Operating System - HP-UX

Kerberos : Unable to connect the default realm

Andry Ramananantoandro
Occasional Contributor

I am trying to delegate HP-UX 11 authentication to Windows 2003 via PAM Kerberos and LDAP-UX.

I get this error when I launch pamkrbval -v:
__________________________
Validating the pam configuration files
Validating the /etc/pam.conf file
[LOG] : The /etc/pam.conf files permissions are fine
[LOG] : Opened : /etc/pam.conf
[PASS] : The validation of config file: /etc/pam.conf passed
[NOTICE] : The validation of config file: /etc/pam_user.conf is not done as libpam_updbe library is not configured
Validating the kerberos config file
[PASS] : Initialization of kerberos passed
Connecting to default Realm
[LOG] : The default realm is : MYDOMAIN.COM
[LOG] : KDC hosts for realm MYDOMAIN.COM :dc.mydomain.com
[LOG] : Trying to contact KDC for realm MYDOMAIN.COM...
[FAIL] : Unable to connect the default realm
Validating the keytab entry for the host service principal
[LOG] : Host freo0071, aka freo0071.
[LOG] : The default keytab name is : /etc/krb5.keytab
[LOG] : Keytab file /etc/krb5.keytab is present
[LOG] : Permissions on /etc/krb5.keytab are correct
.Keytab entry
Principal: host
Host : freo0071
Realm : MYDOMAIN.COM
Version : 3
[LOG] : Pinging KDC for keytab entry host/freo0071@MYDOMAIN.COM
pamkrbval: Invalid argument for this entry
[LOG] : The keytab entry for the host service principal is not a valid one
[FAIL] : The keytab validation Failed
__________________


It looks as if the HP-UX server cannot reach the domain controller.
Though it can reach it via telnet (on ports 88 and 464).
Also note that LDAP-UX works fine!


_________________________

The krb5.conf file :

[libdefaults]
default_realm = MYDOMAIN.COM
default_tkt_enctypes = DES-CBC-MD5
default_tgs_enctypes = DES-CBC-MD5
ccache_type = 2
[realms]
MYDOMAIN.COM = {
kdc = fres0000.mydomain.com:88
kpasswd_server = fres0000.mydomain.com:464
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
. = MYDOMAIN.COM
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
Sundar_7
Honored Contributor

Re: Kerberos : Unable to connect the default realm

Run /opt/krbsup/bin/krb_config. This will add the appropriate entries to your /etc/krb5.conf and also to the /etc/services file.

Try removing the port numbers for KDC and KPASSWD_SERVERs. I believe 88 and 464 are the default port numbers.

Learn what to do, how to do, and more importantly when to do?
Andry Ramananantoandro
Occasional Contributor

Re: Kerberos : Unable to connect the default realm

Thank you. We tried it but it did not work (same error).

Note that we tried the same configuration in march 2004 and it worked then.
It's the first time we see "Unable to connect the default realm".

Any other idea?
Andry Ramananantoandro
Occasional Contributor

Re: Kerberos : Unable to connect the default realm

OK, so we've done a few tests on:
tusc pamkrbval shows that the error appears each time it tries to reach a KDC:

socket(AF_INET, SOCK_DGRAM, 0) ... = 4
ioctl(4, SIOCGIFCONF, 0x7f0b209c) ... ERR#22 EINVAL


For information, there are two network cards on the system, not connected to the same network.
But the hostname we use for Kerberos is the one connected to the LAN and declared in AD.
Andry Ramananantoandro
Occasional Contributor

Re: Kerberos : Unable to connect the default realm

The HP-UX machine had too many virtual LAN IP addresses. Kerberos does not work when there are more than 32 separate interfaces.
There is a fix (JAGaf26885) that is only currently available on 11i (not for 11.00).