Re: kpasswd failed to lookup password server from DNS SRV
On Fri, 13 Jun 2008 13:13:33 +0800
John Mok <firstname.lastname@example.org> wrote:
> Hi Henry,
> Thanks for your reply.
> It was a typo
> @ bogus.example.com
> _kerberos._udp IN SRV 1 0 88 kerberos.bogus.example.com
> _kerberos._tcp IN SRV 1 0 88 kerberos.bogus.example.com
> _kerberos-adm._tcp IN SRV 1 0 749 kerberos.bogus.example.com
> _kpasswd._udp IN SRV 1 0 464 kerberos.bogus.example.com
> I am using Heimdal 1.2. Since I could kinit the kerberos principal
> without setting the krb5.conf, I think the DNS discovery by SRV records
> is working fine. However, my problem is that I can change the password
> in kadmin but fail to change the password with kpasswd and the error
> message was "kpasswd: krb5_set_password_using_ccache: unable to reach
> any changepw server in realm BOGUS.EXAMPLE.COM".
> Is it a problem with the DNS settings? Or do I have to add more SRV
> records in order to make it work?
Do you have an A record for kerberos.bogus.example.com?
In practice I don't recall seeing kpasswd actually use _kpasswd._udp.REALM
to look up the kpasswd server. It just uses the kdc according to the
krb5.conf. And if that's not set it will try _kerberos._udp.REALM.
Is there a firewall in the way?
The quickest way to find out what's going on is to get a capture.
> Henry B. Hotz wrote:
> > On Jun 12, 2008, at 6:01 PM, John Mok wrote:
> >> Hi,
> >> I tried to set up a Kerberos server with DNS discovery on Ubuntu 6.02.2
> >> LTS. The DNS SRV records for Kerberos discovery :-
> >> @ example.com
> > I think this should be @ bogus.example.com, unless that's a
> > transcription error.
> >> _kerberos._udp IN SRV 1 0 88 kerberos.bogus.example.com
> >> _kerberos._tcp IN SRV 1 0 88 kerberos.bogus.example.com
> >> _kerberos-adm._tcp IN SRV 1 0 749 kerberos.bogus.example.com
> >> _kpasswd._udp IN SRV 1 0 464 kerberos.bogus.example.com
> >> I could dig the SRV records correctly, and I could kinit the kerberos
> >> principal on a remote host successfully. However, when I tried to
> >> change the password on the remote host, it failed and returned an
> >> error message "kpasswd: krb5_set_password_using_ccache: unable to
> >> reach any changepw server in realm BOGUS.EXAMPLE.COM"
> >> I hope someone could advise if there is anything missing in my config?
> >> Thanks a lot.
> >> John Mok
Michael B Allen
PHP Active Directory SPNEGO SSO
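
An added example, not part of the original message: a small checker for the A-record question raised above. It reports, for the two SRV names the thread mentions for password change, which target and port each points to and whether that target has an address record in the zone. It applies the master-file rule that a name without a trailing dot is relative to the origin. The zone text, the address 192.0.2.10 and the function names are constructed for illustration, and the code does not model how any particular kpasswd client orders its lookups.

```python
ORIGIN = "bogus.example.com."   # realm domain used in the thread

# Constructed zone fragment (not the poster's real zone). The SRV lines follow
# the thread; the A record and the missing trailing dot on the second target
# are made up to show what the check catches.
ZONE = """\
_kerberos._udp  IN SRV 1 0 88  kerberos.bogus.example.com.
_kpasswd._udp   IN SRV 1 0 464 kerberos.bogus.example.com
kerberos        IN A   192.0.2.10
"""

def fqdn(name, origin=ORIGIN):
    """Master-file rule: a name without a trailing dot is relative to the origin."""
    return (name if name.endswith(".") else f"{name}.{origin}").lower()

def parse(zone, origin=ORIGIN):
    """Return ({srv owner: [(port, target)]}, {names that have A/AAAA records})."""
    srv, hosts = {}, set()
    for line in zone.splitlines():
        f = line.split(";", 1)[0].split()          # drop comments, tokenize
        if len(f) < 4 or f[1].upper() != "IN":
            continue
        owner, rtype, rdata = fqdn(f[0], origin), f[2].upper(), f[3:]
        if rtype == "SRV" and len(rdata) == 4:     # priority weight port target
            srv.setdefault(owner, []).append((int(rdata[2]), fqdn(rdata[3], origin)))
        elif rtype in ("A", "AAAA"):
            hosts.add(owner)
    return srv, hosts

def changepw_candidates(zone, origin=ORIGIN):
    """List (srv_label, target, port, has_address_record) for the two SRV
    names mentioned in the thread: _kpasswd._udp and _kerberos._udp."""
    srv, hosts = parse(zone, origin)
    out = []
    for label in ("_kpasswd._udp", "_kerberos._udp"):
        for port, target in srv.get(fqdn(label, origin), []):
            out.append((label, target, port, target in hosts))
    return out

if __name__ == "__main__":
    for label, target, port, ok in changepw_candidates(ZONE):
        status = "yes" if ok else "MISSING"
        print(f"{label:15} -> {target}:{port}  address record: {status}")
```

A target flagged as missing here is a server name the client cannot turn into an address, regardless of whether a firewall is also in the way.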