
Re: kpasswd failed to lookup password server from DNS SRV



On Fri, 13 Jun 2008 13:13:33 +0800
John Mok <jmok@attglobal.net> wrote:

> Hi Henry,
> 
> Thanks for your reply.
> 
> It was a typo
> 
> @ bogus.example.com
> _kerberos._udp IN SRV 1 0 88 kerberos.bogus.example.com
> _kerberos._tcp IN SRV 1 0 88 kerberos.bogus.example.com
> _kerberos-adm._tcp IN SRV 1 0 749 kerberos.bogus.example.com
> _kpasswd._udp IN SRV 1 0 464 kerberos.bogus.example.com
> 
> I am using Heimdal 1.2. Since I could kinit the kerberos principal 
> without setting the krb5.conf, I think the DNS discovery by SRV records 
> is working fine. However, my problem is that I can change the password 
> in kadmin but fail to change the password with kpasswd and the error 
> message was  "kpasswd: krb5_set_password_using_ccache: unable to reach 
> any changepw server in realm BOGUS.EXAMPLE.COM".
> 
> Is it a problem with the DNS settings? Or do I have to add more SRV records in 
> order to make it work?

Do you have an A record for kerberos.bogus.example.com?

In practice I don't recall seeing kpasswd actually use _kpasswd._udp.REALM
to look up the kpasswd server. It just uses the kdc according to the
krb5.conf. And if that's not set it will try _kerberos._udp.REALM.

Is there a firewall in the way?

The quickest way to find out what's going on is to get a capture.

Mike

> Henry B. Hotz wrote:
> > 
> > On Jun 12, 2008, at 6:01 PM, John Mok wrote:
> > 
> >> Hi,
> >>
> >> I tried to set up Kerberos server with DNS discovery on Ubuntu 6.02.2 
> >> LTS. The DNS SRV records for Kerberos discovery :-
> >>
> >> @ example.com
> > 
> > I think this should be @ bogus.example.com, unless that's a 
> > transcription error.
> > 
> >> _kerberos._udp IN SRV 1 0 88 kerberos.bogus.example.com
> >> _kerberos._tcp IN SRV 1 0 88 kerberos.bogus.example.com
> >> _kerberos-adm._tcp IN SRV 1 0 749 kerberos.bogus.example.com
> >> _kpasswd._udp IN SRV 1 0 464 kerberos.bogus.example.com
> >>
> >> I could dig the SRV records correctly, and I could kinit the kerberos 
> >> principal on a remote host successfully. However, when I tried to 
> >> change the password on the remote host, it failed and returned an 
> >> error message  "kpasswd: krb5_set_password_using_ccache: unable to 
> >> reach any changepw server in realm BOGUS.EXAMPLE.COM"
> >>
> >> I hope someone could advise if there is anything missing in my config?
> >>
> >> Thanks a lot.
> >>
> >> John Mok
> > 
> 


-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
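
The checks suggested in the reply above (an A record for each SRV target, then a capture) can be prepared offline from the posted records. This is an added example, not part of the original message or of Heimdal: the function names are hypothetical, the address 192.0.2.10 is a constructed sample, and SRV targets are taken as fully qualified exactly as posted.

```python
from collections import namedtuple

# SRV records as posted in the thread (origin bogus.example.com).
ZONE = """\
_kerberos._udp IN SRV 1 0 88 kerberos.bogus.example.com
_kerberos._tcp IN SRV 1 0 88 kerberos.bogus.example.com
_kerberos-adm._tcp IN SRV 1 0 749 kerberos.bogus.example.com
_kpasswd._udp IN SRV 1 0 464 kerberos.bogus.example.com
"""

# Constructed sample: the A records the zone is assumed to hold.
A_RECORDS = {"kerberos.bogus.example.com": "192.0.2.10"}

Srv = namedtuple("Srv", "service proto priority weight port target")


def parse_srv(zone_text):
    """Parse '_service._proto IN SRV prio weight port target' lines."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if (len(fields) != 7 or fields[1:3] != ["IN", "SRV"]
                or "._" not in fields[0]):
            continue  # skip blanks, comments and non-SRV lines
        service, proto = fields[0].lstrip("_").split("._", 1)
        prio, weight, port = (int(f) for f in fields[3:6])
        records.append(Srv(service, proto, prio, weight, port,
                           fields[6].rstrip(".").lower()))
    return records


def missing_addresses(records, a_records):
    """SRV targets without an A record: the name is found, the host is not."""
    return sorted({r.target for r in records if r.target not in a_records})


def capture_filter(records, a_records):
    """Build a tcpdump/BPF filter: DNS plus every resolvable SRV endpoint."""
    terms = {"port 53"}
    for r in records:
        addr = a_records.get(r.target)
        if addr:
            terms.add(f"(host {addr} and {r.proto} port {r.port})")
    return " or ".join(sorted(terms))
```

Running a capture with the resulting filter while kpasswd is invoked shows which lookup the client actually performs and whether anything answers on port 464.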