Hi, I am trying to get an HP-UX 11i box to authenticate against our Active Directory (Windows 2003 R2) domain with Kerberos, but I am getting nowhere fast. As per the docs I have, I created a user account in Active Directory, then used "ktpass -princ host/unix_client.domain.host.com@DOMAIN.HOST.COM -mapuser unix_client -pass

The keytab looks fine when I use ktutil, but I cannot do a kinit... I keep getting "KDC policy rejects request for this entry". I am guessing this is more of a Windows/AD config issue, but thought someone here might have seen this?

cat /etc/krb5.conf

[libdefaults]
default_realm = DOMAIN.HOST.COM
default_tgs_enctypes = DES-CBC-CRC
default_tkt_enctypes = DES-CBC-CRC
ccache_type = 2
ticket_lifetime = 24000
#dns_lookup_kdc = true

[realms]
DOMAIN.HOST.COM = {
kdc = 2003_dc.domain.host.com
kpasswd_server = 2003_dc.domain.host.com:464
}

[domain_realm]
domain.host.com = DOMAIN.HOST.COM
.domain.host.com = DOMAIN.HOST.COM

[logging]
default = FILE:/var/adm/krb5lib.log
kdc = FILE:/var/adm/krb5kdc.log
admin_server = FILE:/var/adm/kKDCmind.log

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

unix_client:/var/adm/syslog >pamkrbval -v

Validating the pam configuration files
---------- --- --- ------------- -----
[LOG] : The /etc/pam.conf files permissions are fine
[LOG] : Opened : /etc/pam.conf
[PASS] : The validation of config file: /etc/pam.conf passed
[NOTICE] : The validation of config file: /etc/pam_user.conf is not done as libpam_updbe library is not configured

Validating the kerberos config file
---------- --- -------- ------ -----
[PASS] : Initialization of kerberos passed

Connecting to default Realm
---------- -- ------- -----
[LOG] : The default realm is : DOMAIN.HOST.COM
[LOG] : KDC hosts for realm DOMAIN.HOST.COM :2003_dc.domain.host.com
[LOG] : Trying to contact KDC for realm DOMAIN.HOST.COM...
[LOG] : Realm DOMAIN.HOST.COM is answering ticket requests
[PASS] : Default Realm is issuing tickets

Validating the keytab entry for the host service principal
---------- --- ------ ----- --- --- ---- ------- ---------
[LOG] : Host unix_client, aka unix_client.domain.host.com.
[LOG] : The default keytab name is : /etc/krb5.keytab
[LOG] : Keytab file /etc/krb5.keytab is present
[LOG] : Permissions on /etc/krb5.keytab are correct.
Keytab entry
Principal: host
Host : unix_client.domain.host.com
Realm : DOMAIN.HOST.COM
Version : 23
[LOG] : Pinging KDC to verify whether host/unix_client.domain.host.com@DOMAIN.HOST.COM exists
pamkrbval: KDC policy rejects request for this entry
[WARNING] : The keytab entry for the host service principal host/unix_client.domain.host.com@DOMAIN.HOST.COM is invalid
[FAIL] : The keytab validation failed

Validating the rc_host file for ownership
-------- ------ ---- -------- ------ -----
[LOG] : rc_host file /usr/tmp/rc_host_0 is not present on the system
[PASS] :The Validation of rc_host file:/usr/tmp/rc_host_0 is successful

unix_client:/var/adm/syslog >ktutil -i
ktutil: rkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1   23 host/unix_client.domain@DOMAIN.HOST.COM
ktutil:
ktutil:
unix_client:/var/adm/syslog >
unix_client:/var/adm/syslog >kinit -kt /etc/krb5.keytab host/unix_client.domain.host.com
kinit(v5): KDC policy rejects request while getting initial credentials

Thanks in advance for any help

Regards
Richard
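Two things in a keytab decide whether a kinit like the one above can succeed: the principal name stored in it must be exactly the one kinit asks for, and the key's encryption type must be one the KDC is still willing to issue for (current Active Directory domain controllers refuse single-DES by default, and the krb5.conf above pins DES-CBC-CRC). The script below is an added example, not part of this post and not HP-UX's pamkrbval or MIT's ktutil: it parses the MIT keytab binary format (version 0x0502) so the enctype, which ktutil's list command does not print, becomes visible, then reports a principal/name mismatch and any DES keys. The keytab it reads is constructed in memory with build_keytab to mirror the listing in the post; on a real host you would pass the bytes of /etc/krb5.keytab to check_keytab instead.

```python
"""Parse an MIT-format Kerberos keytab and sanity-check it before kinit.

Keytab layout (version 0x0502, all integers big-endian):
  0x05 0x02
  repeated: int32 entry_size (negative = deleted hole)
            uint16 n_components, counted realm, n_components counted strings,
            uint32 name_type, uint32 timestamp, uint8 kvno8,
            uint16 enctype, uint16 key_len, key bytes,
            optional uint32 kvno32 (present when bytes remain in the entry)
"""
import struct

# Enctype numbers from RFC 3961 / RFC 3962 / RFC 4757.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
DES_ENCTYPES = {1, 3}  # single DES; modern KDCs refuse these by default


def _counted(buf, off):
    """Read a uint16-length-prefixed octet string at off; return (bytes, new_off)."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data):
    """Return a list of dicts: principal, kvno, enctype (name), enctype_id, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # hole left by a deleted entry; skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        if end - off >= 4:      # 32-bit kvno overrides the 8-bit one when present and non-zero
            (kvno32,) = struct.unpack_from(">I", data, off)
            if kvno32:
                kvno = kvno32
        off = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno,
            "enctype": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype),
            "enctype_id": enctype,
            "key": key,
        })
    return entries


def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype_id, key) tuples; used here as a fixture."""
    out = bytearray(b"\x05\x02")
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.encode().split(b"/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp 0
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_keytab(data, expected_principal):
    """Return human-readable findings; an empty list means the keytab looks usable."""
    findings = []
    entries = parse_keytab(data)
    names = {e["principal"] for e in entries}
    if expected_principal not in names:
        findings.append("principal %s not found; keytab has: %s"
                        % (expected_principal, ", ".join(sorted(names)) or "(none)"))
    for e in entries:
        if e["enctype_id"] in DES_ENCTYPES:
            findings.append("%s kvno %d uses %s, which the KDC may refuse by policy"
                            % (e["principal"], e["kvno"], e["enctype"]))
    return findings


if __name__ == "__main__":
    # Constructed sample mirroring the post: ktutil lists host/unix_client.domain,
    # kinit asks for host/unix_client.domain.host.com, and the key is single DES.
    sample = build_keytab([("host/unix_client.domain", "DOMAIN.HOST.COM", 23, 1, b"\x11" * 8)])
    for e in parse_keytab(sample):
        print("%-45s kvno %-3d %s" % (e["principal"], e["kvno"], e["enctype"]))
    for f in check_keytab(sample, "host/unix_client.domain.host.com@DOMAIN.HOST.COM"):
        print("WARN:", f)
```

On the constructed sample both checks fire: the stored principal is not the one kinit requests, and the key is des-cbc-crc. An AES entry under the exact requested name produces no findings, which is the state a host keytab should be in before PAM is pointed at it.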