samba-technical@lists.samba.org

Re: krb auth weirdness found out

Subject: Re: krb auth weirdness found out
From: Andrew Bartlett
Date: Fri, 03 Apr 2009 12:28:39 +1100
On Thu, 2009-04-02 at 15:11 +0100, Sam Liddicott wrote:
> I have the answer (which turns out to be another question) after
> spending a couple of dreary days investigating why I get
> dcerpc_bind_auth_send() from openchange (with specified creds) causing
> errors like this:
> 
> kinit for Sam@GALAXY failed (Cannot contact any KDC for requested realm:
> unable to reach any KDC in realm GALAXY)
> Failed to get CCACHE for GSSAPI client: Cannot contact any KDC for
> requested realm
> Cannot reach a KDC we require to contact host@NOVA
> Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
> 
> (when GALAXY is a domain value not a REALM value which should be
> galaxy.test.dbamsystems.local) and I have to wait for the time it takes
> to fail this before it continues with the NTLM auth (which is what it
> should have been doing all along).

If GALAXY was in the krb5.conf as a realm, it would actually work
(strange, but true).

What we need is to provide a DC location plugin to Heimdal that does a
lookup for the DCs in that domain, and returns them as possible Kerberos
KDCs.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.