From Fedora Project Wiki
Latest revision as of 08:56, 9 May 2013
Description
Work has been done to make krb5 configurationless, and unbreak the default /etc/krb5.conf that was distributed with Fedora 17 and earlier.
Setup
- Perform prerequisite setup before you run this test.
- Move /etc/krb5.conf away if it exists:
    $ sudo mv /etc/krb5.conf /etc/krb5.conf.bak
How to test
- Do a kinit against your Active Directory domain. Yes, it's vital that you use the fully capitalized form of the domain name.
    $ kinit Administrator@AD.EXAMPLE.COM
- You should be prompted for a password, and no error message should be printed.
- Now put the default krb5.conf into place. This is the default config distributed with krb5-libs.
    $ sudo yum reinstall krb5-libs
- Check that /etc/krb5.conf now exists.
- Do a kinit again.
    $ kinit Administrator@AD.EXAMPLE.COM
Expected Results
The kinit commands should complete successfully.
Look at the ticket that kinit retrieved. It should look something like:
    $ klist -e
    Ticket cache: DIR::/run/user/1000/krb5cc_...
    Default principal: Administrator@AD.EXAMPLE.COM

    Valid starting     Expires            Service principal
    10/15/12 00:52:34  10/15/12 10:52:34  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
            renew until 10/16/12 00:52:39, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
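One way to script the check of the expected result, as an added example that is not part of the original test case: the hypothetical helper check_tgt reads klist -e output, confirms the default principal and the krbtgt ticket for the capitalized realm, and prints the ticket's etype pair. The sample input is constructed from the expected output shown on this page.

```shell
#!/bin/sh
# check_tgt PRINCIPAL  (hypothetical helper, not part of krb5)
# Reads `klist -e` output on stdin and prints the TGT's etype pair.
# Returns 1: realm not upper case, 2: wrong default principal,
#         3: no krbtgt/REALM@REALM ticket in the cache.
check_tgt() {
    principal=$1
    realm=${principal#*@}
    case $realm in
        *[a-z]*) echo "realm '$realm' must be fully capitalized" >&2
                 return 1 ;;
    esac
    awk -v princ="$principal" -v tgt="krbtgt/$realm@$realm" '
        /^Default principal:/ { princ_ok = ($3 == princ) }
        # A ticket line ends with its service principal.
        $NF == tgt { have_tgt = 1; in_tgt = 1; next }
        # The etype pair sits on the line right after the ticket line.
        in_tgt && /Etype \(skey, tkt\):/ {
            sub(/.*Etype \(skey, tkt\): */, "")
            etype = $0
        }
        { in_tgt = 0 }
        END {
            if (!princ_ok) exit 2
            if (!have_tgt) exit 3
            print etype
        }'
}

# Constructed sample input, modelled on the expected output of this test case.
sample_klist() {
    cat <<'EOF'
Ticket cache: DIR::/run/user/1000/krb5cc_...
Default principal: Administrator@AD.EXAMPLE.COM

Valid starting     Expires            Service principal
10/15/12 00:52:34  10/15/12 10:52:34  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        renew until 10/16/12 00:52:39, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
EOF
}

# On a real system: klist -e | check_tgt Administrator@AD.EXAMPLE.COM
sample_klist | check_tgt Administrator@AD.EXAMPLE.COM
```

Run it after each kinit in the procedure; a non-zero return tells you which part of the expected result is missing.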
Troubleshooting
- Make sure that you capitalize the domain name.
- If the above fails with 'Preauthentication failed' then you probably typed the wrong password.
- You may get a prompt to change your password if your Kerberos account password has expired; this is normal.
- You can move the krb5.conf file back into place if you want. But if it's an excessively broken krb5.conf file, you may want to replace it with the default.
- If you see "kinit: Credential cache directory /run/user/1000/krb5cc does not exist while getting default ccache", you have hit the bug https://bugzilla.redhat.com/show_bug.cgi?id=961235