From Fedora Project Wiki
Description
Work has been done to make krb5
configurationless, and unbreak the default /etc/krb5.conf
that was distributed with Fedora 17 and earlier.
Setup
- Perform prerequisite setup before you run this test.
- Move
/etc/krb5.conf
away if it exists:$ sudo mv /etc/krb5.conf /etc/krb5.conf.bak
How to test
- Do a
kinit
against your Active Directory domain. Yes it's vital that you use the fully capitalized form of the domain name.$ kinit Administrator@AD.EXAMPLE.COM
- You should be prompted for a password, and no error message should be printed.
- Now place the File:Default-example-krb5.conf into place. This is the default config distributed with
krb5-libs
.$ sudo vi /etc/krb5.conf
- Do a
kinit
again.$ kinit Administrator@AD.EXAMPLE.COM
Expected Results
The kinit
commands should complete successfully
Look at the ticket that kinit
retrieved. It should look something like:
$ klist -e Ticket cache: DIR::/run/user/1000/krb5cc_... Default principal: Administrator@AD.EXAMPLE.COM Valid starting Expires Service principal 10/15/12 00:52:34 10/15/12 10:52:34 krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM renew until 10/16/12 00:52:39, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
Troubleshooting
- Make sure that you capitalize the domain name.
- If the above fails with 'Preauthentication failed' then you probably typed the wrong password.
- If the above fails with 'Clock skew' that means your clock and that of the domain are not syncronized. If you setup the Active Directory domain, set its clock appropriately, or use
ntpdate
to sync time. - In future Fedora releases clock skew will not be an issue.