Description

Work has been done to make krb5 configurationless, and unbreak the default /etc/krb5.conf that was distributed with Fedora 17 and earlier.

Setup

1. Perform prerequisite setup before you run this test.
2. Move /etc/krb5.conf away if it exists:

   $ sudo mv /etc/krb5.conf /etc/krb5.conf.bak

How to test

1. Do a kinit against your Active Directory domain. Yes it's vital that you use the fully capitalized form of the domain name.

   $ kinit Administrator@AD.EXAMPLE.COM

   You should be prompted for a password, and no error message should be printed.

2. Now place the default krb5.conf into place. This is the default config distributed with krb5-libs.

   $ sudo yum reinstall krb5-libs

   Check that /etc/krb5.conf now exists.

3. Do a kinit again.

   $ kinit Administrator@AD.EXAMPLE.COM

Expected Results

The kinit commands should complete successfully

Look at the ticket that kinit retrieved. It should look something like:

$ klist -e
Ticket cache: DIR::/run/user/1000/krb5cc_...
Default principal: Administrator@AD.EXAMPLE.COM

Valid starting     Expires            Service principal
10/15/12 00:52:34  10/15/12 10:52:34  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        renew until 10/16/12 00:52:39, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

Troubleshooting

• Make sure that you capitalize the domain name.
• If the above fails with 'Preauthentication failed' then you probably typed the wrong password.
• You may get a prompt to change your password if your kerberos account password has expired, this is normal.

• You can move the krb5.conf file back into place if you want. But if it's an excessively broken krb5.conf file, you may want to replace it with the default.

• If you see "kinit: Credential cache directory /run/user/1000/krb5cc does not exist while getting default ccache ", you hit the bug [[1]]