From Fedora Project Wiki

(Prequisite link)
Line 2: Line 2:
 
|description=Work has been done to make <code>krb5</code> configurationless, and unbreak the default <code>/etc/krb5.conf</code> that was distributed with Fedora 17 and earlier.
 
|description=Work has been done to make <code>krb5</code> configurationless, and unbreak the default <code>/etc/krb5.conf</code> that was distributed with Fedora 17 and earlier.
 
|setup=
 
|setup=
# [[Features/ActiveDirectory/TestBed|Verify that your Active Directory domain access works]]. If you don't have an Active Directory domain, you can [[Features/ActiveDirectory/TestBed|set one up]].
+
# Perform [[QA:Testcase_kerberos_setup|prerequisite setup]] before you run this test.
 
# Move <code>/etc/krb5.conf</code> away if it exists:
 
# Move <code>/etc/krb5.conf</code> away if it exists:
 
#: <pre>$ sudo mv /etc/krb5.conf /etc/krb5.conf.bak</pre>
 
#: <pre>$ sudo mv /etc/krb5.conf /etc/krb5.conf.bak</pre>

Revision as of 17:11, 8 May 2013

Description

Work has been done to make krb5 configurationless, and unbreak the default /etc/krb5.conf that was distributed with Fedora 17 and earlier.

Setup

  1. Perform prerequisite setup before you run this test.
  2. Move /etc/krb5.conf away if it exists:
    $ sudo mv /etc/krb5.conf /etc/krb5.conf.bak

How to test

  1. Do a kinit against your Active Directory domain. Yes it's vital that you use the fully capitalized form of the domain name.
    $ kinit Administrator@AD.EXAMPLE.COM
    You should be prompted for a password, and no error message should be printed.
  2. Now place the File:Default-example-krb5.conf into place. This is the default config distributed with krb5-libs.
    $ sudo vi /etc/krb5.conf
  3. Do a kinit again.
    $ kinit Administrator@AD.EXAMPLE.COM

Expected Results

The kinit commands should complete successfully

Look at the ticket that kinit retrieved. It should look something like:

$ klist -e
Ticket cache: DIR::/run/user/1000/krb5cc_...
Default principal: Administrator@AD.EXAMPLE.COM

Valid starting     Expires            Service principal
10/15/12 00:52:34  10/15/12 10:52:34  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        renew until 10/16/12 00:52:39, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96



Troubleshooting

  • Make sure that you capitalize the domain name.
  • If the above fails with 'Preauthentication failed' then you probably typed the wrong password.
  • If the above fails with 'Clock skew' that means your clock and that of the domain are not syncronized. If you setup the Active Directory domain, set its clock appropriately, or use ntpdate to sync time.
  • In future Fedora releases clock skew will not be an issue.