From Fedora Project Wiki


Latest revision as of 08:56, 9 May 2013

Description

Work has been done to make krb5 configurationless, and unbreak the default /etc/krb5.conf that was distributed with Fedora 17 and earlier.

Setup

  1. Perform prerequisite setup before you run this test.
  2. Move /etc/krb5.conf away if it exists:
    $ sudo mv /etc/krb5.conf /etc/krb5.conf.bak

How to test

  1. Do a kinit against your Active Directory domain. Yes, it's vital that you use the fully capitalized form of the domain name.
    $ kinit Administrator@AD.EXAMPLE.COM
    You should be prompted for a password, and no error message should be printed.
  2. Now put the default krb5.conf into place. This is the default config distributed with krb5-libs.
    $ sudo yum reinstall krb5-libs
    Check that /etc/krb5.conf now exists.
  3. Do a kinit again.
    $ kinit Administrator@AD.EXAMPLE.COM

Expected Results

The kinit commands should complete successfully.

Look at the ticket that kinit retrieved. It should look something like:

$ klist -e
Ticket cache: DIR::/run/user/1000/krb5cc_...
Default principal: Administrator@AD.EXAMPLE.COM

Valid starting     Expires            Service principal
10/15/12 00:52:34  10/15/12 10:52:34  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        renew until 10/16/12 00:52:39, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
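
The checks above can be scripted. The following is an added example, not part of the original test case: it reads `klist -e` output on stdin and verifies the capitalized realm, the default principal, the krbtgt entry and the enctypes. The names `check_tgt` and `sample_klist` are hypothetical, and treating DES and RC4 enctypes as failures is this example's assumption, not a criterion stated by the test case.

```shell
#!/bin/sh
# Added example (not from the wiki page). check_tgt is a hypothetical helper.
# Usage on a live system: klist -e | check_tgt AD.EXAMPLE.COM
check_tgt() {
    awk -v realm="$1" '
        function fail(msg) { print "FAIL: " msg; status = 1 }
        /^Default principal:/ {
            # Principal is user@REALM; the realm part must match exactly.
            if (split($3, p, "@") == 2 && p[2] == realm) principal_ok = 1
        }
        # TGT entry: the service principal is the last field on the line.
        $NF == "krbtgt/" realm "@" realm { tgt_seen = 1 }
        # First Etype line after the TGT (it may share a line with "renew until").
        tgt_seen && etypes == "" && /Etype \(skey, tkt\): / {
            etypes = $0
            sub(/.*Etype \(skey, tkt\): */, "", etypes)
        }
        END {
            if (realm == "" || realm != toupper(realm))
                fail("realm " realm " is not fully capitalized")
            if (!principal_ok) fail("default principal is not in " realm)
            if (!tgt_seen) fail("no krbtgt/" realm "@" realm " ticket")
            n = split(etypes, e, /, */)
            if (tgt_seen && n == 0) fail("no Etype line; run klist with -e")
            # Assumption of this example: DES and RC4 enctypes count as failures.
            for (i = 1; i <= n; i++)
                if (e[i] ~ /^(des|arcfour|rc4)/) fail("weak enctype " e[i])
            if (!status) print "OK: TGT for " realm ", enctypes " etypes
            exit status + 0
        }
    '
}

# Constructed sample, copied from the expected klist output shown above.
sample_klist() {
    cat <<'EOF'
Ticket cache: DIR::/run/user/1000/krb5cc_...
Default principal: Administrator@AD.EXAMPLE.COM

Valid starting     Expires            Service principal
10/15/12 00:52:34  10/15/12 10:52:34  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        renew until 10/16/12 00:52:39, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
EOF
}

sample_klist | check_tgt AD.EXAMPLE.COM
```

Run it after each kinit step; a non-zero exit status with a FAIL line means the ticket does not match the expected results.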



Troubleshooting

  • Make sure that you capitalize the domain name.
  • If the above fails with 'Preauthentication failed' then you probably typed the wrong password.
  • You may get a prompt to change your password if your Kerberos account password has expired; this is normal.
  • You can move the krb5.conf file back into place if you want. But if it's an excessively broken krb5.conf file, you may want to replace it with the default.
  • If you see "kinit: Credential cache directory /run/user/1000/krb5cc does not exist while getting default ccache", you have hit bug https://bugzilla.redhat.com/show_bug.cgi?id=961235