on 04-29-2015 12:26 PM
Hi,
I'm following the document in Note 1837331 about setting up Kerberos for SSO with Active Directory.
When setting up the krb5.conf file, I'm having trouble getting it to find the KDC without explicitly specifying them in the file.
The document states that if the records are in DNS (and they are) then you don't need a [realms] section where you manually specify the kdc location but I can't get this to work. If I do specify a [realms] and put a kdc line in there, it works perfectly but I'd like to utilise DNS as the system I'm configuring has 12 domain controllers and I don't want to manually specify each one and manually change each system each time a new DC is added or removed!
I've run a tcpdump session looking for DNS queries, and when running kinit I don't see any attempts at DNS lookups. It just fails with the below.
Password for USER@UK.EXAMPLE.COM:
com.ibm.security.krb5.KrbException, status code: 60
message: Cannot find KDC for realm UK.EXAMPLE.COM
at com.ibm.security.krb5.p.send(p.java:45)
at com.ibm.security.krb5.KrbAsReq.send(KrbAsReq.java:176)
at com.ibm.security.krb5.p.send(p.java:59)
at com.ibm.security.krb5.KrbAsReq.send(KrbAsReq.java:130)
at com.ibm.security.krb5.internal.tools.Kinit.a(Kinit.java:128)
at com.ibm.security.krb5.internal.tools.Kinit.<init>(Kinit.java:66)
at com.ibm.security.krb5.internal.tools.Kinit.main(Kinit.java:12)
com.ibm.security.krb5.KrbException, status code: 60
message: Cannot find KDC for realm UK.EXAMPLE.COM
Has anyone made this work?
Kind Regards
Chris
See below. Assuming that the DNS server configured for the SAP HANA is Windows based and set up for Active Directory, simply querying the domain name should return an available Active Directory KDC. I always have to add something similar to the following (below) to the krb5.conf. You could also use yast to configure the kerberos client. It will create a decent krb5.conf for you. It will also make sure all of the libraries are installed.
Example:
[realms]
DOMAIN.COM = {
kdc = DOMAIN.COM
default_domain = DOMAIN.COM
admin_server = DOMAIN.COM
}
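The stanza above names a single host for the kdc line. As an added example (not code from this thread or from SAP), the script below parses the Kerberos SRV records that a DNS-aware client would query for the realm (dig-style `_kerberos._tcp.<realm>` answer lines), orders them the way RFC 2782 prescribes, and renders the explicit [realms] block that lists every KDC; the three records and hostnames under uk.example.com are constructed sample data, not a real domain.

```python
import re

# Constructed sample of what `dig SRV _kerberos._tcp.UK.EXAMPLE.COM` could
# return once AD has registered its domain controllers (hostnames are made up).
SAMPLE_SRV_ANSWER = """\
_kerberos._tcp.uk.example.com. 600 IN SRV 0 100 88 dc01.uk.example.com.
_kerberos._tcp.uk.example.com. 600 IN SRV 0 100 88 dc02.uk.example.com.
_kerberos._tcp.uk.example.com. 600 IN SRV 10 50 88 dc-backup.uk.example.com.
"""

# owner TTL IN SRV priority weight port target
SRV_RE = re.compile(
    r"^\S+\s+\d+\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)\s+"
    r"(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_srv(answer_text):
    """Return (priority, weight, port, host) tuples from dig-style SRV lines."""
    records = []
    for line in answer_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # skip blanks and dig comments
            continue
        m = SRV_RE.match(line)
        if not m:
            raise ValueError("not an SRV record: " + line)
        records.append((int(m["prio"]), int(m["weight"]),
                        int(m["port"]), m["target"].rstrip(".")))
    # RFC 2782: lowest priority first; within a priority, higher weight preferred
    records.sort(key=lambda r: (r[0], -r[1]))
    return records


def realms_stanza(realm, records):
    """Render the explicit [realms] block a client needs when it cannot resolve KDCs itself."""
    if not records:
        raise ValueError("no KDC records for realm " + realm)
    lines = ["[realms]", realm + " = {"]
    for _prio, _weight, port, host in records:
        suffix = "" if port == 88 else ":%d" % port  # 88 is the default Kerberos port
        lines.append("    kdc = " + host + suffix)
    lines.append("    default_domain = " + realm.lower())
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(realms_stanza("UK.EXAMPLE.COM", parse_srv(SAMPLE_SRV_ANSWER)))
```

Against a live resolver, feed the answer section of `dig SRV _kerberos._tcp.<REALM>` to parse_srv; an empty answer means the library had nothing to find via DNS, and the generated stanza is then the explicit fallback rather than a hand-maintained list.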
Thanks for everyone's help.
The sub-domain's A record does indeed also list all the KDCs for the domain so I've used that as the KDC line.
I tried spinning up a recent Ubuntu VM and testing against AD, and the kerberos version within there does work correctly with AD and do the SRV record lookup so maybe it's the version of kerberos or java within the latest SLES builds.
A good workaround though. Thanks again!
Chris
Hi Chris,
The kinit test is not good on a unix system as it relies on a krb5.ini file that we do not need to create for the SSO solution; that file is only used in a manual AD login scenario. Can you check if KBA 1965433 helps your case?
Regards,
Candy