[Freeipa-users] dns problems with kerberos
Simo Sorce
ssorce at redhat.com
Mon Sep 15 13:25:16 UTC 2008
On Mon, 2008-09-15 at 15:44 +0300, Ivan Levchenko wrote:
> Hi All,
>
> I installed IPA ok, no errors, I can even authenticate to it from a
> remote host using the admin user.
> I created a new user via the web panel, and as soon as I log in, it
> says that the pass is expired and that I need to change it, as soon as
> it gets the confirmation pass, I get an error:
>
> $ kinit ivan
> Password for ivan at MYDOMAIN.COM:
> Password expired. You must change it now.
> Enter new password:
> Enter it again:
> kinit(v5): Cannot contact any KDC for requested realm while getting
> initial credentials
>
> as I understand it, it's a DNS problem...
>
> I added the needed info to my domain's zone file like so:
>
> ;IPA
> master IN A 192.168.0.112
>
> _ldap._tcp IN SRV 0 100 389 master
>
> ;kerberos realm
> _kerberos IN TXT MYDOMAIN.COM
>
> ; kerberos servers
> _kerberos IN SRV 0 100 88 master
> _kerberos IN SRV 0 100 88 master
> _kerberos-master IN SRV 0 100 88 master
> _kerberos-master IN SRV 0 100 88 master
> _kpasswd._tcp IN SRV 0 100 464 master
> _kpasswd._udp IN SRV 0 100 464 master
>
> ;ntp server
> _ntp._udp IN SRV 0 100 123 ntp-server
>
> using dig, I can verify that all of this works just fine.. is there
> anything that I am missing?
> I'm very new to IPA, Kerberos, LDAP.. but I REALLY want to get a
> single signon and single user/pass environment working...
What IPA version? If installed using an rpm can you tell exactly the rpm
version as printed by rpm -qi ipa-server?
Simo.
--
Simo Sorce * Red Hat, Inc * New York