Nagios Authentication with Active Directory (Slightly Off-Topic)

Dimitri Yioulos dyioulos at firstbhph.com
Fri Jan 7 20:44:35 CET 2005



Shawn,

First, output of dig _kerberos.tcp.HEADQUARTERS.FIRSTBHPH.COM srv

; <<>> DiG 9.2.4rc6 <<>> _kerberos.tcp.HEADQUARTERS.FIRSTBHPH.COM srv
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13282
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;_kerberos.tcp.HEADQUARTERS.FIRSTBHPH.COM. IN SRV

;; AUTHORITY SECTION:
firstbhph.com.          3600    IN      SOA
rockland.headquarters.firstbhph.com. hostmaster.headquarters.firstbhph.com.
391 900 600 86400 3600


and dig _kerberos.udp.HEADQUARTERS.FIRSTBHPH.COM srv

; <<>> DiG 9.2.4rc6 <<>> _kerberos.udp.HEADQUARTERS.FIRSTBHPH.COM srv
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 43578
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;_kerberos.udp.HEADQUARTERS.FIRSTBHPH.COM. IN SRV

;; AUTHORITY SECTION:
firstbhph.com.          3600    IN      SOA
rockland.headquarters.firstbhph.com. hostmaster.headquarters.firstbhph.com.
391 900 600 86400 3600

;; Query time: 6 msec
;; SERVER: 192.168.100.3#53(192.168.100.3)
;; WHEN: Fri Jan  7 14:33:40 2005
;; MSG SIZE  rcvd: 140
;; Query time: 2 msec
;; SERVER: 192.168.100.3#53(192.168.100.3)
;; WHEN: Fri Jan  7 14:31:41 2005
;; MSG SIZE  rcvd: 140

Doesn't look like yours.

Additional info:

OS:  CentOS 3.3
Kerberos:  krb5-server-1.2.7-28, krb5-workstation-1.2.7-28, krbafs-1.1.1-11
(all from rpm)
Samba:  samba-3.0.7-1.3E.1      security=ads     (as I mentioned previously,
samba works, and this server has joined the domain successfully)
DNS:   I'm using the Win2k box for DNS.


-----Original Message-----
From: Shawn Iverson [mailto:shawn at nccsc.k12.in.us] 
Sent: Friday, January 07, 2005 1:54 PM
To: Dimitri Yioulos
Cc: nagios-users at lists.sourceforge.net
Subject: RE: [Nagios-users] Nagios Authentication with Active Directory
(Slightly Off-Topic)

There's some info from comp.protocols.kerberos (google groups, see below)

It sounds like you need to do the following to check your DNS kerberos
configuration:

dig _kerberos._udp.REALMNAMEFQDN srv
dig _kerberos._tcp.REALMNAMEFQDN srv

It sounds like error 52 should only ever occur when the srv resource records
for kerberos on your DNS server are set to allow only UDP authentication.  I
presume that when you execute the latter command you might get an unexpected
response.  If so, you need to fix your srv resource records on your DNS
server to allow TCP.

BTW, are you using DNS from your Windows 2003 Servers or from another
source?  Make sure you have only one kinit on your system.  If none of this
is helpful, send me details about your version of kerberos that you are
using, your OS, whether you installed it as a package or as source, etc.

Here is my DNS answer section for both (specifics removed):

;; QUESTION SECTION:
;_kerberos._tcp.MYREALM.	IN	SRV

;; ANSWER SECTION:
_kerberos._tcp.MYREALM.	600 IN	SRV	0 100 88 XXXXXX.myrealm.
_kerberos._tcp.MYREALM.	600 IN	SRV	0 100 88 XXXXXX.myrealm.
_kerberos._tcp.MYREALM.	600 IN	SRV	0 100 88 XXXXXX.myrealm.
_kerberos._tcp.MYREALM.	600 IN	SRV	0 100 88 XXXXXX.myrealm.
_kerberos._tcp.MYREALM.	600 IN	SRV	0 100 88 XXXXXX.myrealm.
_kerberos._tcp.MYREALM.	600 IN	SRV	0 100 88 XXXXXX.myrealm.
_kerberos._tcp.MYREALM.	600 IN	SRV	0 100 88 XXXXXX.myrealm.
_kerberos._tcp.MYREALM.	600 IN	SRV	0 100 88 XXXXXX.myrealm.
_kerberos._tcp.MYREALM.	600 IN	SRV	0 100 88 XXXXXX.myrealm.
_kerberos._tcp.MYREALM.	600 IN	SRV	0 100 88 XXXXXX.myrealm.

;; ADDITIONAL SECTION:
XXXXXX.myrealm. 3600	IN	A	x.x.x.x
XXXXXX.myrealm.	3600	IN	A	x.x.x.x

;; Query time: 1 msec
;; SERVER: x.x.x.x#53(x.x.x.x)
;; WHEN: Fri Jan  7 13:34:47 2005
;; MSG SIZE  rcvd: 504


; <<>> DiG 9.2.4 <<>> _kerberos._udp.MYREALM srv
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7178
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;_kerberos._udp.myrealm.	IN	SRV

;; ANSWER SECTION:
_kerberos._udp.MYREALM.	600 IN	SRV	0 100 88 xxxxxxx.nccsc.k12.in.us.
_kerberos._udp.MYREALM.	600 IN	SRV	0 100 88 xxxxxxx.nccsc.k12.in.us.

Etc...

On Jun 10 2003, 5:02 pm Ken Raeburn on comp.protocols.kerberos wrote:
>
>
>Uli Schröder <uli.schroe... at gmx.net> writes:
>
>
>

<snip>


>> Nevertheless if I do a kinit for my normal account it fails with
>> error code 52. No change between krb5-1.2.7 and krb5-1.3.
>
>
>Is it saying "KRB5 error code 52" exactly? That shouldn't be in the
>source code for the 1.3 snapshot. The error message is now "Response
>too big for UDP, retry with TCP", and shouldn't be displayed unless
>the server sends that error code over a TCP connection, or the client
>library thinks that TCP service isn't available for some reason, which
>should only happen if you have DNS SRV records that indicate only UDP
>service is available (try "dig _kerberos._udp.REALMNAME srv", and try
>with _tcp instead of _udp) and the config files don't list the KDCs at
>all.

On Jun 11 2003, 9:29 am Uli Schröder wrote on comp.protocols.kerberos: 

>"Ken Raeburn" <raeb... at mit.edu> schrieb im Newsbeitrag
>news:tx1of15se7f.fsf at mit.edu...
>
>> ... 
>> > Nevertheless if I do a kinit for my normal account it fails with
>> > error code 52. No change between krb5-1.2.7 and krb5-1.3.
>
>> Is it saying "KRB5 error code 52" exactly? That shouldn't be in the
>> source code for the 1.3 snapshot. The error message is now "Response
>> too big for UDP, retry with TCP", and shouldn't be displayed unless
>> the server sends that error code over a TCP connection, or the client
>> library thinks that TCP service isn't available for some reason, which
>> should only happen if you have DNS SRV records that indicate only UDP
>> service is available (try "dig _kerberos._udp.REALMNAME srv", and try
>> with _tcp instead of _udp) and the config files don't list the KDCs at
>> all.
>
>
>
>I had another kinit in my path. I wasn't aware of that. I thought I
>had deleted all the old stuff. Now the new kinit works great. I can use
>kinit with my own account. No more error 52! :)
>

Shawn Iverson

On Friday, January 07, 2005 11:26 AM Dimitri wrote:

>kinit user at YOUR.DOMAIN.ORG returns:
>
>kinit(v5): KRB5 error code 52 while getting initial credentials
>
>Does this error have to do with Windows kerberos ?
>
>Sorry, I know this isn't a kerberos-related mailing list, but 
>if you could tell me what I'm doing wrong, it would be greatly 
>appreciated.  Googling doesn't produce anything useful.
>
>Dimitri
>
>

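As an added example (not code from either correspondent), a small Python checker that applies the test Shawn and Raeburn describe to saved dig output: it confirms the queried name carries the RFC 2782 `_kerberos._tcp` / `_kerberos._udp` labels, parses the SRV answers, and reports whether the client would see TCP KDCs or is in the UDP-only state tied to error 52. The dig fragments and host names below are constructed for the example.

```python
import re
# Constructed dig fragments modelled on the two replies above (host names invented).
DIMITRI_TCP = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13282
;; QUESTION SECTION:
;_kerberos.tcp.HEADQUARTERS.FIRSTBHPH.COM. IN SRV
"""
SHAWN_TCP = """;; QUESTION SECTION:
;_kerberos._tcp.MYREALM.\tIN\tSRV
;; ANSWER SECTION:
_kerberos._tcp.MYREALM.\t600 IN\tSRV\t0 100 88 kdc1.myrealm.
_kerberos._tcp.MYREALM.\t600 IN\tSRV\t0 100 88 kdc2.myrealm.
"""
SHAWN_UDP = SHAWN_TCP.replace("_tcp", "_udp")

QNAME_LINE = re.compile(r"^;(\S+)\s+IN\s+SRV$")
SRV_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")
WELL_FORMED = re.compile(r"^_kerberos\._(tcp|udp)\.", re.IGNORECASE)

def srv_name(realm, proto):
    """Owner name a Kerberos client looks up: _kerberos._<proto>.<REALM>. (RFC 2782 labels)."""
    return f"_kerberos._{proto}.{realm.rstrip('.')}."

def qname_problem(dig_output):
    """Return a note if the name actually queried lacks the underscore on the protocol label."""
    for line in dig_output.splitlines():
        m = QNAME_LINE.match(line.strip())
        if m and not WELL_FORMED.match(m.group(1)):
            return f"{m.group(1)} is not of the form _kerberos._tcp|_udp.<REALM>."
    return None

def parse_srv(dig_output):
    """Extract (priority, weight, port, target) tuples from dig's ANSWER SECTION lines."""
    recs = []
    for line in dig_output.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            recs.append((int(m.group(2)), int(m.group(3)), int(m.group(4)), m.group(5)))
    return recs

def kdc_transport_verdict(tcp_output, udp_output, kdcs_in_krb5_conf=()):
    """Classify what KDC discovery tells the client, following Raeburn's explanation of error 52."""
    tcp, udp = parse_srv(tcp_output), parse_srv(udp_output)
    if tcp:
        return "ok"                 # TCP KDCs advertised; an oversized reply can be retried over TCP
    if kdcs_in_krb5_conf:
        return "config-only"        # no TCP SRV records, but krb5.conf names the KDCs explicitly
    if udp:
        return "udp-only"           # the DNS state Raeburn ties to "KRB5 error code 52"
    return "no-kdc-info"            # nothing found at all; check the query name before the zone
```

Run the checker on the `_tcp` and `_udp` outputs for the realm in question; a `qname_problem` note means the NXDOMAIN says nothing about the zone yet.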


_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null