
Having trouble in kinit command

Former Member
0 Kudos

Hi,

I'm implementing AD authentication in our BO XI 3.1 environment. I have done the steps below to test Kerberos.

1. Created the krb5.ini file and placed it in the C:\Windows folder.

krb5.ini:

[libdefaults]
    default_realm = DOMAIN.NET
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    udp_preference_limit = 1

[domain_realm]
    .domain.net = DOMAIN.NET
    domain.net = DOMAIN.NET

[realms]
    DOMAIN.NET {
        kdc = Host1.domain.net
        kdc = Host2.domain.net
        default_domain = DOMAIN.NET
    }

2. I have changed the Tomcat option in Start -> Tomcat -> Tomcat Configuration -> Java tab:

-Djava.security.krb5.conf=C:\Windows\krb5.ini

When I tried to execute the kinit command, I got the error 'Could not load configuration file c:\winnt\krb5.ini'. I wondered why Java was searching for the krb5.ini file in the c:\winnt folder, when the winnt folder does not exist at all and I have clearly specified the path in the Tomcat Java option.

Then I created a folder 'winnt' on the C:\ drive and placed the krb5.ini file in it. I tried to execute the kinit command again and got the error 'cannot get kdc for realm DOMAIN.NET'.

Please help to resolve this issue.

My queries:

1. Should I do anything at the Domain Controller (AD server) to resolve the issue?

2. From which path should kinit be run, as I have a kinit executable in more than one folder under the Java SDK folder: one in Javasdk\bin\kinit, one in javasdk\jre\bin\kinit and another in javasdk\jre6\bin\kinit?

3. Is it fine to use either slash, '\' or '/', in the Tomcat Java option to specify the path of the krb5.ini and bscLogin.conf files?

Kindly help me get out of this issue, as I have been stuck on it for a long time.

I have also checked the spacing in the krb5.ini file and for firewall issues. Everything is correct, but I am still getting the error.

Accepted Solutions (0)

Answers (1)

satishsoni
Participant
0 Kudos

Hi Deepika,

'Cannot get the kdc for realm': check the [libdefaults] and [realms] sections of krb5.ini for typos and spaces. If the app server and the service account are in different domains, then check whether the BOE server can reach both servers on port 88.

In your case I could see `.domain.net = DOMAIN.NET`, with a . (dot) in front of this line.

Please see SAP Note: 1794675

Regards,

Satish
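The checks Satish describes (typos and stray characters in [libdefaults] and [realms]) can be automated. The following linter is an added example for this thread, not code from the original posts or from SAP; it also catches the two defects Deepika reports later in the thread, a realm block written as `DOMAIN.NET {` without the `=` and `KDC =` in upper case where the Java Kerberos parser expects `kdc`. The recognised key lists are assumptions drawn from the MIT/Java krb5.conf documentation, and the two sample configs at the bottom are constructed from the files posted in the thread. Note that the linter deliberately accepts `.domain.net = DOMAIN.NET` in [domain_realm]: the leading dot is standard syntax meaning "every host under domain.net".

```python
"""Linter for krb5.ini files, written as an added example for the thread above.
Flags: a section header missing its '[', a realm block missing the '=',
upper-case realm keys such as 'KDC', unknown [libdefaults] keys, and
key lines without a value."""

import re
from typing import List, Optional

# Keys the Java/MIT parser recognises in [libdefaults] (assumed list, taken
# from the krb5.conf documentation); anything else is most likely a typo.
LIBDEFAULTS_KEYS = {
    "default_realm", "dns_lookup_kdc", "dns_lookup_realm",
    "default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes",
    "udp_preference_limit", "allow_weak_crypto", "forwardable", "proxiable",
    "renewable", "ticket_lifetime", "renew_lifetime", "clockskew",
    "kdc_timeout", "max_retries", "noaddresses", "canonicalize",
}
# Keys allowed inside a realm block. They are case-sensitive: 'KDC' is not 'kdc'.
REALM_KEYS = {"kdc", "admin_server", "default_domain", "kpasswd_server", "master_kdc"}

SECTION_RE = re.compile(r"^\[([A-Za-z_]+)\]$")


def lint_krb5(text: str) -> List[str]:
    """Return human-readable problems found in the krb5.ini text; [] means clean."""
    problems: List[str] = []
    section: Optional[str] = None
    realm: Optional[str] = None

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue

        # Section headers: "[name]" with both brackets.
        m = SECTION_RE.match(line)
        if m:
            section, realm = m.group(1).lower(), None
            continue
        if line.endswith("]") and "=" not in line:
            # e.g. "libdefaults]": the '[' was lost, so the keys below land in no section.
            problems.append(f"line {lineno}: section header '{line}' is missing its opening '['")
            section, realm = line.rstrip("]").lstrip("[").lower(), None
            continue

        # Realm blocks inside [realms]: must be written "REALM = {" ... "}".
        if section == "realms":
            if line.endswith("{"):
                head = line[:-1].strip()
                if head.endswith("="):
                    realm = head[:-1].strip()
                else:
                    realm = head
                    problems.append(f"line {lineno}: realm block must be written '{head} = {{', the '=' is missing")
                if realm != realm.upper():
                    problems.append(f"line {lineno}: realm '{realm}' should be upper case (realm names are case-sensitive)")
                continue
            if line == "}":
                realm = None
                continue

        # Everything else is a "key = value" line.
        if "=" not in line:
            problems.append(f"line {lineno}: '{line}' is not a 'key = value' line")
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if not value:
            problems.append(f"line {lineno}: '{key}' has no value")
        if section == "libdefaults" and key not in LIBDEFAULTS_KEYS:
            problems.append(f"line {lineno}: '{key}' is not a known [libdefaults] key (typo?)")
        elif section == "realms":
            if realm is None:
                problems.append(f"line {lineno}: '{key}' is outside any 'REALM = {{ ... }}' block")
            elif key != key.lower() and key.lower() in REALM_KEYS:
                problems.append(f"line {lineno}: '{key}' must be lower case '{key.lower()}'; the parser is case-sensitive")
            elif key not in REALM_KEYS:
                problems.append(f"line {lineno}: unknown realm key '{key}'")
        # [domain_realm] lines such as ".domain.net = DOMAIN.NET" are valid as they are.
    return problems


# Constructed sample: the thread's first config with the three defects that
# were discussed (lost '[', missing '=', upper-case 'KDC').
BROKEN_INI = """\
libdefaults]
    default_realm = DOMAIN.NET
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    udp_preference_limit = 1
[domain_realm]
    .domain.net = DOMAIN.NET
    domain.net = DOMAIN.NET
[realms]
    DOMAIN.NET {
        KDC = Host1.domain.net
        kdc = Host2.domain.net
        default_domain = DOMAIN.NET
    }
"""

FIXED_INI = (BROKEN_INI.replace("libdefaults]", "[libdefaults]")
                       .replace("DOMAIN.NET {", "DOMAIN.NET = {")
                       .replace("KDC =", "kdc ="))

if __name__ == "__main__":
    for name, ini in (("broken", BROKEN_INI), ("fixed", FIXED_INI)):
        print(f"{name}: {lint_krb5(ini) or 'OK'}")
```

Run it against the real file with `python lint_krb5.py` after pointing the two constants at its contents; the three messages it prints for the broken sample are exactly the three problems the thread works through one post at a time.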

Former Member
0 Kudos

Hi Satish,

Thanks for your reply. I have checked for typos in the libdefaults and realms sections. Everything is fine. My app server and service account are in the same domain.

What do you mean by the statement below?

"In your case I could see `.domain.net = DOMAIN.NET`, with a . (dot) in front of this line."

I have zeroed in on the issue. I'm getting the error because kinit is not picking up the path mentioned in the Tomcat Java option. I did the following and noted down the error messages.

1. I removed my krb5.ini and bscLogin.conf files from the C:\Windows folder and also removed the -Djava options in the Tomcat Java tab. I ran kinit and got the error message 'Could not load configuration file c:\winnt\krb5.ini'.

2. I created the krb5.ini and bscLogin files and put them in the C:\Windows folder. I added the -Djava options in the Tomcat Configuration and restarted it. I got the same error for the kinit command: 'Could not load configuration file c:\winnt\krb5.ini'.

The thing is, kinit is not picking up the Java option mentioned in Tomcat at all. By default it throws the same error whether I placed the krb5.ini file and added the -Djava option or removed the krb5.ini and removed the -Djava option.

The Java options I placed in the Tomcat Configuration are:

-Djava.security.auth.login.config=C:/Windows/bscLogin.conf

-Djava.security.krb5.conf=C:/Windows/krb5.ini

Please confirm whether the '/' is correct, as we use '\' to specify paths in Windows, but in all the Java options I could see '/'.

3. I created a folder 'winnt' on the C:\ drive, placed the krb5.ini and bscLogin files there and set the Java option accordingly. I got the error 'cannot get kdc for realm'. I got this error even when I didn't mention the path C:\winnt\krb5.ini in Tomcat. So this means that by default it is taking that path.

Please help me resolve this error.

satishsoni
Participant
0 Kudos

Hi Deepika,

If you have copied the contents of the krb5.ini file here, then the line below has a typo in it,

which is the . (dot) in front of the following line:

.domain.net = DOMAIN.NET

Please see your first post, or see the contents of your krb5.ini file, and correct it.

Yes, by default it takes the C:\winnt folder for krb5.ini, and it is best practice to keep these files there.

And you need to use the backslash: "\"

For example:

-Djava.security.auth.login.config=c:\winnt\bsclogin.conf

-Djava.security.krb5.conf=c:\winnt\krb5.ini

Regards,

Satish

0 Kudos

Hi,

By default the kinit command looks in "C:\WINNT\" for the krb5.ini file. I'm not aware of any parameter that makes kinit look in another location for the file. For running tests with kinit, just copy the file to the location above. For your Tomcat configuration you can deploy the files wherever you want and point Tomcat to them.

With regard to your error, can you ping the KDC by IP address and by name from the BO server?

Regards

-Seb.

Former Member
0 Kudos

Hi Satish,

I have removed the dot in the krb5.ini file, created the winnt folder and placed the files at this location.

Now I am getting the 'cannot get kdc for realm DOMAIN.NET' error. I had made a mistake in my krb5.ini file, i.e. I missed the '=' in the realms section: DOMAIN.NET = {.....}

I corrected the error and expected the error to go away, but I'm still getting it.

I have checked the spaces and the case of the letters. Nothing is working.

Please tell me if I'm missing anything else.

Regards,

Deepika Palani

Former Member
0 Kudos

Hi Sebastian,

Thanks for your reply. I have created the C:\winnt folder and placed the files there. I am still getting the error 'cannot get kdc for the realm'.

Yes, I have tried to ping the domain controller with the command '>ping hostname' and I am able to ping it without any issue.

satishsoni
Participant
0 Kudos

Hi Deepika,

Can you paste your krb5.ini file contents here?

Regards,

Satish

former_member189884
Contributor
0 Kudos

Make sure all of the domain and host names are ALL in capital letters.

This section is probably not needed; you should try it without, too:

[domain_realm]

.domain.net = DOMAIN.NET

domain.net = DOMAIN.NET

Former Member
0 Kudos

Hi Satish,

Now the error 'cannot get kdc for realm' has been resolved. The mistake I made in the krb5.ini file was that I put KDC instead of kdc. It works when I change the upper case into lower case.

My exact krb5.ini content is:

[libdefaults]
    default_realm = DOMAIN.NET
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    udp_preference_limit = 1

[realms]
    DOMAIN.NET = {
        kdc = HOST.DOMAIN.NET
        default_domain = DOMAIN.NET
    }

But now I'm getting the error 'KDC has no support for encryption type'. I have mentioned rc4-hmac in the file.

Regards,

Deepika Palani

Former Member
0 Kudos

Hi Josh,

I have corrected the names to all caps. Now I am getting 'kdc has no support for encryption type'.

My krb5.ini is:

[libdefaults]
    default_realm = DOMAIN.NET
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    udp_preference_limit = 1

[realms]
    DOMAIN.NET = {
        kdc = HOST.DOMAIN.NET
        default_domain = DOMAIN.NET
    }

I have tried including 'allow_weak_crypto = true', but no luck. I am getting the same error.

One option I have found is changing the properties of the service account by enabling the 'Use DES encryption' option. But I want to know: will this change be an issue in future? Do I need to check this option for all the users in AD?

0 Kudos

Hi,

Yes, you can try this. But afterwards you should also change the following parameters:

default_tkt_enctypes = des-cbc-crc

default_tgs_enctypes = des-cbc-crc

Regards

-Seb.

Former Member
0 Kudos

Finally kinit is working.

The issue was that in the KDC the 'Use DES encryption' option was checked for the service account, which prevents Kerberos from using the default rc4-hmac. I unchecked the option on my service account, tried again with rc4-hmac in my krb5.ini, and it worked well.

Thanks for all your replies.

former_member189884
Contributor
0 Kudos

Do not use DES on the service account. If the DC you are connecting to is a 2008 DC, then DES is not supported by default and in fact has to be enabled. RC4 is more secure than DES.

Former Member
0 Kudos

Hello,

For today's reader, in 2016: don't use RC4 as the Kerberos encryption algorithm!

See:

Kerberos(SSO): throw RC4 away, adopt AES !

Regards,

Stéphane
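To make the encryption-type discussion in the last few posts concrete (the 'KDC has no support for encryption type' error while 'Use DES encryption' was ticked, Deepika's fix of unticking it so rc4-hmac works, Josh's warning against DES, and Stéphane's advice to move to AES), here is an added example that models how the KDC chooses a key type for an account. It is not code from the thread or from SAP. The userAccountControl flag (0x200000, the bit behind the 'Use DES encryption types for this account' checkbox) and the msDS-SupportedEncryptionTypes bit values come from Microsoft's MS-ADTS and MS-KILE specifications; the account attribute values fed into it are constructed, and the rule that an account with no msDS-SupportedEncryptionTypes value gets RC4 is a simplification of DC behaviour stated as an assumption in the code.

```python
"""Model of Kerberos enctype selection for an AD account, added as an example
for the thread above. Shows why a DES-only service account fails a client that
asks for rc4-hmac, why clearing the DES flag fixes it, and what an AES-only
account plus matching krb5.ini [libdefaults] looks like."""

from typing import List, Optional, Set

# userAccountControl bit set by 'Use DES encryption types for this account'.
# With it set the KDC will only use DES keys for the account (MS-ADTS).
UF_USE_DES_KEY_ONLY = 0x200000
NORMAL_ACCOUNT = 0x200  # baseline userAccountControl for a user object

# msDS-SupportedEncryptionTypes bitmask (MS-KILE 2.2.7).
ENCTYPE_BITS = {
    "des-cbc-crc": 0x01,
    "des-cbc-md5": 0x02,
    "rc4-hmac": 0x04,
    "aes128-cts-hmac-sha1-96": 0x08,
    "aes256-cts-hmac-sha1-96": 0x10,
}
WEAK = {"des-cbc-crc", "des-cbc-md5", "rc4-hmac"}

AES_ONLY = ENCTYPE_BITS["aes128-cts-hmac-sha1-96"] | ENCTYPE_BITS["aes256-cts-hmac-sha1-96"]
AES_PREF = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"]


def account_enctypes(user_account_control: int, supported_enctypes: Optional[int]) -> Set[str]:
    """Enctypes the KDC will issue keys for on this account (simplified model)."""
    if user_account_control & UF_USE_DES_KEY_ONLY:
        return {"des-cbc-crc", "des-cbc-md5"}
    if not supported_enctypes:
        # Assumption: attribute absent or 0 means the DC falls back to RC4.
        return {"rc4-hmac"}
    return {name for name, bit in ENCTYPE_BITS.items() if supported_enctypes & bit}


def negotiate(client_pref: List[str], account: Set[str]) -> str:
    """First enctype in the client's krb5.ini order that the account has a key
    for; raises with kinit's wording when there is none."""
    for enctype in client_pref:
        if enctype in account:
            return enctype
    raise ValueError("KDC has no support for encryption type")


def weak_enctypes(account: Set[str]) -> Set[str]:
    """Weak enctypes still enabled on the account; empty is the goal."""
    return account & WEAK


def libdefaults_for(enctypes: List[str]) -> List[str]:
    """krb5.ini [libdefaults] lines that pin the client to the given enctypes."""
    value = " ".join(enctypes)
    return [f"default_tkt_enctypes = {value}",
            f"default_tgs_enctypes = {value}",
            f"permitted_enctypes = {value}"]


if __name__ == "__main__":
    rc4 = ["rc4-hmac"]
    # 1. The thread's failure: DES box ticked, krb5.ini asks for rc4-hmac.
    try:
        negotiate(rc4, account_enctypes(NORMAL_ACCOUNT | UF_USE_DES_KEY_ONLY, None))
    except ValueError as e:
        print("DES-only account, rc4-hmac client:", e)
    # 2. The thread's fix: DES box unticked, rc4-hmac still requested.
    acct = account_enctypes(NORMAL_ACCOUNT, None)
    print("DES unticked:", negotiate(rc4, acct), "| weak enctypes left:", weak_enctypes(acct))
    # 3. Hardened: AES-only service account and a krb5.ini that matches it.
    acct = account_enctypes(NORMAL_ACCOUNT, AES_ONLY)
    print("AES account:", negotiate(AES_PREF, acct), "| weak enctypes left:", weak_enctypes(acct))
    print("\n".join(libdefaults_for(AES_PREF)))
```

The third scenario is the one to aim for: set msDS-SupportedEncryptionTypes on the service account to AES only, leave the DES checkbox clear, and replace the rc4-hmac lines in krb5.ini with the AES preference list the script prints. Keep in mind that once the account is AES-only, a client that still lists only rc4-hmac fails with exactly the error from this thread, so the krb5.ini and the account must be changed together.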