Latest revision as of 08:56, 9 May 2013

Description

Work has been done to make krb5 configurationless, and unbreak the default /etc/krb5.conf that was distributed with Fedora 17 and earlier.

Setup

Perform prerequisite setup before you run this test.

Move /etc/krb5.conf away if it exists:

$ sudo mv /etc/krb5.conf /etc/krb5.conf.bak

How to test

Do a kinit against your Active Directory domain. Yes it's vital that you use the fully capitalized form of the domain name.
```
$ kinit Administrator@AD.EXAMPLE.COM
```
You should be prompted for a password, and no error message should be printed.
Now place the default krb5.conf into place. This is the default config distributed with krb5-libs.
```
$ sudo yum reinstall krb5-libs
```
Check that /etc/krb5.conf now exists.
Do a kinit again.
```
$ kinit Administrator@AD.EXAMPLE.COM
```

Expected Results

The kinit commands should complete successfully

Look at the ticket that kinit retrieved. It should look something like:

$ klist -e
Ticket cache: DIR::/run/user/1000/krb5cc_...
Default principal: Administrator@AD.EXAMPLE.COM

Valid starting     Expires            Service principal
10/15/12 00:52:34  10/15/12 10:52:34  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        renew until 10/16/12 00:52:39, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

Troubleshooting

Make sure that you capitalize the domain name.
If the above fails with 'Preauthentication failed' then you probably typed the wrong password.
You may get a prompt to change your password if your kerberos account password has expired, this is normal.

You can move the krb5.conf file back into place if you want. But if it's an excessively broken krb5.conf file, you may want to replace it with the default.

If you see "kinit: Credential cache directory /run/user/1000/krb5cc does not exist while getting default ccache ", you hit the bug [[1]]

@@ Line 2: / Line 2: @@
 |description=Work has been done to make <code>krb5</code> configurationless, and unbreak the default <code>/etc/krb5.conf</code> that was distributed with Fedora 17 and earlier.
 |setup=
-# [[Features/ActiveDirectory/TestBed|Verify that your Active Directory domain access works]]. If you don't have an Active Directory domain, you can [[Features/ActiveDirectory/TestBed|set one up]].
+# Perform [[QA:Testcase_kerberos_setup|prerequisite setup]] before you run this test.
 # Move <code>/etc/krb5.conf</code> away if it exists:
 #: <pre>$ sudo mv /etc/krb5.conf /etc/krb5.conf.bak</pre>
@@ Line 9: / Line 9: @@
 #: <pre>$ kinit Administrator@AD.EXAMPLE.COM</pre>
 #: You should be prompted for a password, and no error message should be printed.
-# Now place the <code>/etc/krb5.conf</code> attached to this ticket into place. This is the default config.
+# Now place the default krb5.conf into place. This is the default config distributed with <code>krb5-libs</code>.
-#: <pre>$ sudo vi /etc/krb5.conf</pre>
+#: <pre>$ sudo yum reinstall krb5-libs</pre>
+#: Check that <code>/etc/krb5.conf</code> now exists.
 # Do a <code>kinit</code> again.
 #: <pre>$ kinit Administrator@AD.EXAMPLE.COM</pre>
@@ Line 28: / Line 29: @@
 }}
-[[Category:Active_Directory_Test_Cases]]
+== Troubleshooting ==
+* Make sure that you capitalize the domain name.
+* If the above fails with 'Preauthentication failed' then you probably typed the wrong password.
+* You may get a prompt to change your password if your kerberos account password has expired, this is normal.
+* You can move the <code>krb5.conf</code> file back into place if you want. But if it's an excessively broken krb5.conf file, you may want to replace it with the default.
+* If you see "kinit: Credential cache directory /run/user/1000/krb5cc does not exist while getting default ccache ", you hit the bug [[https://bugzilla.redhat.com/show_bug.cgi?id=961235]]
+[[Category:Active_Directory_Test_Cases]] [[Category:Kerberos_Test_Cases]]

Search

QA:Testcase kerberos without krb5 conf: Difference between revisions