Results 1 to 2 of 2

Thread: Kerberos foreign principal issue

Hybrid View

  1. #1
    Join Date
    Jan 2010
    Rep Power

    Default Kerberos foreign principal issue

    I am trying to set up kerberos auth for a 6.0.4 FOSS install with these instructions. At first I was trying to point to our main University KDC, but kept seeing errors that ended with "Cannot get kdc for realm". The principal mapping is setup and according to the same log message is passing the correct principal on, but zimbra can't seem to get to the KDC. I am able to kinit and get a ticket.

    The krb5.conf file that is provided to us relies entirely on DNS lookups, so assuming there may be some hokey DNS SRV records causing me issue here, I tried different DNS servers in the resolv.conf, and fiddled with the zimbraAuthKerberos5Realm setting, but no change in behavior.

    We have a krb5 server in our department and we do not use DNS SRV records, so I swapped out my krb5.conf, and changed the zimbraAuthKerberos5Realm to our local realm. Again, I can get a ticket with kinit, but I get the same error about "Cannot get kdc for realm".

    I have tried putting my krb5.conf and krb5.keytab files in /etc and in /opt/zimbra/conf, but it doesn't seem to help.

    So I have two questions: How is the initial contact with the KDC initiated that I would be seeing an error that has more to do with connectivity than the auth mechanism? How do I display the current values for an attribute? For example, if I run zmprov md myserver zimbraAuthKerberos5Realm MYREALM, how do I verify what the zimbraAuthKerberos5Realm is set to?


  2. #2
    Join Date
    Jan 2010
    Rep Power


    So I got this working. Apparently the krb5.conf information is pulled into zimbra upon startup, because it does not recognize changes to the krb5 configs unless I restart zimbra.

    Even still, when the krb5.conf is set to find kdc's via DNS, zimbra cannot find the kdc. When I tracked down the IP's of the KDC's and put them in the krb5.conf file, zimbra was able to auth from the KDC. Based on a quick search this is a limitation of how java does kerberos, it expects that everyone specifies a kdc in the krb5.conf.

    Before I mark this as solved, can anyone tell me if there is a specific service I can restart to have the krb5 settings refreshed without restarting the entire zimbra stack?


Similar Threads

  1. ZCO sync issue
    By btsang in forum Zimbra Connector for Outlook
    Replies: 10
    Last Post: 09-22-2009, 11:19 AM
  2. Local mail issue or setup issue?
    By FlyingFish in forum Administrators
    Replies: 0
    Last Post: 09-22-2009, 09:04 AM
  3. Zimbra desktop and AVG Free 8.0 Issue
    By mannix77 in forum General Questions
    Replies: 6
    Last Post: 09-25-2008, 12:34 PM
  4. Intermittent issue (issue# 5852) ?
    By nick20 in forum Installation
    Replies: 1
    Last Post: 02-08-2006, 01:47 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts