Kerberos configuration file

Default settings for Kerberos are governed by the file krb5.conf and the environment variable KRB5_CONFIG.
The file krb5.conf containing the Kerberos settings is usually located at /etc/krb5.conf and, for use with PDC, should have the following contents:
[domain_realm]
   .pdc.kth.se = NADA.KTH.SE
[appdefaults]
   forwardable = yes
   forward = yes
   krb4_get_tickets = no
[libdefaults]
   default_realm = NADA.KTH.SE
   dns_lookup_realm = true
   dns_lookup_kdc = true
   allow_weak_crypto = true

If you can't edit /etc/krb5.conf you can, for instance, put this file in ~/pdckrb and then make your environment use this config file by issuing one of:

setenv KRB5_CONFIG  ~/pdckrb/krb5.conf        # for tcsh (linux)

export KRB5_CONFIG=~/pdckrb/krb5.conf         # for bash (linux)

C:\Heimdal>set KRB5_CONFIG=/Heimdal/krb5.conf # for Windows

If you are experiencing problems with your Kerberos tickets take a look at these instructions on how to access PDC when you are behind a NAT/firewall.

Some typical error messages you might get are:

  • kinit: krb5_get_init_creds: Incorrect net address

    This is most likely caused by a NAT firewall (such as a broadband router used for most home connections).

    Remedy: Go to Kerberos and Firewalls and try the --no-addresses option to kinit, or --extra-addresses=xyz.xyz.xyz.xyz with xyz.xyz.xyz.xyz replaced by the IP address of your external NAT interface. This page should give you the address of the external NAT interface in most (but not all) cases.

  • Kerberos V5: mk_req failed (Server not found in Kerberos database)

    This is most often caused by a malfunctioning name server (such as the ones provided by some home consumer ISPs)

    Remedy: You will need to add a file krb5.conf which contains a section [domain_realm] with the correct Kerberos realm information, and you will need to use an environment variable to tell Heimdal the name of your config file (if it is not /etc/krb5.conf). Add this content to the krb5.conf file:

              [domain_realm]
                .nada.kth.se = NADA.KTH.SE
                .pdc.kth.se = NADA.KTH.SE

  • kinit: krb5_get_init_creds: unable to reach any KDC in realm NADA.KTH.SE

    If you get this error message you are most probably behind a firewall that blocks communication with our Kerberos servers.

    Remedy: Go to Kerberos and Firewalls.

  • Time is out of bounds
    If this happens you probably have a time synchronization problem:
    ./kinit
    user@NADA.KTH.SE's Password:
    kinit: Time is out of bounds (krb_rd_req)

    This problem is caused by a lack of synchronization between the system you create your Kerberos ticket on and the one you try to log in to using that Kerberos ticket. Kerberos allows at most 5 minutes of difference between the two system clocks.
    Remedy: Help on synchronizing your system clock can be found here.

  • kinit/tcp unknown service, using default port 2120

    This is not an error message and has no impact on the functionality of Kerberos under normal circumstances. The message informs the user that the kauth/tcp system service is not registered on the client machine as a known service with an assigned port number. The kauth client program therefore selects the default "standard" connection port 2120 when talking to the PDC Kerberos server. This is the wanted behavior.

    On most systems the service-to-port lookup table is the file /etc/services. Note that other Kerberos client programs (kx, telnet, rsh) may produce similar messages, but may use other port numbers than 2120 as the correct default.

  • Client's entry in database has expired
    This message indicates that your Kerberos principal has expired. This happens automatically every other year and means that you cannot get any Kerberos tickets and therefore cannot log in at PDC.
    Remedy: Write an e-mail asking PDC support to extend your Kerberos principal. When this has been done you can log in again using the same password as before.
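To see why the [domain_realm] section above fixes the "Server not found in Kerberos database" case, here is an added example (not code from PDC or from this page) that parses a krb5.conf and resolves a host name to a realm in the same order the Kerberos library uses in outline: an exact host entry first, then the longest matching parent domain, then default_realm from [libdefaults]. The embedded krb5.conf is a constructed sample built from the settings recommended on this page, and no DNS lookups are performed.

```python
"""Resolve a host to a Kerberos realm via the [domain_realm] section of krb5.conf."""
import re

# Constructed sample input: the krb5.conf contents recommended on this page.
SAMPLE_KRB5_CONF = """\
[domain_realm]
   .nada.kth.se = NADA.KTH.SE
   .pdc.kth.se = NADA.KTH.SE
[appdefaults]
   forwardable = yes
[libdefaults]
   default_realm = NADA.KTH.SE
   dns_lookup_realm = true
   dns_lookup_kdc = true
   allow_weak_crypto = true
"""


def parse_krb5_conf(text):
    """Parse the flat 'section / key = value' subset of krb5.conf into nested dicts.
    '#' starts a comment; brace-nested blocks are not needed here and are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return sections


def host_to_realm(hostname, conf):
    """Exact host entry first, then the longest parent-domain entry (keys that
    start with '.'), then [libdefaults] default_realm; None if nothing applies."""
    host = hostname.lower().rstrip(".")
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):  # .pdc.kth.se, then .kth.se, then .se
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return conf.get("libdefaults", {}).get("default_realm")


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for h in ("login.pdc.kth.se", "www.nada.kth.se", "other.example.org"):
        print(h, "->", host_to_realm(h, conf))
```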