MS-KKDCP - client configuration

Jochen Hein jochen at
Tue Jul 12 12:15:48 PDT 2016


I've been trying to get my FreeIPA client to get a ticket from my KDC
using MS-KKDC, but failed until today. The final hint I got was from an
"strace kinit" run:

stat("/usr/lib/x86_64-linux-gnu/krb5/plugins/tls/", 0x7fffdd894dc0) = -1 ENOENT (No such file or directory)

I found the (Debian/Ubuntu) package krb5-k5tls, installed it and it

It would have been nice to have a hint about the needed package at
or in the ocserv.conf file:

           # You can have the same path used for multiple realms. To authenticate
           # in client side, in MIT kerberos you'll need to add in krb5.conf:
           #   EXAMPLE.COM = {
           #     kdc =
           #     http_anchors = FILE:/etc/ocserv-ca.pem
           #   }
+          # You'll need the package krb5-k5tls installed at the client
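
Review bot: the added comment line names krb5-k5tls without saying that this is the Debian/Ubuntu package name, and the message itself reports that on Fedora the file comes with krb5-libs and no further package is needed. Suggest scoping the line, for example "On Debian/Ubuntu clients the krb5-k5tls package must also be installed.", and ending it with a period like the sentence above it.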

Even more useful would be a better message from kinit, but that seems to
be quite hard.  And a cross check on a Fedora system has that file
installed with the krb5-libs packages - no further packages needed.

Do you think it would be possible to add a hint for further
Debian/Ubuntu users?
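
A client-side check for the failure described in this message, added here as an example and not part of the original post or of ocserv: it flags a krb5.conf that points at an HTTPS (MS-KKDCP) KDC while the libkrb5 TLS plugin directory is missing or empty. The function names, the sample KDC URL and the temporary files are constructed for illustration; on a real Debian/Ubuntu client the directory to pass is the one shown in the strace line.

```shell
#!/bin/sh
# Added example: detect "HTTPS KDC configured, TLS plugin not installed".

# Print every "kdc = https://..." line found in the given krb5.conf.
https_kdc_lines() {
    grep -E '^[[:space:]]*kdc[[:space:]]*=[[:space:]]*https://' "$1"
}

# Succeed if the plugin directory exists and holds at least one .so module.
tls_plugin_present() {
    [ -d "$1" ] || return 1
    for f in "$1"/*.so; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# Return 0 when the client is fine, 1 when an HTTPS KDC is configured
# but no TLS plugin module is available to libkrb5.
check_kkdcp_client() {
    conf=$1 plugin_dir=$2
    if https_kdc_lines "$conf" >/dev/null && ! tls_plugin_present "$plugin_dir"; then
        echo "HTTPS KDC in $conf but no TLS plugin in $plugin_dir" >&2
        echo "(Debian/Ubuntu: install krb5-k5tls)" >&2
        return 1
    fi
    return 0
}

# Demo on constructed input: one empty plugin dir, one with a stand-in module.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/tls-empty" "$tmp/tls-ok"
    : > "$tmp/tls-ok/k5tls.so"      # constructed stand-in for the plugin module
    cat > "$tmp/krb5.conf" <<'EOF'
[realms]
  EXAMPLE.COM = {
    kdc = https://kkdcp.example.com/KdcProxy
    http_anchors = FILE:/etc/ocserv-ca.pem
  }
EOF
    check_kkdcp_client "$tmp/krb5.conf" "$tmp/tls-empty"; missing=$?
    check_kkdcp_client "$tmp/krb5.conf" "$tmp/tls-ok"; ok=$?
    rm -rf "$tmp"
    echo "plugin missing -> $missing, plugin present -> $ok"
}
demo
```

On a real client, call `check_kkdcp_client /etc/krb5.conf /usr/lib/x86_64-linux-gnu/krb5/plugins/tls` instead of `demo`.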


