Hi,

I've been trying to get my FreeIPA client to get a ticket from my KDC using MS-KKDC, but failed until today. The final hint I got was from an "strace kinit" run:

stat("/usr/lib/x86_64-linux-gnu/krb5/plugins/tls/k5tls.so", 0x7fffdd894dc0) = -1 ENOENT (No such file or directory)

I found the (Debian/Ubuntu) package krb5-k5tls, installed it and it worked!

It would have been nice to have a hint about the needed package at http://www.infradead.org/ocserv/recipes-ocserv-kerberos.html or in the ocserv.conf file:

 # You can have the same path used for multiple realms. To authenticate
 # in client side, in MIT kerberos you'll need to add in krb5.conf:
 # EXAMPLE.COM = {
 # kdc = https://ocserv.example.com/KdcProxy
 # http_anchors = FILE:/etc/ocserv-ca.pem
 # }
+ # You'll need the package krb5-k5tls installed at the client

Even more useful would be a better message from kinit, but that seems to be quite hard. And a cross check on a Fedora system has that file installed with the krb5-libs packages - no further packages needed.

Do you think it would be possible to add a hint for further Debian/Ubuntu users?

Jochen

-- 
The only problem with troubleshooting is that the trouble shoots back.
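
Review bot: The added "+" comment names krb5-k5tls without saying it is a Debian/Ubuntu package, while ocserv.conf is read on every distribution and the message itself reports that Fedora ships the file in krb5-libs. Suggest wording it as "# On Debian/Ubuntu clients this needs the krb5-k5tls package (provides krb5/plugins/tls/k5tls.so)", so that readers on other systems know which file to look for rather than a package name that may not exist for them.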
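
Added example (not part of the original message and not ocserv's own code): a POSIX shell check for the failure described above, where krb5.conf points kinit at an HTTPS KDC proxy but the k5tls.so plugin is not installed. The function names, the K5_PLUGIN_DIRS variable and the /usr/lib64 directory are assumptions; the Debian/Ubuntu directory is the one from the strace output.

```shell
#!/bin/sh
# Plugin base directories to search. The first is the Debian/Ubuntu amd64
# path seen in the strace output; the second is an assumed lib64 layout.
K5_PLUGIN_DIRS="${K5_PLUGIN_DIRS:-/usr/lib/x86_64-linux-gnu/krb5/plugins /usr/lib64/krb5/plugins}"

# Print each "kdc = https://..." URL from the given krb5.conf.
# Commented-out lines (# or ;) do not match because the key must come first.
https_kdcs() {
    sed -n 's|^[[:space:]]*kdc[[:space:]]*=[[:space:]]*\(https://[^[:space:]]*\).*$|\1|p' "$1"
}

# Print the path of the first k5tls.so found; return 1 if there is none.
find_k5tls() {
    for dir in $K5_PLUGIN_DIRS; do
        if [ -f "$dir/tls/k5tls.so" ]; then
            printf '%s\n' "$dir/tls/k5tls.so"
            return 0
        fi
    done
    return 1
}

# Return 1 only when an HTTPS KDC proxy is configured and the plugin is absent.
check_kdcproxy_client() {
    conf=$1
    urls=$(https_kdcs "$conf")
    if [ -z "$urls" ]; then
        echo "OK: no HTTPS KDC proxy configured in $conf"
        return 0
    fi
    if plugin=$(find_k5tls); then
        echo "OK: HTTPS KDC proxy configured, TLS plugin found at $plugin"
        return 0
    fi
    echo "MISSING: $conf uses an HTTPS KDC proxy but k5tls.so was not found" >&2
    echo "  proxies:" $urls >&2
    echo "  on Debian/Ubuntu the plugin is in the krb5-k5tls package" >&2
    return 1
}

# Stand-alone use: sh check.sh /etc/krb5.conf
if [ "$#" -gt 0 ]; then
    check_kdcproxy_client "$1"
fi
```
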