kerberos >> kinit: Cannot contact any KDC for requested realm while getting initial credentials

by celia.clark » Wed, 29 Mar 2006 22:50:22 GMT

Hi,

I am having problems using kinit, with keytab and username/password.

When issuing the kinit command I get the following error:
kinit: Cannot contact any KDC for requested realm while getting initial
credentials
There is a firewall between the webservers where I issue the command from
and the domain controller.
The webservers are able to connect to the domain controller on port 88 over
UDP.

The webservers are able to resolve themselves and the domain controller,
both forward and reverse lookup.

Do any of you guys out there have an idea of what is going wrong?

Many thanks,

Celia
________________________________________________
Kerberos mailing list XXXX@XXXXX.COM
https://mailman.mit.edu/mailman/listinfo/kerberos


kerberos >> kinit: Cannot contact any KDC for requested realm while getting initial credentials

by jeremyh » Thu, 30 Mar 2006 06:32:55 GMT

You do not say if this is a new or updated webserver, or one that has
just stopped working. I assume the former.

Do the webservers work without the firewall? Can you test this by moving
the webserver the other side of the firewall (where it is not exposed to
the outside world)?

If so, when it is back in place do you have access to the logs of
dropped packet? Generally a firewall administrator can monitor dropped
packets while you do a kinit command.

If not, it is probably a configuration file issue. I suggest you check
that your default realm is defined in the libdefaults section of your
krb5.conf and that there is a matching realm section with a kdc defined,
or that the kdc name as it appears in the krb5.conf is resolvable from
your DNS on the webserver. Otherwise, if you have a previously working
webserver, check that all its configuration files match those of this
new one.

I hope that helps,

Jeremy

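The configuration checks Jeremy lists (a default_realm in [libdefaults], a matching [realms] entry with at least one kdc, and kdc names that resolve) can be scripted. The block below is an added example, not code from this thread or from MIT Kerberos: it parses the profile format the krb5.conf files quoted on this page use (sections, key = value, nested braces, repeated kdc lines, and the host:port form), then runs those checks. The sample config and the dictionary-backed resolver are constructed so the check runs offline; swap in the default socket.gethostbyname to test a real host.

```python
"""Check a krb5.conf for the problems Jeremy's reply describes.
Added example; the sample config and fake resolver are constructed."""
import re
import socket
from typing import Callable, Dict, List, Optional, Union


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Minimal krb5.conf profile parser: [sections], key = value, nested { }.
    A key that repeats inside one block (several kdc = lines) becomes a list."""
    sections: Dict[str, dict] = {}
    stack: List[dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"key outside any section: {line}")
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":                      # start of a nested block, e.g. REALM = {
            sub: dict = {}
            stack[-1][key] = sub
            stack.append(sub)
            continue
        existing = stack[-1].get(key)
        if existing is None:
            stack[-1][key] = value
        elif isinstance(existing, list):
            existing.append(value)
        else:
            stack[-1][key] = [existing, value]
    if len(stack) > 1:
        raise ValueError("unclosed '{'")
    return sections


def _as_list(value: Union[None, str, list]) -> List[str]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_kdc_config(text: str,
                     resolve: Callable[[str], str] = socket.gethostbyname) -> List[str]:
    """Return the list of problems found; an empty list means the config passes."""
    problems: List[str] = []
    conf = parse_krb5_conf(text)
    realm: Optional[str] = conf.get("libdefaults", {}).get("default_realm")
    if not realm:
        return ["no default_realm in [libdefaults]"]
    realm_cfg = conf.get("realms", {}).get(realm)
    if not isinstance(realm_cfg, dict):
        return [f"no [realms] entry for {realm}"]
    kdcs = _as_list(realm_cfg.get("kdc"))
    if not kdcs:
        problems.append(f"realm {realm} has no kdc = line")
    for kdc in kdcs:
        host, _, port = kdc.partition(":")   # "host:88" form, as in the configs on this page
        if port and not port.isdigit():
            problems.append(f"bad port in kdc entry {kdc!r}")
        try:
            resolve(host)                     # what libkrb5 must be able to do before sending AS_REQ
        except OSError:
            problems.append(f"kdc {host} does not resolve")
    return problems


# Constructed sample config (not from the thread).
SAMPLE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com:88
        kdc = kdc2.example.com
        admin_server = kdc1.example.com:749
    }

[domain_realm]
    .example.com = EXAMPLE.COM
"""


def fake_resolver(known: Dict[str, str]) -> Callable[[str], str]:
    """Offline stand-in for socket.gethostbyname backed by a constructed table."""
    def resolve(host: str) -> str:
        if host in known:
            return known[host]
        raise socket.gaierror(f"cannot resolve {host}")
    return resolve


if __name__ == "__main__":
    table = {"kdc1.example.com": "192.0.2.10"}        # kdc2 deliberately missing
    print(check_kdc_config(SAMPLE_CONF, fake_resolver(table)))
```

Run it against the real file with `check_kdc_config(open("/etc/krb5.conf").read())` once the firewall question is settled; a clean result there narrows the problem to the network path, which is the split Jeremy's reply draws.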

Similar Threads

1. Cannot contact any KDC for requested realm while getting initial credentials

Hi all, I'm having a very strange problem below that I
cannot figure out.  Any advice would be great to hear.

First a block showing the problem, then a block showing
that a different machine works perfectly fine (and others
I've tested but not showing here for briefness).

Basically, the master KDC, rcf-kdc1.foo.com, can't seem
to do jack.

============================================================
rcf-kdc1# grep hosts /etc/nsswitch.conf
hosts:      files dns
rcf-kdc1#

rcf-kdc1# cat /etc/krb5.conf
[libdefaults]
     default_realm = RCF.FOO.COM
     forwardable = yes
     ticket_lifetime = 7d

[appdefaults]
     forwardable = yes

[domain_realm]
     .foo.com = RCF.FOO.COM

[realms]
     RCF.FOO.COM = {
         kdc = rcf-kdc1.foo.com
         kdc = rcf-kdc2.foo.com
         kdc = rcf-kdc3.foo.com
         admin_server = rcf-kdc1.foo.com
}

[logging]
         kdc = FILE:/var/adm/krb5kdc.log
         admin_server = FILE:/var/adm/kadmin.log
         default = FILE:/var/adm/krb5lib.log

rcf-kdc1# uname -n
rcf-kdc1.foo.com

rcf-kdc1# nslookup rcf-kdc1.foo.com
Server:         1xx.xx.xx.xxx
Address:        1xx.xx.xx.xxx#53

Name:   rcf-kdc1.foo.com
Address: 1xx.xx.xx.yyy

rcf-kdc1# kinit -p jblaine
kinit(v5): Cannot contact any KDC for realm 'RCF.FOO.COM' while getting
initial credentials

rcf-kdc1# ps -ef | grep krb5kdc
root      6837     1  0 13:21 ?        00:00:00
/var/rcf-kdc1-krb5/sbin/krb5kdc
root     14166  2856  0 16:57 pts/0    00:00:00 grep krb5kdc

rcf-kdc1# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
rcf-kdc1#

============================================================

~:cairo> cat /etc/krb5.conf
[libdefaults]
     default_realm = RCF.FOO.COM
     forwardable = yes
     ticket_lifetime = 7d

[appdefaults]
     forwardable = yes

[domain_realm]
     .foo.com = RCF.FOO.COM

[realms]
     RCF.FOO.COM = {
         kdc = rcf-kdc1.foo.com
         kdc = rcf-kdc2.foo.com
         kdc = rcf-kdc3.foo.com
         admin_server = rcf-kdc1.foo.com
}

[logging]
         kdc = FILE:/var/adm/krb5kdc.log
         admin_server = FILE:/var/adm/kadmin.log
         default = FILE:/var/adm/krb5lib.log

~:cairo> kinit -p jblaine
Password for  XXXX@XXXXX.COM :
~:cairo>

2. Cannot resolve network address for KDC in requested realm while getting initial credentials

3. validating keytab files: Cannot find KDC for requested realm while getting initial credentials

I am able to validate (test) keytab files for service1/ XXXX@XXXXX.COM  and service2/ XXXX@XXXXX.COM  using the command "kinit -5 -k -t keytab-file service-principal" from host1.us.foo.com, but when I try to validate a keytab file for service3/ XXXX@XXXXX.COM  from host1.us.foo.com I get the following error:

kinit(v5): Cannot find KDC for requested realm while getting initial credentials

krb5.conf says:

[realms]
    FOO.COM = {
        kdc = ...foo.com:88
        ...
   }

[domain_realm]
    .foo.com = FOO.COM

Is this behavior expected? Do I need to be "on" a host in .au.foo.com to validate a keytab for service3/ XXXX@XXXXX.COM ? Thanks.

Frank

4. KDC policy rejects request while getting initial credentials

5. AIX 5.3: kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials

Hi list,

kinit (krb5 1.4.2) on an AIX 5.3 gives me
# /usr/local/bin/kinit -k -t foobar.keytab 
foobar/ XXXX@XXXXX.COM 
kinit(v5): Cannot resolve network address for KDC in requested realm 
while getting initial credentials

From a working Linux krb5 1.4.2 installation I copied /etc/krb5.conf
and foobar.keytab to AIX 5.3. The following steps don't differ from the
steps I did under Linux.

# ./configure --without-krb4 --enable-shared
# make && make install

Using gcc 3.3.2.
I found a patch for krb5 1.4.1 for AIX 5.2 from Ken Raeburn, but as far 
as I see it is fixed in 1.4.2.

My krb5.conf looks like this:
[libdefaults]
         default_realm = EXAMPLE.NET
         clockskew = 300

[realms]
         EXAMPLE.NET = {
                 kdc = foo.example.net:88
                 admin_server = foo.example.net:749
                 default_domain = example.net
                 kpasswd_server = foo.example.net
         }

[domain_realm]
         .example.net = EXAMPLE.NET
         example.net = EXAMPLE.NET

[logging]
         default = SYSLOG:NOTICE:DAEMON
         kdc = FILE:/var/log/kdc.log
         kadmind = FILE:/var/log/kadmind.log

[appdefaults]
         pam = {
                 ticket_lifetime = 1d
                 renew_lifetime = 1d
                 forwardable = true
                 proxiable = false
                 retain_after_close = false
                 minimum_uid = 0
                 debug = false
         }

Trying to analyze with tcpdump, I see DNS queries A, AAAA, and AAAA with
my domain name doubled, and then again from the beginning.
The A record is answered correctly, the AAAA can't be (no IPv6).

13:00:09.595177 10.20.30.56.41629 > bar.example.net.domain: [udp sum ok] 
  65423+ A? foo.example.net. (34) (ttl 30, id 30399, len 62)
13:00:09.595729 bar.example.net.domain > 10.20.30.56.41629: [udp sum ok] 
  65423* q: A? foo.example.net. 1/2/2 foo.example.net. A foo.example.net 
ns: example.net. NS bar.example.net., example.net. NS bar2.example.net. 
ar: bar.example.net. A bar.example.net, bar2.example.net. A 
bar2.example.net (128) (ttl 30, id 35101, len 156)
13:00:09.597500 10.20.30.56.41630 > bar.example.net.domain: [udp sum ok] 
  65424+ AAAA? foo.example.net. (34) (ttl 30, id 30400, len 62)
13:00:09.597886 bar.example.net.domain > 10.20.30.56.41630: [udp sum ok] 
  65424* q: AAAA? foo.example.net. 0/1/0 ns: example.net. SOA 
bar.example.net. tux.example.net. 2005110800 14400 600 259200 86400 (87) 
(ttl 30, id 35102, len 115)
13:00:09.597928 10.20.30.56.41630 > bar.example.net.domain: [udp sum ok] 
  65425+ AAAA? foo.example.net.example.net. (42) (ttl 30, id 30401, len 70)
13:00:09.598273 bar.example.net.domain > 10.20.30.56.41630: [udp sum ok] 
  65425 NXDomain* q: AAAA? foo.example.net.example.net. 0/1/0 ns: 
example.net. SOA bar.example.net. tux.example.net. 2005110800 14400 600 
259200 86400 (95) (ttl 30, id 35103, len 123)
13:00:09.600003 10.20.30.56.41631 > bar.example.net.domain: [udp sum ok] 
  65426+ A? foo.example.net. (34) (ttl 30, id 30402, len 62)
13:00:09.600473 bar.example.net.domain > 10.20.30.56.41631: [udp sum ok] 
  65426* q: A? foo.example.net. 1/2/2 foo.example.net. A foo.example.net 
ns: example.net. NS bar2.example.net., example.net. NS bar.example.net. 
ar: bar.example.net. A bar.example.net, bar2.example.net. A 
bar2.example.net (128) (ttl 30, id 35104, len 156)
13:00:09.602076 10.20.30.56.41632 > bar.example.net.domain: [udp sum ok] 
  65427+ AAAA? foo.example.net. (34) (ttl 30, id 30403, len 62)
13:00:09.602478 bar.example.net.domain > 10.20.30.56.41632: [udp sum ok] 
  65427* q: AAAA? foo.example.net. 0/1/0 ns: example.net. SOA 
bar.example.net. tux.example.net. 2005110800 14400 600 259200 86400 (87) 
(ttl 30, id 35105, len 115)
13:00:09.602520 10.20.30.56.41632 > bar.example.net.domain: [udp sum ok] 
  65428+ AAAA? foo.example.net.example.net. (42) (ttl 30, id 30404, len 70)
13:00:09.602894 bar.example.net.domain > 10.20.30.56.41632: [udp sum ok] 
  65428 NXDomain* q: AAAA? foo.example.net.example.net. 0/1/0 ns: 
example.net. SOA bar.example.net. tux.example.net. 2005110800 14400 600 
259200 86400 (95) (ttl 30, id 35106, len 123)

Up to here, Linux contacts my KDC, AIX 5.3 does not. "Cannot resolve network
address for KDC..."

Did I miss something?

cheers,
Christoph

6. kinit(v5): Cannot contact any KDC for requested ...

7. kinit(v5): Cannot contact any KDC for requested......

Hi All,

This is my first email to clug. I hope there's a Kerberos expert on this
list.
I've been battling with Kerberos issues for a couple of days.

I've installed latest kerberos on RH advance server according to
documentation.
Everything seems ok but kerberos client apps like kinit are not working.

I could run kadmin.local. All important principals are created as well.

I logged in as root on the same machine where master kdc is running. I've
setup DNS as well but no success.

I noticed one thing: I did not create principal for  XXXX@XXXXX.COM . When
I ran kinit, this is the message I got in krb4kdc.log file:

Nov 11 15:06:01 kerberos krb5kdc[26446](info): AS_REQ (6 etypes {18 16 23 1
3 2}) 128.1.1.70: CLIENT_NOT_FOUND:  XXXX@XXXXX.COM  for
krbtgt/ XXXX@XXXXX.COM , Client not found in Kerberos database
Nov 11 15:06:01 kerberos krb5kdc[26446](info): DISPATCH: repeated
(retransmitted?) request from 128.1.1.70, resending previous response

When I created this principal, krb5kdc dies silently (no message in log).
It seems like kinit is communicating with kdc but somehow krb5kdc process
crashes.

When I run kinit, kinit complains with this error:
kinit(v5): Cannot contact any KDC for requested realm while getting initial
credentials

Here's my krb5.conf file:
[root@kerberos krb5kdc]# more /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = RTDLINUX.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 RTDLINUX.COM = {
  kdc = kerberos.rtdlinux.com:88
  admin_server = kerberos.rtdlinux.com:749
  default_domain = rtdlinux.com
 }

[domain_realm]
 .rtdlinux.com = RTDLINUX.COM
 rtdlinux.com = RTDLINUX.COM


[kdc]
 profile = /usr/local/var/krb5kdc/kdc.conf

[pam]
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false

Here's kdc.conf file contents:
[root@kerberos krb5kdc]# more /usr/local/var/krb5kdc/kdc.conf
[kdcdefaults]
        kdc_ports = 88,750

[realms]
        RTDLINUX.COM = {
                database_name = /usr/local/var/krb5kdc/principal
                admin_keytab = /etc/krb5.keytab
                acl_file = /usr/local/var/krb5kdc/kadm5.acl
                key_stash_file = /usr/local/var/krb5kdc/.k5.RTDLINUX.COM
                kadmin_port = 749
                kdc_ports = 88,750
                max_life = 10h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                master_key_type = des3-hmac-sha1
                supported_enctypes = des3-hmac-sha1:normal
des-cbc-crc:normal
        }

These are the principals:
K/ XXXX@XXXXX.COM 
kadmin/ XXXX@XXXXX.COM 
kadmin/ XXXX@XXXXX.COM 
kadmin/ XXXX@XXXXX.COM 
krbtgt/ XXXX@XXXXX.COM 
muzaffar/ XXXX@XXXXX.COM 
 XXXX@XXXXX.COM 

Please help me if anybody has any clue.

Thanks in advance.
_________________________________________________________
Muzaffar Sultan--Telvent
 XXXX@XXXXX.COM 
Ph: (403)-301-5020
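The krb5kdc.log lines quoted in this post (an AS_REQ with its etype list, client address and CLIENT_NOT_FOUND status, followed by a DISPATCH retransmit notice) are the evidence that the client did reach the KDC. The block below is an added example, not a tool from MIT Kerberos or from the poster: it parses that log format into records and summarises failed AS_REQs per client address, flagging an address that asks for several different non-existent principals, which is what a defender watching a KDC log for probing would want surfaced. The log lines and principal names are constructed to match the format shown above.

```python
"""Parse krb5kdc AS_REQ log lines and summarise failures per client.
Added example; SAMPLE_LOG is constructed to match the format on this page."""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, Optional

# Common syslog-style prefix: "Nov 11 15:06:01 kerberos krb5kdc[26446](info): "
PREFIX = (r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
          r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): ")
AS_REQ_RE = re.compile(
    PREFIX + r"AS_REQ \(\d+ etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<client>[0-9a-fA-F.:]+): (?P<status>[A-Z_]+): (?P<rest>.*)$")
# Failure form: "<cname> for <sname>, <message>" (ISSUE lines use a different tail
# and are kept with cname/sname unset).
FAIL_RE = re.compile(r"^(?P<cname>\S+) for (?P<sname>\S+), (?P<msg>.*)$")
RETRANS_RE = re.compile(
    PREFIX + r"DISPATCH: repeated \(retransmitted\?\) request from (?P<client>[0-9a-fA-F.:]+)")


def parse_line(line: str) -> Optional[dict]:
    """Return a record for an AS_REQ or retransmit line, None for anything else."""
    m = AS_REQ_RE.match(line)
    if m:
        rec = {"kind": "AS_REQ", "client": m["client"], "status": m["status"],
               "etypes": [int(e) for e in m["etypes"].split()],
               "cname": None, "sname": None, "msg": m["rest"]}
        f = FAIL_RE.match(m["rest"])
        if f:
            rec.update(cname=f["cname"], sname=f["sname"], msg=f["msg"])
        return rec
    m = RETRANS_RE.match(line)
    if m:
        return {"kind": "RETRANSMIT", "client": m["client"]}
    return None


def summarize(lines: Iterable[str], enum_threshold: int = 3) -> Dict[str, object]:
    """Per-client status counts, retransmit counts, and clients that requested
    at least enum_threshold distinct unknown principals."""
    per_client: Dict[str, Counter] = defaultdict(Counter)
    unknown_names: Dict[str, set] = defaultdict(set)
    retransmits: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "RETRANSMIT":
            retransmits[rec["client"]] += 1
            continue
        per_client[rec["client"]][rec["status"]] += 1
        if rec["status"] == "CLIENT_NOT_FOUND" and rec["cname"]:
            unknown_names[rec["client"]].add(rec["cname"])
    suspicious = sorted(c for c, names in unknown_names.items() if len(names) >= enum_threshold)
    return {"per_client": {c: dict(s) for c, s in per_client.items()},
            "retransmits": dict(retransmits),
            "many_unknown_clients": suspicious}


# Constructed log lines in the format quoted above (principals are made up).
SAMPLE_LOG = """\
Nov 11 15:06:01 kerberos krb5kdc[26446](info): AS_REQ (6 etypes {18 16 23 1 3 2}) 128.1.1.70: CLIENT_NOT_FOUND: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Nov 11 15:06:01 kerberos krb5kdc[26446](info): DISPATCH: repeated (retransmitted?) request from 128.1.1.70, resending previous response
Nov 11 15:06:05 kerberos krb5kdc[26446](info): AS_REQ (6 etypes {18 16 23 1 3 2}) 128.1.1.70: CLIENT_NOT_FOUND: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Nov 11 15:06:09 kerberos krb5kdc[26446](info): AS_REQ (6 etypes {18 16 23 1 3 2}) 128.1.1.70: CLIENT_NOT_FOUND: carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Nov 11 15:07:00 kerberos krb5kdc[26446](info): AS_REQ (6 etypes {18 16 23 1 3 2}) 128.1.1.71: NEEDED_PREAUTH: dave@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

The retransmit counter is the detail that matters for the question in this post: a DISPATCH "repeated request" entry right after an AS_REQ means the client never received, or could not process, the first reply, which points at the return path or at the KDC process rather than at name resolution.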

8. Cannot contact any KDC for requested realm (error 156)