kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting initial credentials

Thomas Schweikle

Jan 25, 2011, 11:54:16 AM
Hi!

I have set up a kerberos server srv.example.com. This server has
address 192.168.180.30. Address resolution works fine on the server
and client:

srv.example.com:
# host srv
srv.example.com has address 192.168.180.30
# host 192.168.180.30
30.180.168.192.in-addr.arpa domain name pointer srv.example.com.
# host client
client.example.com has address 192.168.180.6
# host 192.168.180.6
6.180.168.192.in-addr.arpa domain name pointer client.example.com
#

client.example.com:
# host srv
srv.example.com has address 192.168.180.30
# host 192.168.180.30
30.180.168.192.in-addr.arpa domain name pointer srv.example.com.
# host client
client.example.com has address 192.168.180.6
# host 192.168.180.6
6.180.168.192.in-addr.arpa domain name pointer client.example.com
#

Now from the server:
# kinit user
kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting
initial credentials

and from the client:
# kinit user
kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting
initial credentials

I am a bit lost what's going on here. In /etc/krb5.conf I have:
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_kdc = true
dns_lookup_realm = true

# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

[realms]
EXAMPLE.COM = {
kdc = srv.example.com
admin_server = srv.example.com
default_domain = example.com
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

[login]
krb4_convert = true
krb4_get_tickets = false

[logging]
default = FILE:/var/log/kerberos/krb5lib.log

The dns-server returns for srv-queries:
# host -t srv _kerberos._tcp.example.com
_kerberos._tcp.example.com has SRV record 0 5 88 srv.example.com.

I'm a bit lost now. Turning dns_lookup_kdc on/off doesn't help.
kinit just keeps telling me It could not contact any kdc for this
realm (EXAMPLE.COM).

Any ideas?

--
Thomas

Brian Candler

Jan 25, 2011, 5:06:00 PM
to Thomas Schweikle, kerb...@mit.edu
On Tue, Jan 25, 2011 at 05:54:16PM +0100, Thomas Schweikle wrote:
> kinit just keeps telling me It could not contact any kdc for this
> realm (EXAMPLE.COM).
>
> Any ideas?

Is your KDC running? Is your KDC firewalled off?

Try running tcpdump udp port 88 on both client and server, then kinit.

Regards,

Brian.
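
The two questions above (is the KDC running, is it firewalled off) can be told apart from the client by how a connection to port 88 fails. The following Python script is an added example, not part of the original thread: it reads the kdc entries from a krb5.conf like the one posted above and probes TCP port 88. The function names are hypothetical and the sample config is constructed from the post.

```python
import socket

# Constructed sample: the relevant stanzas of the krb5.conf posted above.
SAMPLE_CONF = """\
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = srv.example.com
admin_server = srv.example.com
}
"""

def kdcs_for_realm(conf_text, realm):
    """Return [(host, port)] for every 'kdc =' line of realm (default port 88)."""
    section, current, found = None, None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "realms" and line.endswith("{"):
            current = line.split("=")[0].strip()
        elif line.startswith("}"):
            current = None
        elif section == "realms" and current == realm:
            key, _, value = line.partition("=")
            if key.strip() == "kdc":
                host, _, port = value.strip().partition(":")
                found.append((host, int(port or 88)))
    return found

def probe_tcp(host, port, timeout=3.0):
    """Classify how a TCP connection to host:port ends."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # something accepts connections on the port
    except ConnectionRefusedError:
        return "refused"           # host answered, no TCP listener (KDC down or UDP-only)
    except socket.timeout:
        return "timeout"           # no answer at all: typical of a filter dropping packets
    except socket.gaierror:
        return "unresolvable"      # name lookup failed before any packet was sent
    except OSError:
        return "unreachable"       # routing or ICMP-level failure

if __name__ == "__main__":
    for host, port in kdcs_for_realm(SAMPLE_CONF, "EXAMPLE.COM"):
        print(f"{host}:{port} -> {probe_tcp(host, port)}")
```

A "timeout" result is the case where the tcpdump comparison helps: packets that leave the client but never show up in the capture on the server point at a filter in between.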

Thomas Schweikle

Jan 26, 2011, 4:17:13 PM

kdc was running, no firewall settings, tcpdump on port 88 on client
and server gave communication between both.

At last I decided to reboot the server. After that it worked again :(

Looks a lot like Ubuntu is more and more some sort of Windows ;)


--
Thomas

Done

Jun 24, 2013, 3:57:01 AM
to kerb...@mit.edu
How can I know if the KDC is running and if the KDC is firewalled off?

Done

Jul 9, 2013, 10:03:50 PM
to kerb...@mit.edu
It's nothing to do with the firewall. I tried samba 2:3.5.6 and samba
2:3.6.6-2.
All kinds of small tips should notice. Good luck to all.