
"Cannot contact any KDC for requested realm" when using ldapsearch


Braden McDaniel

Feb 27, 2012, 12:38:32 AM
to kerb...@mit.edu
I'm trying to configure Kerberos authentication with OpenLDAP. kinit
appears to work fine. However, I get this when using ldapsearch:

$ ldapsearch -H ldaps://ldap.endoframe.net -b dc=endoframe,dc=net
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for requested realm)

krb5kdc.log has entries like this in it:

Feb 27 00:23:31 rail.endoframe.net krb5kdc[13220](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: SERVER_NOT_FOUND: braden/ad...@ENDOFRAME.NET for kadmin/rail.endo...@ENDOFRAME.NET, Server not found in Kerberos database
Feb 27 00:23:31 rail.endoframe.net krb5kdc[13220](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: ISSUE: authtime 1330320211, etypes {rep=18 tkt=18 ses=18}, braden/ad...@ENDOFRAME.NET for kadmin/ad...@ENDOFRAME.NET
Feb 27 00:25:13 rail.endoframe.net krb5kdc[13220](info): TGS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: ISSUE: authtime 1330319881, etypes {rep=18 tkt=18 ses=18}, bra...@ENDOFRAME.NET for krbtgt/ENDOFR...@ENDOFRAME.NET
Feb 27 00:25:13 rail.endoframe.net krb5kdc[13220](info): TGS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: ISSUE: authtime 1330319881, etypes {rep=18 tkt=18 ses=18}, bra...@ENDOFRAME.NET for krbtgt/ENDOFR...@ENDOFRAME.NET

Obviously, the first one there looks rather suspicious. But even after
adding (and ktadd'ing) that principal:

kadmin: listprincs
K/M...@ENDOFRAME.NET
braden/ad...@ENDOFRAME.NET
bra...@ENDOFRAME.NET
host/rail.endo...@ENDOFRAME.NET
kadmin/ad...@ENDOFRAME.NET
kadmin/chan...@ENDOFRAME.NET
kadmin/his...@ENDOFRAME.NET
kadmin/loca...@ENDOFRAME.NET
kadmin/rail.endo...@ENDOFRAME.NET
krbtgt/ENDOFR...@ENDOFRAME.NET
ldap/ldap.endo...@ENDOFRAME.NET
root/ad...@ENDOFRAME.NET

… I still get the above entry in the log file.

My krb5.conf looks like this:

# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = ENDOFRAME.NET
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
ENDOFRAME.NET = {
admin_server = kerberos.endoframe.net
kdc = kerberos.endoframe.net
master_kdc = kerberos
default_domain = endoframe.net
}

[domain_realm]
.endoframe.net = ENDOFRAME.NET
endoframe.net = ENDOFRAME.NET

"rail" is the name of the machine; "kerberos" and "ldap" are aliases for
it. These names appear to be resolving correctly:

[root@rail braden]# ping rail.endoframe.net
PING rail.endoframe.net (127.0.0.1) 56(84) bytes of data.
64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=1 ttl=64 time=0.153 ms
64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=2 ttl=64 time=0.084 ms
64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=3 ttl=64 time=0.085 ms
64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=4 ttl=64 time=0.085 ms
64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=5 ttl=64 time=0.084 ms
64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=6 ttl=64 time=0.085 ms
^C
--- rail.endoframe.net ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5000ms
rtt min/avg/max/mdev = 0.084/0.096/0.153/0.025 ms
[root@rail braden]# ping kerberos.endoframe.net
PING rail.endoframe.net (127.0.0.1) 56(84) bytes of data.
64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=1 ttl=64 time=0.126 ms
64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=2 ttl=64 time=0.085 ms
64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=3 ttl=64 time=0.086 ms
64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=4 ttl=64 time=0.113 ms
64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=5 ttl=64 time=0.086 ms
^C
--- rail.endoframe.net ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 0.085/0.099/0.126/0.018 ms
[root@rail braden]# ping ldap.endoframe.net
PING rail.endoframe.net (127.0.0.1) 56(84) bytes of data.
64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=1 ttl=64 time=0.123 ms
64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=2 ttl=64 time=0.083 ms
64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=3 ttl=64 time=0.081 ms
64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=4 ttl=64 time=0.119 ms
64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=5 ttl=64 time=0.085 ms
^C
--- rail.endoframe.net ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4000ms
rtt min/avg/max/mdev = 0.081/0.098/0.123/0.019 ms

So, where should I be looking to resolve this issue?

--
Braden McDaniel <bra...@endoframe.com>


Russ Allbery

Feb 27, 2012, 1:52:28 AM
to Braden McDaniel, kerb...@mit.edu
Braden McDaniel <bra...@endoframe.com> writes:

> I'm trying to configure Kerberos authentication with OpenLDAP. kinit
> appears to work fine. However, I get this when using ldapsearch:

> $ ldapsearch -H ldaps://ldap.endoframe.net -b dc=endoframe,dc=net
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for requested realm)

> krb5kdc.log has entries like this in it:

> Feb 27 00:23:31 rail.endoframe.net krb5kdc[13220](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: SERVER_NOT_FOUND: braden/ad...@ENDOFRAME.NET for kadmin/rail.endo...@ENDOFRAME.NET, Server not found in Kerberos database
> Feb 27 00:23:31 rail.endoframe.net krb5kdc[13220](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: ISSUE: authtime 1330320211, etypes {rep=18 tkt=18 ses=18}, braden/ad...@ENDOFRAME.NET for kadmin/ad...@ENDOFRAME.NET

Something rather strange is going on here. Are you sure that those log
messages correspond to your ldapsearch attempt and not a separate run of
kadmin?

Normally, ldapsearch should be using the ldap/ldap.endoframe.net principal
(or more likely ldap/rail.endoframe.net). Can you obtain tickets for that
service principal directly using:

kvno ldap/rail.endoframe.net

--
Russ Allbery (r...@stanford.edu) <http://www.eyrie.org/~eagle/>
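A small log check that follows the diagnosis in this reply, added here as an example and not code from either poster: it parses krb5kdc.log request lines in the format quoted in the thread and reports whether the KDC ever saw a TGS_REQ for the ldap/ service principal, and which principals it rejected with SERVER_NOT_FOUND. The log lines, the realm EXAMPLE.NET and the host names in them are constructed for the example.

```python
import re
from collections import Counter

# Matches the AS_REQ / TGS_REQ lines krb5kdc writes, as quoted in the thread.
KDC_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<src>\S+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# Both ISSUE and SERVER_NOT_FOUND lines end with "<client> for <server>".
PRINCIPALS = re.compile(r"(?P<client>\S+@\S+) for (?P<server>[^,\s]+)")

# Constructed sample log (not the poster's real log): a kadmin run that
# asks for a principal the KDC does not have, then a successful TGT and
# an LDAP service ticket for a GSSAPI bind.
SAMPLE_LOG = """\
Feb 27 00:23:31 kdc.example.net krb5kdc[13220](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: SERVER_NOT_FOUND: alice/admin@EXAMPLE.NET for kadmin/kdc.example.net@EXAMPLE.NET, Server not found in Kerberos database
Feb 27 00:23:31 kdc.example.net krb5kdc[13220](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: ISSUE: authtime 1330320211, etypes {rep=18 tkt=18 ses=18}, alice/admin@EXAMPLE.NET for kadmin/admin@EXAMPLE.NET
Feb 27 00:25:13 kdc.example.net krb5kdc[13220](info): TGS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: ISSUE: authtime 1330319881, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.NET for krbtgt/EXAMPLE.NET@EXAMPLE.NET
Feb 27 00:26:02 kdc.example.net krb5kdc[13220](info): TGS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: ISSUE: authtime 1330319881, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.NET for ldap/ldap.example.net@EXAMPLE.NET
"""

def parse_kdc_line(line):
    """Return a dict for one request line, or None if the line is not one."""
    m = KDC_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    p = PRINCIPALS.search(rec.pop("rest"))
    rec["client"] = p.group("client") if p else None
    rec["server"] = p.group("server") if p else None
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]
    return rec

def server_not_found(lines):
    """(client, server) pairs the KDC rejected because the server principal is missing."""
    recs = (parse_kdc_line(l) for l in lines)
    return [(r["client"], r["server"]) for r in recs if r and r["status"] == "SERVER_NOT_FOUND"]

def service_ticket_status(lines, server_principal):
    """Counter of KDC outcomes for TGS_REQs naming server_principal.

    An empty result means the KDC never saw a request for that service, which is
    what a client-side "Cannot contact any KDC" failure leaves behind in the log."""
    c = Counter()
    for line in lines:
        r = parse_kdc_line(line)
        if r and r["req"] == "TGS_REQ" and r["server"] == server_principal:
            c[r["status"]] += 1
    return c

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("missing server principals:", server_not_found(lines))
    print("ldap/ldap.example.net:", service_ticket_status(lines, "ldap/ldap.example.net@EXAMPLE.NET"))
```

Run it against the real log (`service_ticket_status(open("/var/log/krb5kdc.log"), "ldap/<fqdn>@REALM")`) to confirm the ldapsearch bind reached the KDC at all before looking for a principal or keytab problem.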