
Help : Can not contact KDC


Abhishek Rahirikar

Feb 9, 2008, 5:10:54 AM
to kerb...@mit.edu

Hi, there,
I set up an MIT Kerberos 5 master kdc on a pc in a private domain. I have
/etc/hosts mapping hostname of the pc to its ip address and
/etc/krb5.conf pointing kdc to the host name, which I believe
correctly set.
The problem is that, I can do kadmin.local but I just couldn't do
kadmin. It always complains:
kadmin: Cannot contact any KDC for requested realm while initializing
kadmin interface
kinit with no parameters reports the similar error:
kinit(v5): Cannot contact any KDC for requested realm while getting
initial credentials
I have also tried putting direct IP of the kdc in krb5.conf file.
But error is the same.
Please help me. I am new to kerberos.
Thank you.
Abhishek



Kevin S. Sumner

Feb 9, 2008, 1:02:51 PM
to Abhishek Rahirikar, kerb...@mit.edu
Some diagnostics I can think of at the moment:
- Check to see if kadmin is in the process list on your KDC and that it
has its port open to the outside world.
- Check to see if the client has the correct entry for admin_server in
krb5.conf.
- Check firewall rules on the client and the server. If I remember
correctly, kadmind runs on port 749/tcp.

nmap, netstat, and lsof will be a lot of help. You can get most of
these from a popular Linux distribution, or compile them from source on most
Unices. There's also a netstat implementation in Windows and a native
compile of nmap for Windows too.

strace, ktrace/kdump, etc. would be my last line.

Hope this helps!
Kevin
-----
Kevin Sumner
ksu...@physics.unc.edu
(919) 962-6494
Assistant Systems Administrator
Physics and Astronomy Networking Infrastructure and Computing
University of North Carolina at Chapel Hill



Abhishek Rahirikar

Feb 10, 2008, 3:51:50 AM
to Kevin S. Sumner, kerb...@mit.edu

Hi Kevin,
Thanks for the reply.
I tried to look for kadmind, it is running on server.
By doing nmap I am getting 749/tcp as open and service is
Kerberos-adm.
But default port for KDC is 88, and if I use netstat for port 88 then
the port is shown as closed. That means the KDC is not listening on
port 88. Am I correct?
So how can I handle this situation? In my krb5.conf I have set kdc
port to 88 only.
(kdc= kdc.example.com:88 )
How should I make KDC listen on port 88? Or if any other setting is
required?
Thanks for the help,
Abhishek

Abhishek Rahirikar

Feb 11, 2008, 10:25:20 PM
to govi...@us.ibm.com, Kerberos

Hi Priya,
Yes, sorted out the problem yesterday at last. The problem was
with the firewall only.
I stopped firewall with "service iptables stop" on both kdc and
client. And now I can have ticket with the command kinit.
What can we do instead of stopping firewall to work with the
kdc?
Thank you,
Abhishek

--- On Tue, 12/2/08, govi...@us.ibm.com <govi...@us.ibm.com> wrote:

From: govi...@us.ibm.com <govi...@us.ibm.com>
Subject: Re: Help : Can not contact KDC
To: me_rah...@yahoo.co.in
Date: Tuesday, 12 February, 2008, 8:14 AM
You might have to check your firewall settings.
- Priya


Priya Govindarajan

Feb 12, 2008, 12:19:17 AM
to me_rah...@yahoo.co.in, Kerberos
Try authenticating (i.e entering your username and password) with the
firewall instead of stopping it.

- Priya


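Added example, not part of any post in this thread: for the question of what to do instead of stopping iptables, this sketch reads the kdc and admin_server entries from krb5.conf and prints narrowly scoped ACCEPT rules for the KDC host. The realm, host name and client subnet 192.0.2.0/24 are constructed placeholders, and the helper names `krb_ports` and `krb_fw_rules` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (does not apply) iptables rules
# for the KDC host, derived from the kdc/admin_server entries in krb5.conf.

# Constructed sample; realm, host name and client subnet are placeholders.
SAMPLE_CONF='[realms]
 EXAMPLE.COM = {
  kdc= kdc.example.com:88
  admin_server = kdc.example.com
 }'

# krb_ports CONF REALM -> one "service port" line per entry.
# Entries without a port get the defaults: 88 (KDC), 749 (kadmind).
# Host names and IPv4 addresses only; IPv6 literals are not handled.
krb_ports() {
  awk -v realm="$2" '
    { gsub(/=/, " = ") }                 # accept "kdc= host" and "kdc = host"
    $1 == realm && $3 == "{" { inside = 1; next }
    inside && $1 == "}"      { inside = 0 }
    inside && ($1 == "kdc" || $1 == "admin_server") {
      n = split($3, hp, ":")
      print $1, (n > 1 ? hp[2] : ($1 == "kdc" ? 88 : 749))
    }' "$1"
}

# krb_fw_rules CONF REALM CLIENT_NET -> iptables commands on stdout.
krb_fw_rules() {
  krb_ports "$1" "$2" | sort -u | while read -r svc port; do
    case "$svc" in
      kdc)           # ticket requests (kinit) use 88/udp and 88/tcp
        echo "iptables -I INPUT -s $3 -p udp --dport $port -j ACCEPT"
        echo "iptables -I INPUT -s $3 -p tcp --dport $port -j ACCEPT" ;;
      admin_server)  # kadmin reaches kadmind over tcp
        echo "iptables -I INPUT -s $3 -p tcp --dport $port -j ACCEPT" ;;
    esac
  done
}

# Stand-alone run on the constructed sample.
conf=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$conf"
krb_fw_rules "$conf" EXAMPLE.COM 192.0.2.0/24
rm -f "$conf"
```

The printed commands are meant to be reviewed and then run as root on the KDC. A TCP-only port scan does not show whether 88/udp is reachable, so check both protocols after applying them.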
