
Help: Cannot contact any KDC for requested realm


Lee Eric
Jun 24, 2013, 9:26:46 AM
to kerb...@mit.edu
Hi,

I use mod_auth_kerb in Apache for SSO. Here's auth_kerb.conf contents.

LoadModule auth_kerb_module modules/mod_auth_kerb.so

<Location /opendcim>
SSLRequireSSL
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms FOOBAR.COM
KrbVerifyKDC On
Krb5KeyTab /etc/httpd/HTTP-ibm-x3250m3-2.foobar.com.keytab
require valid-user
</Location>

And here's /etc/krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = FOOBAR.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
FOOBAR.COM = {
kdc = kerberos.foobar.com:88
admin_server = kerberos.foobar.com:749
}

[domain_realm]
foobar.com = FOOBAR.COM
.foobar.com = FOOBAR.COM

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

foobar.com is a pseudo domain name in my testing env. When the user
accesses foobar.com/opendcim it prompts a username and password
window. However, after the user's input it prompts that window again.
I checked the log in ssl_error_log and found the following details.

[Mon Jun 24 12:29:24 2013] [error] [client 192.168.122.6]
krb5_get_init_creds_password() failed: Cannot contact any KDC for
requested realm

But user can get his principal in the server by kinit w/o any issue.

Any idea?

Thanks.

Eric

Benjamin Kaduk
Jun 24, 2013, 2:29:09 PM
to Lee Eric, kerb...@mit.edu
Is the user running kinit on the machine hosting foobar.com/opendcim, or
some other machine? If they are different machines, the kinit success
does not say very much; it is the webserver machine which is failing to
contact the KDC.

-Ben Kaduk

Lee Eric
Jun 25, 2013, 12:17:00 AM
to Benjamin Kaduk, kerb...@mit.edu
Hi,

The user did not run kinit because when the user accesses the website it
prompts the user to input a Kerberos username/password. On the web
server, kinit works well.

Do you have any idea?

Thanks.

Benjamin Kaduk
Jun 25, 2013, 4:38:58 PM
to Lee Eric, kerb...@mit.edu
On Tue, 25 Jun 2013, Lee Eric wrote:

> Hi,
>
> The user did not run kinit because when the user accesses the website it
> prompts the user to input a Kerberos username/password. On the web
> server, kinit works well.
>
> Do you have any idea?

Not really. The only thing that immediately comes to mind is whether the
webserver is using a different DNS resolver than kinit.

Maybe someone else on the list has better ideas.

-Ben Kaduk

Benjamin Kaduk
Jun 26, 2013, 12:38:04 PM
to Lee Eric, kerb...@mit.edu
On Wed, 26 Jun 2013, Lee Eric wrote:

> Hi Ben,
>
> Thanks. Just curious, how kinit queries the DNS server? Is it using
> /etc/resolv.conf?

The krb5 library (which is what kinit uses) uses the libc resolver, which
should honor /etc/resolv.conf.

-Ben

Joe Travaglini
Jun 26, 2013, 12:48:26 PM
to Benjamin Kaduk, kerb...@mit.edu
Here are some dumb questions:
Can you ping kerberos.foobar.com from the machine running your webserver?
Is the KDC running on port 88?
Is /etc/krb.conf world readable?
Do you have a kerberos entry in /etc/services?

Joe Travaglini
Jun 26, 2013, 12:50:02 PM
to Benjamin Kaduk, kerb...@mit.edu
Also did you try just "FOOBAR" in KrbAuthRealms in your httpd config?


Roland C. Dowdeswell
Jun 26, 2013, 4:30:27 PM
to Benjamin Kaduk, kerb...@mit.edu
On Wed, Jun 26, 2013 at 12:38:04PM -0400, Benjamin Kaduk wrote:

> On Wed, 26 Jun 2013, Lee Eric wrote:
>
> > Hi Ben,
> >
> > Thanks. Just curious, how kinit queries the DNS server? Is it using
> > /etc/resolv.conf?
>
> The krb5 library (which is what kinit uses) uses the libc resolver, which
> should honor /etc/resolv.conf.

To be precise, it should use the NSS framework and honour
/etc/nsswitch.conf and so on. To test what the host thinks,
you can use the same logic via getent(1) on most platforms
via:

$ getent hosts <hostname>

--
Roland Dowdeswell http://Imrryr.ORG/~elric/
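Joe's checklist and Roland's getent suggestion can be run as one diagnostic on the web server host, which is the machine that matters here: with KrbMethodK5Passwd On, mod_auth_kerb performs the password AS exchange itself (the krb5_get_init_creds_password call in the ssl_error_log line), so httpd, not the browser, has to reach the KDC. The script below is an added example, not code from the thread, from mod_auth_kerb or from MIT krb5. It parses the realm's kdc = entries out of krb5.conf, checks that the file is world-readable (an unprivileged httpd worker cannot see a root-only file), resolves each KDC through getaddrinfo(3), which is the same libc/NSS path getent hosts exercises, and attempts a TCP connect to the KDC port. The config path and realm are command-line arguments; SAMPLE_KRB5_CONF is a constructed copy of the thread's [realms] block used for an offline self-check. It only tries TCP, so a KDC answering on UDP alone would show as unreachable here even though kinit succeeds.

```python
#!/usr/bin/env python3
"""Added diagnostic for "Cannot contact any KDC for requested realm", meant to
run on the web server host. Not from the thread, mod_auth_kerb or MIT krb5."""
import os
import re
import socket
import sys

DEFAULT_KDC_PORT = 88  # IANA kerberos port; a kdc line may append :port


def parse_kdcs(conf_text, realm):
    """Return [(host, port), ...] from the kdc = lines of `realm` in [realms].

    Understands the brace layout of the thread's krb5.conf; every other
    section is skipped. Bracketed IPv6 literals are not handled. This is a
    diagnostic parser, not the full krb5.conf grammar."""
    kdcs = []
    section, in_realm = None, False
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section, in_realm = m.group(1), False
            continue
        if section != 'realms':
            continue
        m = re.match(r'^([^\s=]+)\s*=\s*\{$', line)
        if m:
            in_realm = m.group(1).upper() == realm.upper()
            continue
        if line == '}':
            in_realm = False
            continue
        m = re.match(r'^kdc\s*=\s*(\S+)$', line)
        if in_realm and m:
            host, sep, port = m.group(1).rpartition(':')
            if not sep:                      # bare hostname, no port given
                host, port = port, DEFAULT_KDC_PORT
            kdcs.append((host, int(port)))
    return kdcs


def world_readable(path):
    """True if `path` exists and carries the other-read bit, so an
    unprivileged httpd worker can read it."""
    try:
        return bool(os.stat(path).st_mode & 0o004)
    except OSError:
        return False


def resolve(host):
    """Resolve via getaddrinfo(3): the libc/NSS path honouring
    /etc/nsswitch.conf and /etc/resolv.conf, i.e. what `getent hosts` shows."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def tcp_reachable(host, port, timeout=3.0):
    """TCP connect to the KDC port. MIT KDCs normally listen on TCP and UDP
    88; a UDP-only KDC would show as unreachable here."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(conf_path, realm):
    """Run every check for one realm and return the findings as a dict."""
    report = {'conf_readable': world_readable(conf_path), 'kdcs': []}
    with open(conf_path) as f:
        for host, port in parse_kdcs(f.read(), realm):
            addrs = resolve(host)
            report['kdcs'].append({
                'host': host, 'port': port, 'addrs': addrs,
                'tcp_ok': any(tcp_reachable(a, port) for a in addrs),
            })
    return report


# Constructed sample mirroring the thread's [realms] block, plus a second
# realm whose kdc line omits the port, for the offline self-check.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = FOOBAR.COM
[realms]
 FOOBAR.COM = {
  kdc = kerberos.foobar.com:88
  admin_server = kerberos.foobar.com:749
 }
 OTHER.EXAMPLE = {
  kdc = kdc1.other.example
 }
[domain_realm]
 .foobar.com = FOOBAR.COM
"""

if __name__ == '__main__':
    if len(sys.argv) != 3:
        sys.exit('usage: kdc-check.py /etc/krb5.conf REALM')
    r = diagnose(sys.argv[1], sys.argv[2])
    print('krb5.conf world-readable:', r['conf_readable'])
    for k in r['kdcs']:
        print('kdc %s:%d -> %s, tcp %s' % (
            k['host'], k['port'], ', '.join(k['addrs']) or 'UNRESOLVED',
            'ok' if k['tcp_ok'] else 'FAILED'))
```

Run it as the httpd user (for example via su or sudo -u) rather than as root, so the readability and resolver results reflect what mod_auth_kerb actually sees; a resolver that works for root's kinit but not for the daemon is exactly the difference Ben suspected.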