You are not logged in.

#1 2022-07-30 16:51:06

Minecraftchest01
Member
Registered: 2021-06-29
Posts: 4

[RESOLVED] Cannot contact any KDC for realm

Hello. I am looking for help with Kerberos and FreeIPA, specifically the client side of it. I have a FreeIPA server running in a VM on my LAN with Kerberos working on it locally, so I don't think that it where my problem is. I also have another VM on my LAN with Arch Linux which I am using for testing stuff that may break the system which I am trying to get to login with FreeIPA. I have been following https://wiki.archlinux.org/title/FreeIPA on a fresh install, and I am having difficulties with the `kinit` command.

The problem that I am having is that when I run kinit admin, it sits for a few seconds, them exits with an error message.

Output of

KRB5_TRACE=/dev/stdout kinit admin

:

123456789[423] 1659197814.878661: Getting initial credentials for admin@LAB.FAMILYOFJACKSONS.COM
[423] 1659197814.878663: Sending unauthenticated request
[423] 1659197814.878664: Sending request (209 bytes) to LAB.FAMILYOFJACKSONS.COM
[423] 1659197814.878665: Resolving hostname freeipa.lab.familyofjacksons.com
[423] 1659197814.878666: Sending initial UDP request to dgram 192.168.1.224:749
[423] 1659197814.878667: Initiating TCP connection to stream 192.168.1.224:749
[423] 1659197814.878668: Sending TCP request to stream 192.168.1.224:749
[423] 1659197838.906248: Terminating TCP connection to stream 192.168.1.224:749
kinit: Cannot contact any KDC for realm 'LAB.FAMILYOFJACKSONS.COM' while getting initial credentials

My /etc/sssd/sssd.conf file: https://bucket.arsrobotics.org/minecraf … 925597762e
My /etc/krb5.conf file: https://bucket.arsrobotics.org/minecraf … 4bdc63c9ea

Output of

dig -t srv _ldap._tcp.lab.familyofjacksons.com

:

12345678910111213141516171819202122; <<>> DiG 9.18.5 <<>> -t srv _ldap._tcp.lab.familyofjacksons.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32498
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 051b84665380ec480100000062e559e4246c929649b78661 (good)
;; QUESTION SECTION:
;_ldap._tcp.lab.familyofjacksons.com. IN        SRV

;; ANSWER SECTION:
_ldap._tcp.lab.familyofjacksons.com. 86400 IN SRV 0 100 389 freeipa.lab.familyofjacksons.com.

;; ADDITIONAL SECTION:
freeipa.lab.familyofjacksons.com. 1200 IN A     192.168.1.224

;; Query time: 0 msec
;; SERVER: 192.168.1.224#53(192.168.1.224) (UDP)
;; WHEN: Sat Jul 30 16:18:44 UTC 2022
;; MSG SIZE  rcvd: 160

Output of

dig -t srv _kerberos._udp.lab.familyofjacksons.com

:

12345678910111213141516171819202122; <<>> DiG 9.18.5 <<>> -t srv _kerberos._udp.lab.familyofjacksons.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5478
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 86cbf796d7cbc63a0100000062e55a0f72b827269f727601 (good)
;; QUESTION SECTION:
;_kerberos._udp.lab.familyofjacksons.com. IN SRV

;; ANSWER SECTION:
_kerberos._udp.lab.familyofjacksons.com. 86400 IN SRV 0 100 88 freeipa.lab.familyofjacksons.com.

;; ADDITIONAL SECTION:
freeipa.lab.familyofjacksons.com. 1200 IN A     192.168.1.224

;; Query time: 0 msec
;; SERVER: 192.168.1.224#53(192.168.1.224) (UDP)
;; WHEN: Sat Jul 30 16:19:27 UTC 2022
;; MSG SIZE  rcvd: 164

I have ensured that the firewall isn't blocking the required ports (it was previously which was causing a connection termination immediately, now fixed), that the required ports are being listened on by the server, and have even gone as far as to temporally turn off the firewall on the server. This hasn't fixed the problem.
.
I have also downloaded the servers TLS cert and ensured that they are installed, and generated the keytab and installed it on the client.

Last edited by Minecraftchest01 (2022-08-01 14:41:43)

Offline

#2 2022-07-30 16:53:34

Minecraftchest01
Member
Registered: 2021-06-29
Posts: 4

Re: [RESOLVED] Cannot contact any KDC for realm

sudo tail -n 50 /var/log/krb5kdc.log
Jul 30 01:19:25 archlinux krb5kdc[1068](Error): Cannot open DB2 database '/var/lib/krb5kdc/principal': No such file or directory - while initializing database for realm LAB.FAMILYOFJACKSONS.COM

Last edited by Minecraftchest01 (2022-07-30 16:53:55)

Offline

#3 2022-07-31 10:45:55

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,868

Re: [RESOLVED] Cannot contact any KDC for realm

https://wiki.archlinux.org/title/Kerber … figuration

Verify you have created the database and added principals .


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)

Offline

#4 2022-08-01 14:26:48

Minecraftchest01
Member
Registered: 2021-06-29
Posts: 4

Re: [RESOLVED] Cannot contact any KDC for realm

The issue is on the client, not the server. The server works. Fine.

Offline

#5 2022-08-01 14:41:11

Minecraftchest01
Member
Registered: 2021-06-29
Posts: 4

Re: [RESOLVED] Cannot contact any KDC for realm

I solved it. I copied the kerbose config file from my server, edited it locally on the client to remove any server specific stuff (such as plugins, includes, dbmodules, pool locations, etc), and put it in place of the old configuration file I was using earlier (after making a backup of the old file of course), and now it works. I think perhaps I either missed an important configuration option, or it didn't like the way I formatted the file, but now it works.

Offline

Board footer

Powered by FluxBB