
I'm attempting to connect Kerio to an Open Directory instance. I'm using kinit to test the setup, and I get the following:

$ kinit -V -S host/server.domain.co.uk@server.domain.co.uk igor@server.domain.co.uk
Please enter the password for igor@server.domain.co.uk:
Kerberos Login Failed: Cannot resolve network address for KDC in requested realm

This occurs, even though I am 100% sure that the password is correct. Either way, I am more concerned with regards to the part of the message that says

Kerberos Login Failed: Cannot resolve network address for KDC in requested realm

From the server running OD, and a second in house server I get the same error message. I can dig and ping server.domain.co.uk correctly from both servers, so it boggles my mind what could be wrong.

I need this to be working before I can move forward and connect up the Kerio instance to my OD.

edu.mit.kerberos

[libdefaults]
    default_realm = SERVER.domain.CO.UK
[realms]
    SERVER.domain.CO.UK = {
        admin_server = server.domain.co.uk
        kdc = server.domain.co.uk
    }
[domain_realm]
    domain.co.uk = SERVER.domain.CO.UK
    .domain.co.uk = SERVER.domain.CO.UK
[logging]
    admin_server = FILE:/var/log/krb5kdc/kadmin.log
    kdc = FILE:/var/log/krb5kdc/kdc.log

SERVER is the real hostname of the machine in question, and domain.co.uk stands in for my FQDN.

Thanks for any assistance.

Mister IT Guru

6 Answers

2

It looks like your REALM and KDC declarations might be a little off.

I could be wrong, but I'm thinking instead of

[libdefaults]
    default_realm = SERVER.domain.CO.UK
[realms]
    SERVER.domain.CO.UK = {
        admin_server = server.domain.co.uk
        kdc = server.domain.co.uk
    }

You'd want to put

[libdefaults]
    default_realm = domain.CO.UK
[realms]
    domain.CO.UK = {
        admin_server = server.domain.co.uk
        kdc = server.domain.co.uk
    }

Univ426
  • I thought that it should be like that!? Why does the Apple wizard/help app set it up wrongly? – Mister IT Guru May 25 '12 at 11:48
  • Yeah, I can understand *that* feeling. I've always had mixed success with the various wizards and configuration tools too, unfortunately. It's always so tempting to not have to open the actual file; unfortunately, that's usually what ends up needing to be done anyway. Hope that helps! – Univ426 May 25 '12 at 14:27
  • I've manually made the changes to this file and restarted the server. It came back up running the same configuration as it previously was. Using the Server Admin tool, it still claims the realm is server.domain.co.uk? I've edited the correct config file in /Library/Preferences; is there another place that the configuration is taken from?? I'm running 10.5.8. I'm starting to tear my hair out with this one! – Mister IT Guru Jun 14 '12 at 12:39
2

The Kerberos principal is username@realm, not username@domain, and the realm is case-sensitive, so please try your kinit for igor@SERVER.domain.CO.UK, capitalized exactly the way you have the realm capitalized in your conf.

The subtle distinction between server and realm is why your error is so hard to interpret - what it's trying to say is "I don't know what the server address would be for that REALM - I can't match that REALM to anything in the conf file."

Nada
  • Nada's right about that too. – Univ426 May 29 '12 at 18:44
  • When I use the setup in the config file to run kinit on a desktop computer, I still get an authentication error, but on the server itself, when using the Kerberos utility, it authenticates locally, so I'm wondering which bit is broken... – Mister IT Guru Jun 14 '12 at 12:42
  • I think your kinit command is broken. If your config is exactly like in your question, you must do igor@SERVER.domain.CO.UK , with exactly that capitalization. If you have already tried that and are still having problems, please confirm that your config file above is exactly correct and please confirm what kinit command you're using. – Nada Jun 14 '12 at 14:30
  • I'm using kinit from my MacBook terminal (remote) and the server terminal (local); both fail, even when using one that I know the password to. – Mister IT Guru Jun 15 '12 at 09:54
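As an added illustration (not code from anyone in this thread), the Python check below mimics how the Kerberos library picks a KDC for a principal's realm from a krb5.conf: it parses a constructed copy of the asker's config and shows that igor@server.domain.co.uk matches no declared realm (the "Cannot resolve network address for KDC in requested realm" condition) while igor@SERVER.domain.CO.UK resolves to the declared kdc. Section and key names are real krb5.conf ones; the parser itself is a simplification written for this example.

```python
import re

# Constructed copy of the asker's edu.mit.kerberos / krb5.conf file.
KRB5_CONF = """
[libdefaults]
    default_realm = SERVER.domain.CO.UK
[realms]
    SERVER.domain.CO.UK = {
        admin_server = server.domain.co.uk
        kdc = server.domain.co.uk
    }
[domain_realm]
    domain.co.uk = SERVER.domain.CO.UK
    .domain.co.uk = SERVER.domain.CO.UK
"""


def parse_krb5_conf(text):
    """Parse the subset of krb5.conf syntax used above into nested dicts
    (simplified parser written for this example, not libkrb5's profile code)."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                 # [section] header
            section = conf.setdefault(m.group(1), {})
            realm = None
            continue
        if line.endswith("{"):                # "REALM = {" opens a realm block
            realm = section.setdefault(line[:-1].strip(" ="), {})
            continue
        if line == "}":
            realm = None
            continue
        key, _, value = line.partition("=")
        (realm if realm is not None else section)[key.strip()] = value.strip()
    return conf


def find_kdc(conf, principal):
    """Return the KDC for the principal's realm, or None when the realm is
    not declared and dns_lookup_kdc is off (the thread's error condition).
    Realm names are compared case-sensitively, as Kerberos does."""
    libdefaults = conf.get("libdefaults", {})
    realm = principal.rsplit("@", 1)[1] if "@" in principal else libdefaults["default_realm"]
    entry = conf.get("realms", {}).get(realm)
    if entry and "kdc" in entry:
        return entry["kdc"]
    dns_ok = libdefaults.get("dns_lookup_kdc", "false").lower() == "true"
    return "<DNS SRV lookup for %s>" % realm if dns_ok else None
```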
0
[libdefaults]
default_realm = domain.CO.UK

[realms]
domain.CO.UK = {
  admin_server = server.domain.co.uk
  kdc = server.domain.co.uk
}
slm
0

Add this to krb5.ini:

dns_lookup_kdc = true
splattne
0

Answering old questions:

This issue, IIRC, turned out to be a combination of things:

  • DNS for the domain was broken
  • The OS X Server was borked: updates were not getting through, and service configuration was mysteriously disappearing
  • There were three clones of the same server instance running on the same wire, but for three different companies, all using the same domain names
  • and the kicker: "connected together via a communal wifi"

Once we found we offered network management services to everyone sharing that space, we discovered that they shared a fibre connection, with all their routers patched to each other for 'failover' reasons.

This was the point that caused each company separate issues - until we rebuilt the lot :)

Mister IT Guru
0

Just fell into the same situation on Debian GNU/Linux jessie. The resolver inside kinit just did not work. strace shows kinit asking avahi-daemon via lib-mdns. I removed avahi and kinit started working. To summarize: either remove avahi-daemon or configure it properly.

Anton