
I am going nuts here trying to debug a problem.

I need to connect this Linux box to an AD domain through Kerberos.

Here is my krb5.conf:

[libdefaults]
   default_realm=OURDOMAIN.COM
   dns_lookup_realm=true
   dns_lookup_kdc=true
   ticket_lifetime=24h
   forwardable = true
   proxiable = true

[realms]
   OURDOMAIN.COM = {
       kdc = VSH002.OURDOMAIN.COM:88
       admin_server = VSH002.OURDOMAIN.COM:749
       default_domain = OURDOMAIN.COM
   }

[domain_realm]
   .ourdomain.com=OURDOMAIN.COM
   ourdomain.com=OURDOMAIN.COM

Now /etc/hosts:

 10.1.10.51 VSH002.OURDOMAIN.COM VSH002 vsh002

And resolv.conf:

domain ourdomain.com
search ourdomain.com
nameserver 10.1.10.51

The command kinit user@OURDOMAIN.COM works just fine.

Also, klist -ke shows the correct principal.

kinit -V also connects successfully.

The problem: after I generate the keytab with ktpass on the Active Directory side and try to connect using

 kinit -k

I get:

Cannot resolve network address for KDC in realm while getting initial credentials.

The network address cannot be resolved? How is that possible?

Can someone help?

Thank You, Eugene.

Eugene

2 Answers

When using kinit with a keytab it is necessary to provide the principal you wish to authenticate as. This is probably because keytabs can contain more than one principal.

[root@dhcp2 ~]# kinit -k
kinit(v5): Cannot resolve network address for KDC in realm  while getting initial credentials
[root@dhcp2 ~]# kinit -k  host/dhcp2.domain.tld
[root@dhcp2 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/dhcp2.domain.tld@DOMAIN.TLD

Valid starting     Expires            Service principal
07/29/12 19:27:49  07/30/12 07:27:49  krbtgt/DOMAIN.TLD@DOMAIN.TLD
        renew until 07/30/12 19:27:49


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
84104
  • Thanks! That is indeed a problem. But it does not solve my problem yet. This had to do with the keytab file; now I am not using it at all and it still fails. Can you please look at this: http://serverfault.com/questions/412555/kerberos-realm-not-visible-with-klist – Eugene Jul 30 '12 at 15:04
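The point of the answer above is that a keytab may hold several principals, so "kinit -k" has to be told which one to use. The following shell script is an added example, not part of the original answer: it reads the output of "klist -kte" (here a constructed sample; the hostnames, KVNOs and enctypes are assumptions), lists the distinct principals, and builds the exact kinit invocation for the one service you want.

```shell
#!/bin/sh
# Added example (not from the original post): pick the principal to pass to
# "kinit -k" from a keytab listing, because a keytab may hold several
# principals and MIT kinit needs to be told which one to use.
#
# SAMPLE_KLIST is constructed to look like "klist -kte /etc/krb5.keytab"
# output; the hostnames, KVNOs and enctypes are assumptions for this demo.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 07/29/12 19:00:00 host/dhcp2.domain.tld@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   3 07/29/12 19:00:00 host/dhcp2.domain.tld@DOMAIN.TLD (arcfour-hmac)
   3 07/29/12 19:00:00 HTTP/dhcp2.domain.tld@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   2 07/20/12 10:00:00 nfs/dhcp2.domain.tld@DOMAIN.TLD (arcfour-hmac)'

# keytab_principals: read klist -kte output on stdin and print each distinct
# principal once. Entry lines start with a numeric KVNO; the principal is the
# 4th whitespace-separated field (KVNO, date, time, principal, enctype).
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $4 }' | sort -u
}

# pick_principal SERVICE: from klist output on stdin, print the single
# principal whose service part is SERVICE (e.g. "host"). Fails when there is
# no such principal or more than one, so a script never guesses.
pick_principal() {
    service=$1
    matches=$(keytab_principals | grep "^${service}/")
    count=$(printf '%s\n' "$matches" | grep -c .)
    [ "$count" -eq 1 ] || return 1
    printf '%s\n' "$matches"
}

# kinit_cmd KEYTAB SERVICE: print the exact kinit invocation to run, with the
# keytab path and the principal spelled out explicitly.
kinit_cmd() {
    keytab=$1
    princ=$(pick_principal "$2") || return 1
    printf 'kinit -k -t %s %s\n' "$keytab" "$princ"
}

# Stand-alone demonstration: show what the keytab holds, then the command to
# obtain a TGT as the host principal. A bare "kinit -k" would have to guess
# among four entries belonging to three different principals.
printf '%s\n' "$SAMPLE_KLIST" | keytab_principals
printf '%s\n' "$SAMPLE_KLIST" | kinit_cmd /etc/krb5.keytab host
```

On a real machine replace the constructed sample with `klist -kte /etc/krb5.keytab | kinit_cmd /etc/krb5.keytab host` and run the printed command; a keytab created by ktpass for a service account will usually contain exactly one principal, but a keytab joined to AD by a host can carry several, which is why the selection refuses to proceed on an ambiguous match.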
dns_lookup_kdc=true means that kinit will look up the SRV records in DNS.

Do you have the SRV records in the DNS server that your server is using for the domain/domain controller?

_kerberos.VSH002.OURDOMAIN.COM for port 88
_ldap.VSH002.OURDOMAIN.COM for port 389

http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html

Greg Askew
  • Wait, what? The kinit -k is performed from a Linux machine, not Windows. – Eugene Jul 27 '12 at 14:15
  • If you want to use DNS for these records, you may want to perform a packet capture to determine if the machine is querying for the records. – Greg Askew Jul 27 '12 at 15:03
  • Of course I want to use DNS for these records, didn't I specify that in krb5.conf? :). This makes no sense, you're suggesting to use Wireshark for example to see if the Linux machine is even trying to access these records? If it was not, then how did kinit user@OURDOMAIN.COM work? Can you please be a bit more verbose/specific? – Eugene Jul 27 '12 at 15:08
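To make the DNS side of the answer above concrete: with dns_lookup_kdc=true, MIT krb5 locates the KDCs of a realm through the SRV records _kerberos._udp.REALM and _kerberos._tcp.REALM (Active Directory publishes these under the lower-cased DNS domain name), and realms that already have kdc = lines in [realms] are not looked up in DNS at all. The shell script below is an added example, not part of the original answer: it prints the names the library queries for a realm, and turns a "dig +short SRV" answer (a constructed sample here; the hosts are assumptions) into the host:port a client tries first, which is what belongs in a kdc = line.

```shell
#!/bin/sh
# Added example (not from the original answer): what dns_lookup_kdc=true makes
# the Kerberos library look up, and how to read a DNS SRV answer for it.
#
# MIT krb5 locates KDCs for REALM through the SRV records
#   _kerberos._udp.REALM  and  _kerberos._tcp.REALM
# Active Directory publishes them under the DNS domain name in lower case.

# srv_names REALM: print the SRV owner names the library will query.
srv_names() {
    realm=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '_kerberos._udp.%s\n_kerberos._tcp.%s\n' "$realm" "$realm"
}

# query_srv NAME: live lookup with dig. Needs network access, so the
# demonstration below uses a constructed answer instead of calling this.
query_srv() {
    dig +short SRV "$1"
}

# best_kdc: read "priority weight port target" SRV lines on stdin and print
# "host:port" for the record a client tries first: lowest priority, and among
# equal priorities the highest weight. The trailing dot of the target is
# stripped so the result can be pasted into a "kdc =" line. Prints nothing
# when the input is empty, i.e. when DNS has no SRV record for the realm.
best_kdc() {
    sort -k1,1n -k2,2nr | head -n 1 \
        | awk 'NF >= 4 { sub(/\.$/, "", $4); print $4 ":" $3 }'
}

# Constructed sample answer in the form "dig +short SRV
# _kerberos._tcp.ourdomain.com" prints it; the hosts are assumptions.
SAMPLE_SRV='0 100 88 vsh002.ourdomain.com.
10 100 88 vsh003.ourdomain.com.
0 50 88 vsh004.ourdomain.com.'

# Stand-alone demonstration.
srv_names OURDOMAIN.COM
printf '%s\n' "$SAMPLE_SRV" | best_kdc
```

For a live check run `for n in $(srv_names OURDOMAIN.COM); do query_srv "$n"; done | best_kdc` against the nameserver from resolv.conf; an empty result means the resolver the box is using has no SRV records for the realm, and the library then depends entirely on the kdc = lines in [realms] (where a misspelt realm name silently leaves the real realm without a KDC).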