
I have a machine with Samba 4 AD and a second one as a client. After two days of good operation, kinit suddenly stopped working on the client side. The reason is quite mysterious: it cannot resolve the name of the server. It gets the name bolbro.barbucha.local from the SRV record, but then cannot resolve its IP.

$ KRB5_TRACE=/dev/stdout kinit test
[4841] 1389479680.105645: Getting initial credentials for test@BARBUCHA.LOCAL
[4841] 1389479680.106009: Sending request (172 bytes) to BARBUCHA.LOCAL
[4841] 1389479680.115312: Resolving hostname bolbro.barbucha.local.
[4841] 1389479690.122000: Resolving hostname bolbro.barbucha.local.
kinit: Cannot contact any KDC for realm 'BARBUCHA.LOCAL' while getting initial credentials

But, if I change the content of the /etc/krb5.conf file, without changing anything on the server side, from:

[libdefaults]
    default_realm = BARBUCHA.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true

to:

[libdefaults]
        default_realm = BARBUCHA.LOCAL
        forwardable = true
        proxiable = true
        dns_lookup_kdc = true

[realms]
        BARBUCHA.LOCAL = {
                kdc = bolbro.barbucha.local
        }

...then it works - the IP address is resolved. The layman marvels at this wonder, the expert is surprised. How is it even possible that it resolved the name properly?

$ KRB5_TRACE=/dev/stdout kinit test
[4881] 1389479960.11821: Getting initial credentials for test@BARBUCHA.LOCAL
[4881] 1389479960.12298: Sending request (172 bytes) to BARBUCHA.LOCAL
[4881] 1389479960.12412: Resolving hostname bolbro.barbucha.local
[4881] 1389479960.12828: Sending initial UDP request to dgram 10.0.0.3:88
[4881] 1389479960.17680: Received answer from dgram 10.0.0.3:88
[4881] 1389479960.25280: Response was not from master KDC
[4881] 1389479960.25313: Received error from KDC: -1765328359/Additional pre-authentication required
[4881] 1389479960.25358: Processing preauth types: 16, 15, 2, 11, 19
[4881] 1389479960.25370: Selected etype info: etype rc4-hmac, salt "", params ""
Password for test@BARBUCHA.LOCAL:

Additionally: tcpdump told me that the SRV record was resolved up to the IP address 10.0.0.3, but kinit didn't use it.

I think there is a bug somewhere, but I'm unable to find out whether it is on the server side or on the client side. I don't know either whether it is a matter of DNS or Kerberos. I've been googling for a long time. There are a lot of reasons, but this situation is a special combination of several error states.

However, it would be awful to figure it out. I would appreciate any suggestion.

  • `But, if I change content of the /etc/krb5.conf file without changing anything on the server-side....then it works` What is the change you have made in `krb5.conf`? – krisFR Jan 12 '14 at 00:58
  • Sorry, I forgot to post the original file - I've updated my post. There wasn't any KDC server specified, just an instruction that Kerberos should look for the KDC in DNS. The SRV record had been resolved - bolbro.barbucha.local - but then the IP address wasn't found. But if the KDC server was specified without using the SRV record, then the IP address was resolved - 10.0.0.3 - and kinit worked. Mystery... What's wrong? SRV, PTR or A record? Or something else elsewhere? – Theodor Keinstein Jan 13 '14 at 10:44
  • One more update: I added a sentence _Additionally_ about the `tcpdump`. – Theodor Keinstein Jan 13 '14 at 10:49
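As an added diagnostic example (this is not part of the question or of any answer), the script below parses the two KRB5_TRACE transcripts and the two krb5.conf variants quoted above. The trace lines and config text are copied from the question; the function names, the regular expressions and the result layout are my own. It makes the difference between the two runs mechanical: in the failing run the `Resolving hostname` line is never followed by a `Sending initial ... request to <ip:port>` line and is retried about 10 seconds later, while in the working run the same hostname is immediately followed by a request to 10.0.0.3:88. The config check reports whether KDC discovery for the realm depends on a DNS SRV lookup or on an explicit `kdc =` entry (MIT Kerberos treats `dns_lookup_kdc` as true when unset; that default is an assumption about the client's library, not something the question states).

```python
import re

# Sample input: the two KRB5_TRACE transcripts from the question, embedded
# here so the script runs offline (constructed copy of the quoted output).
FAILING_TRACE = """\
[4841] 1389479680.105645: Getting initial credentials for test@BARBUCHA.LOCAL
[4841] 1389479680.106009: Sending request (172 bytes) to BARBUCHA.LOCAL
[4841] 1389479680.115312: Resolving hostname bolbro.barbucha.local.
[4841] 1389479690.122000: Resolving hostname bolbro.barbucha.local.
kinit: Cannot contact any KDC for realm 'BARBUCHA.LOCAL' while getting initial credentials
"""

WORKING_TRACE = """\
[4881] 1389479960.11821: Getting initial credentials for test@BARBUCHA.LOCAL
[4881] 1389479960.12298: Sending request (172 bytes) to BARBUCHA.LOCAL
[4881] 1389479960.12412: Resolving hostname bolbro.barbucha.local
[4881] 1389479960.12828: Sending initial UDP request to dgram 10.0.0.3:88
[4881] 1389479960.17680: Received answer from dgram 10.0.0.3:88
[4881] 1389479960.25313: Received error from KDC: -1765328359/Additional pre-authentication required
"""

# The two krb5.conf variants from the question.
CONF_DNS_ONLY = """\
[libdefaults]
    default_realm = BARBUCHA.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true
"""

CONF_EXPLICIT_KDC = """\
[libdefaults]
    default_realm = BARBUCHA.LOCAL
    forwardable = true
    proxiable = true
    dns_lookup_kdc = true

[realms]
    BARBUCHA.LOCAL = {
        kdc = bolbro.barbucha.local
    }
"""

# "Resolving hostname X" may carry a trailing dot (as in the failing run);
# the optional "\.?" normalises both spellings to the same key.
RESOLVE_RE = re.compile(r"^\[\d+\] (\d+\.\d+): Resolving hostname (\S+?)\.?$")
SEND_RE = re.compile(r"^\[\d+\] (\d+\.\d+): Sending initial \w+ request to \w+ (\S+)$")
ERROR_RE = re.compile(r"^kinit: (.+)$")


def analyze_trace(trace: str) -> dict:
    """For each hostname kinit tried to resolve, record how many attempts were
    made, which ip:port endpoints were contacted afterwards, and the time
    between the first and last attempt. A hostname with no endpoint means the
    name was resolved out of DNS SRV but never became an address."""
    attempts, endpoints, first_ts, last_ts = {}, {}, {}, {}
    current, error = None, None
    for raw in trace.splitlines():
        line = raw.strip()
        m = RESOLVE_RE.match(line)
        if m:
            ts, host = float(m.group(1)), m.group(2)
            current = host
            attempts[host] = attempts.get(host, 0) + 1
            endpoints.setdefault(host, [])
            first_ts.setdefault(host, ts)
            last_ts[host] = ts
            continue
        m = SEND_RE.match(line)
        if m and current is not None:
            endpoints[current].append(m.group(2))
            continue
        m = ERROR_RE.match(line)
        if m:
            error = m.group(1)
    return {
        "resolve_attempts": attempts,
        "endpoints": endpoints,
        "retry_gap_s": {h: last_ts[h] - first_ts[h] for h in attempts},
        "unresolved": sorted(h for h, eps in endpoints.items() if not eps),
        "error": error,
    }


def kdc_source(conf: str, realm: str) -> dict:
    """Minimal krb5.conf reader: report whether the realm's KDC comes from an
    explicit [realms] entry or from a DNS SRV lookup (dns_lookup_kdc)."""
    section, in_realm, dns_lookup, kdcs = None, None, None, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, in_realm = line[1:-1].lower(), None
            continue
        if section == "libdefaults":
            key, _, value = line.partition("=")
            if key.strip() == "dns_lookup_kdc":
                dns_lookup = value.strip().lower() in ("true", "yes", "1")
        elif section == "realms":
            if line.endswith("{"):
                in_realm = line[:-1].split("=", 1)[0].strip()
            elif line == "}":
                in_realm = None
            elif in_realm == realm:
                key, _, value = line.partition("=")
                if key.strip() in ("kdc", "master_kdc"):
                    kdcs.append(value.strip())
    # Assumption: MIT Kerberos defaults dns_lookup_kdc to true when unset.
    if kdcs:
        source = "explicit"
    elif dns_lookup is not False:
        source = "dns-srv"
    else:
        source = "none"
    return {"source": source, "kdcs": kdcs, "dns_lookup_kdc": dns_lookup}


if __name__ == "__main__":
    for label, trace, conf in (("failing", FAILING_TRACE, CONF_DNS_ONLY),
                               ("working", WORKING_TRACE, CONF_EXPLICIT_KDC)):
        print(label, kdc_source(conf, "BARBUCHA.LOCAL"), analyze_trace(trace))
```

Run on its own, the script prints that the `dns-srv` configuration leaves `bolbro.barbucha.local` unresolved after two attempts roughly 10 seconds apart, while the `explicit` configuration reaches `10.0.0.3:88`. The practical next check is to feed the hostname that appears in the `unresolved` list to the client's own resolver (for example `getent hosts bolbro.barbucha.local` and `dig _kerberos._udp.barbucha.local SRV`) and compare what that returns with what tcpdump shows on the wire; a mismatch between the two points at the client's resolver configuration rather than at the KDC.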
