
I am trying to get a Kerberos KDC server up and running, but somehow get stuck at remote access to the KDC service. When trying 'kinit' from another Linux (Debian Stretch) system, I always get the error "kinit: Cannot contact any KDC for realm 'DOMAIN.TLD' while getting initial credentials".

The KDC and Admin services are installed on a Debian Stretch (9.3) system with all packages up to date. An overview of the relevant configuration files follows.

The KDC server configuration

First the Kerberos server (FQDN: kdc.domain.tld), with a fixed IP address and its hostname in the DNS zone file (and in the reverse zone as well). I installed the Kerberos packages with:

$ sudo apt-get install krb5-{admin-server,kdc} -y

The relevant configuration files

/etc/hosts

127.0.0.1       localhost
192.168.1.2     client.domain.tld client
192.168.1.3     kdc.domain.tld kdc

/etc/resolv.conf

domain domain.tld
search domain.tld
nameserver 192.168.1.1
nameserver 8.8.8.8
nameserver 8.8.4.4

/etc/krb5.conf

[libdefaults]
  default_realm = DOMAIN.TLD
# The following krb5.conf variables are only for MIT Kerberos.
  kdc_timesync = 1
  ccache_type = 4
  forwardable = true
  proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
  fcc-mit-ticketflags = true
[realms]
  DOMAIN.TLD = {
    kdc = kdc.domain.tld
    admin_server = kdc.domain.tld
    default_domain = domain.tld
  }
[domain_realm]
  .domain.tld = DOMAIN.TLD
  domain.tld = DOMAIN.TLD
[logging]
  default = FILE:/var/log/kerberos/krb5-libs.log
  kdc = FILE:/var/log/kerberos/krb5-kdc.log
  admin_server = FILE:/var/log/kerberos/krb5-admin.log

kadmin.local listprincs output

K/M@DOMAIN.TLD
userid/admin@DOMAIN.TLD
userid@TLD.TLD
host/kdc.domain.tld@DOMAIN.TLD
kadmin/admin@DOMAIN.TLD
kadmin/changepw@DOMAIN.TLD
kadmin/kdc.domain.tld@DOMAIN.TLD
kiprop/kdc.domain.tld@DOMAIN.TLD
krbtgt/DOMAIN.TLD@DOMAIN.TLD

The firewall is 'off':

$ iptables -S (on the KDC server, where I've disabled ufw):
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N ufw-after-forward
-N ufw-after-input
-N ufw-after-logging-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-output
-N ufw-before-forward
-N ufw-before-input
-N ufw-before-logging-forward
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-output
-N ufw-reject-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-track-forward
-N ufw-track-input
-N ufw-track-output

And the KDC service is listening on port 88:

$ netstat -antup | grep krb (output on the KDC server):
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      528/krb5kdc
tcp6       0      0 :::88                   :::*                    LISTEN      528/krb5kdc
udp        0      0 0.0.0.0:750             0.0.0.0:*                           528/krb5kdc
udp        0      0 0.0.0.0:88              0.0.0.0:*                           528/krb5kdc
udp6       0      0 :::750                  :::*                                528/krb5kdc
udp6       0      0 :::88                   :::*                                528/krb5kdc

When I run the 'kinit' on the KDC server it works as expected:

$ KRB5_TRACE=/dev/stdout kinit -V
Using default cache: /tmp/krb5cc_1000
Using principal: userid@DOMAIN.TLD
Getting initial credentials for userid@DOMAIN.TLD
Sending request (181 bytes) to DOMAIN.TLD
Resolving hostname kdc.domain.tld
Sending initial UDP request to dgram 192.168.1.3:88
Received answer (274 bytes) from dgram 192.168.1.3:88
Response was not from master KDC
Received error from KDC: -1765328359/Additional pre-authentication required
Processing preauth types: 136, 19, 2, 133
Selected etype info: etype aes256-cts, salt "DOMAIN.TLDuserid", params ""
Received cookie: MIT
Password for userid@DOMAIN.TLD:
AS key obtained for encrypted timestamp: aes256-cts/000C
...etc

And there is a ticket in the cache:

$ klist -f
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: userid@DOMAIN.TLD

Valid starting       Expires              Service principal
mm/dd/yyyy hh:mm:ss  mm/dd/yyyy hh:mm:ss  krbtgt/DOMAIN.TLD@DOMAIN.TLD
        renew until mm/dd/yyyy hh:mm:ss, Flags: FPRIA

Client configuration

On the client, where I have installed 'krb5-user' and copied the '/etc/krb5.conf' file from the server, I have the following configuration:

/etc/hosts

127.0.0.1       localhost
192.168.1.2     client.domain.tld client
192.168.1.3     kdc.domain.tld kdc

/etc/resolv.conf

domain domain.tld
search domain.tld
nameserver 192.168.1.1
nameserver 8.8.8.8
nameserver 8.8.4.4

Server is reachable and name can be resolved:

$ ping -c1 kdc.domain.tld (from the client Linux system):
PING kdc.domain.tld (192.168.1.3) 56(84) bytes of data.
64 bytes from kdc.domain.tld (192.168.1.3): icmp_seq=1 ttl=64 time=0.231 ms

--- kdc.domain.tld ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.231/0.231/0.231/0.000 ms

And the firewall on the client is also 'off':

$ iptables -S (on the KDC server, where I've disabled ufw):
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N ufw-after-forward
-N ufw-after-input
-N ufw-after-logging-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-output
-N ufw-before-forward
-N ufw-before-input
-N ufw-before-logging-forward
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-output
-N ufw-reject-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-track-forward
-N ufw-track-input
-N ufw-track-output

When I run the kinit command on the client, the output is:

$ KRB5_TRACE=/dev/stdout kinit -V
Using default cache: /tmp/krb5cc_1000
Using principal: userid@DOMAIN.TLD
Getting initial credentials for userid@DOMAIN.TLD
Sending request (175 bytes) to DOMAIN.TLD
Resolving hostname kdc.domain.tld
Sending initial UDP request to dgram 192.168.1.3:88
Resolving hostname kdc.domain.tld
Sending initial UDP request to dgram 192.168.1.3:750
Initiating TCP connection to stream 192.168.1.3:88
Terminating TCP connection to stream 192.168.1.3:88
kinit: Cannot contact any KDC for realm 'DOMAIN.TLD' while getting initial credentials

The response comes instantly and it looks like the ports are blocked, but the firewalls are 'off' on both systems. Also, there is nothing in any of the log files. And an nmap scan from the client shows that somehow the Kerberos port is closed. Is that because the KDC service doesn't like the message sent?

$ nmap -v -A --version-all -p88 kdc.domain.tld
 ...
Nmap scan report for kdc.domain.tld (192.168.1.3)
Host is up (0.00043s latency).
PORT   STATE  SERVICE      VERSION
88/tcp closed kerberos-sec
 ...
Noppes123
    OK. This is embarrassing... I installed another Linux client in a VM and tested 'kinit' from there. Guess what? It worked right out of the box. So, I did some more tests on my first Linux client (a physical device) and it turns out it has some vague network issues. – Noppes123 Feb 03 '18 at 06:29
  • Right @Noppes123, according to your description the behavior indicates some network issues including DNS, hostname resolution, firewall, connection and so on. According to your last comment it seems to be working now. – U880D Apr 27 '18 at 05:55
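The trace in the question shows the client giving up on UDP 88, UDP 750 and TCP 88 within the same instant, and nmap reporting TCP 88 as closed even though the KDC is listening and no filter rules are loaded. The script below is an added example, not code from the question, from MIT Kerberos or from the commenters: it reads the `kdc =` entries for a realm out of a krb5.conf, then probes each KDC the way kinit does (UDP first, then TCP) and classifies the outcome so that a closed port (RST, "refused"), a filtered port ("timeout") and a reachable-but-silent UDP listener are told apart. The embedded krb5.conf text and the hostnames in it are constructed for illustration (the second KDC on port 1088 only exercises the host:port parsing); the loopback demonstration at the end reproduces the "open" versus "closed" distinction offline.

```python
"""Added example (not from the original post): extract the KDCs of a realm from
krb5.conf and probe them like kinit does, distinguishing refused/filtered/open.
The sample config and hostnames are constructed for illustration."""
import re
import socket

DEFAULT_KDC_PORT = 88

# Constructed sample mirroring the [realms] stanza from the question, plus a
# second KDC on a non-default port to exercise the host:port parsing.
SAMPLE_KRB5_CONF = """
[libdefaults]
  default_realm = DOMAIN.TLD
[realms]
  DOMAIN.TLD = {
    kdc = kdc.domain.tld
    kdc = kdc2.domain.tld:1088
    admin_server = kdc.domain.tld
  }
[domain_realm]
  .domain.tld = DOMAIN.TLD
"""


def split_host_port(spec):
    """'host', 'host:port' or '[v6addr]:port' -> (host, port); port defaults to 88."""
    m = re.match(r'^\[([^\]]+)\](?::(\d+))?$', spec)
    if m:
        return m.group(1), int(m.group(2) or DEFAULT_KDC_PORT)
    host, sep, port = spec.rpartition(':')
    if sep and port.isdigit():
        return host, int(port)
    return spec, DEFAULT_KDC_PORT


def kdcs_for_realm(conf_text, realm):
    """Return [(host, port), ...] from the 'kdc =' lines of REALM's [realms] stanza."""
    in_realms = in_stanza = False
    kdcs = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':           # krb5.conf comment lines
            continue
        if line.startswith('['):                  # section header, e.g. [realms]
            in_realms, in_stanza = (line == '[realms]'), False
            continue
        if not in_realms:
            continue
        head = re.match(r'^(\S+)\s*=\s*\{$', line)   # "REALM = {"
        if head:
            in_stanza = head.group(1).upper() == realm.upper()
            continue
        if line == '}':
            in_stanza = False
            continue
        if in_stanza:
            key, _, value = line.partition('=')
            if key.strip() == 'kdc':
                kdcs.append(split_host_port(value.strip()))
    return kdcs


def _resolve(host, port, socktype):
    family, _, _, _, addr = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socktype)[0]
    return family, addr


def probe_tcp(host, port, timeout=2.0):
    """'open' (SYN/ACK), 'refused' (RST: host up but nothing listening, or a REJECT
    rule), 'timeout' (DROP rule or black hole), 'unreachable' or 'unresolved'."""
    try:
        family, addr = _resolve(host, port, socket.SOCK_STREAM)
    except socket.gaierror:
        return 'unresolved'
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(addr)
            return 'open'
        except ConnectionRefusedError:
            return 'refused'
        except socket.timeout:
            return 'timeout'
        except OSError:
            return 'unreachable'


def probe_udp(host, port, timeout=2.0):
    """UDP has no handshake: 'refused' means ICMP port-unreachable came back (host
    up, no listener); 'reply' means something answered our junk datagram;
    'silent' is ambiguous (listener ignored it, or a DROP rule), which is why
    kinit falls back to TCP after its UDP attempts."""
    try:
        family, addr = _resolve(host, port, socket.SOCK_DGRAM)
    except socket.gaierror:
        return 'unresolved'
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(addr)          # connected UDP so ICMP errors surface on recv()
            s.send(b'\x00')          # deliberately not a valid KRB AS-REQ
            s.recv(4096)
            return 'reply'
        except ConnectionRefusedError:
            return 'refused'
        except socket.timeout:
            return 'silent'
        except OSError:
            return 'unreachable'


def check_realm(conf_text, realm):
    """Probe every KDC of REALM: {(host, port): (udp_result, tcp_result)}."""
    return {(h, p): (probe_udp(h, p), probe_tcp(h, p)) for h, p in kdcs_for_realm(conf_text, realm)}


def demo_loopback():
    """Offline demonstration: a listening loopback port probes 'open'; the same
    port probes 'refused' once closed, which is what nmap reported as 'closed'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(('127.0.0.1', 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_open = probe_tcp('127.0.0.1', port, timeout=1.0)
    after_close = probe_tcp('127.0.0.1', port, timeout=1.0)
    return while_open, after_close


if __name__ == '__main__':
    print(kdcs_for_realm(SAMPLE_KRB5_CONF, 'DOMAIN.TLD'))
    print(demo_loopback())
    # On a real client: check_realm(open('/etc/krb5.conf').read(), 'DOMAIN.TLD')
```

Reading the result: "refused" on TCP 88 from the client while `netstat` on the KDC shows krb5kdc bound to 0.0.0.0:88 and the `iptables -S` policies are ACCEPT points away from both the KDC and the packet filter and toward the path between the two hosts (a wrong route, a stale ARP entry, a NAT or bridge in between, or a host answering for the KDC's address), which matches the outcome reported in the comments; a "timeout" would instead point at a DROP rule or an unanswered route somewhere on the way.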
