Cannot contact any KDC for requested realm while initializing kadmin interface

Kim Holburn kim.holburn at anu.edu.au
Fri Jul 11 00:40:45 EDT 2003


I need some help installing kerberos.  Any help greatly appreciated.

I am using debian woody.  

I installed the debian binaries (1.2.4) using apt-get 
ii  krb5-admin-ser 1.2.4-5woody4  Mit Kerberos master server (kadmind)
ii  krb5-clients   1.2.4-5woody4  Secure replacements for ftp, telnet and rsh 
ii  krb5-config    1.4            Configuration files for Kerberos Version 5
ii  krb5-doc       1.2.4-5woody4  Documentation for krb5
ii  krb5-kdc       1.2.4-5woody4  Mit Kerberos key server (KDC)
ii  krb5-user      1.2.4-5woody4  Basic programs to authenticate using MIT Ker
ii  libkrb5-dev    1.2.4-5woody4  Headers and development libraries for MIT Ke
ii  libkrb53       1.2.4-5woody4  MIT Kerberos runtime libraries

and followed the directions on the install page:
http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.8/doc/install_toc.html


---------------------------------/etc/krb5.conf -----------------------
[libdefaults]
        default_realm = MYDOMAIN.COM
        ticket_lifetime = 600
# The following krb5.conf variables are only for MIT Kerberos.
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
        permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

[realms]
        MYDOMAIN.COM = {
                kdc = kerberos.mydomain.com
#               kdc = kerberos-1.mydomain.com:88
                admin_server = kerberos.mydomain.com
                default_domain = mydomain.com
        }

[domain_realm]
        .mydomain.com = MYDOMAIN.COM
        mydomain.com = MYDOMAIN.COM

[logging]
        kdc = FILE:/var/log/kerberos/krb5kdc.log
        admin_server = FILE:/var/log/kerberos/kadmin.log
        default = FILE:/var/log/kerberos/krb5lib.log

[login] 
        krb4_convert = false
        krb4_get_tickets = false

---------------------------------/etc/krb5.conf -----------------------

---------------------------------/etc/krb5kdc/kdc.conf -----------------------
[kdcdefaults]
        kdc_ports = 750,88

[realms]
        MYDOMAIN.COM = {
                database_name = /var/lib/krb5kdc/principal
                admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
                acl_file = /etc/krb5kdc/kadm5.acl
                key_stash_file = /etc/krb5kdc/stash
#               kdc_ports = 750,88
                kadmind_port = 749
                max_life = 10h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                master_key_type = des3-hmac-sha1
                supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:afs3
#               supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
#               default_principal_flags = +preauth
        }

---------------------------------/etc/krb5kdc/kdc.conf -----------------------



I get no unusual messages in the logs when I start kdc and kadmind: 
Jul 11 13:43:45 kerberos krb5kdc[2438](info): setting up network...
Jul 11 13:43:45 kerberos krb5kdc[2438](info): listening on fd 8: 150.203.126.19 port 750
Jul 11 13:43:45 kerberos krb5kdc[2438](info): listening on fd 9: 150.203.126.19 port 88
Jul 11 13:43:45 kerberos krb5kdc[2438](info): set up 2 sockets
Jul 11 13:43:45 kerberos krb5kdc[2439](info): commencing operation


Jul 11 13:43:45 kerberos kadmind[2442](info): starting


When I run kadmin or kinit, they hang for 30 seconds or so and then I get this message:
# kadmin
Authenticating as principal root/admin@MYDOMAIN.COM with password.
kadmin: Cannot contact any KDC for requested realm while initializing kadmin interface


root@kerberos:/etc# lsof -i
COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
syslogd  160 root   18u  IPv4    153       UDP *:syslog 
sshd     181 root    3u  IPv4    309       TCP *:ssh (LISTEN)
ntpd     184 root    4u  IPv4    359       UDP *:ntp 
ntpd     184 root    5u  IPv4    360       UDP localhost:ntp 
ntpd     184 root    6u  IPv4    361       UDP kerberos.mydomain.com:ntp 
krb5kdc 2439 root    8u  IPv4  31995       UDP kerberos.mydomain.com:kerberos4 
krb5kdc 2439 root    9u  IPv4  31996       UDP kerberos.mydomain.com:kerberos 
kadmind 2442 root    8u  IPv4  32068       TCP *:kerberos-adm (LISTEN)
kadmind 2442 root    9u  IPv4  32069       UDP *:464 

where:
# grep ker /etc/services
kerberos        88/tcp          kerberos5 krb5 kerberos-sec     # Kerberos v5
kerberos        88/udp          kerberos5 krb5 kerberos-sec     # Kerberos v5
kerberos-adm    749/tcp                         # Kerberos `kadmin' (v5)
kerberos-adm    749/udp                         # Kerberos `kadmin' (v5)
kerberos4       750/udp         kerberos-iv kdc # Kerberos (server) udp
kerberos4       750/tcp         kerberos-iv kdc # Kerberos (server) tcp
kerberos_master 751/udp                         # Kerberos authentication
kerberos_master 751/tcp                         # Kerberos authentication


I am running tcpdump while running kadmin but see no traffic.  An strace of kadmin shows:

connect(3, {sin_family=AF_INET, sin_port=htons(88), sin_addr=inet_addr("123.45.67.89")}}, 16) = 0
send(3, "j\201\2410\201\236\241\3\2\1\5\242\3\2\1\n\244\201\221"..., 164, 0) = 164
select(4, [3], NULL, NULL, {1, 0})      = 0 (Timeout)
send(3, "j\201\2410\201\236\241\3\2\1\5\242\3\2\1\n\244\201\221"..., 164, 0) = 164
select(4, [3], NULL, NULL, {4, 0})      = 0 (Timeout)
send(3, "j\201\2410\201\236\241\3\2\1\5\242\3\2\1\n\244\201\221"..., 164, 0) = 164
select(4, [3], NULL, NULL, {16, 0})     = 0 (Timeout)
close(3)                                = 0


Actually it looks like kdc is not listening on TCP port 88.  Should it be, and if it should, why isn't it?

Kim

btw the mailing list web page says these posts are mirrored on usenet.  Do subscribers' unobfuscated email addresses end up on usenet too?
-- 
--
Kim Holburn  
Network Consultant - Telecommunications Engineering
Research School of Information Sciences and Engineering
Australian National University - Ph: +61 2 61258620 M: +61 0417820641
Email: kim.holburn_at_anu.edu.au  - PGP Public Key on request

Life is complex - It has real and imaginary parts.
     Andrea Leistra (rec.arts.sf.written.Robert-jordan)
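
Added example, not part of the original post: a Python sketch that cross-checks the three pieces of evidence quoted above (the krb5kdc log, the lsof listing and the strace connect() call) to see whether the client is sending to an address and transport the KDC actually holds a socket on. The function names are hypothetical; the sample lines are copied from the post with the wrapped log lines rejoined, and addresses in the post may have been altered before posting.

```python
import re

# Sample evidence copied from the post (not live data).
KDC_LOG = """\
Jul 11 13:43:45 kerberos krb5kdc[2438](info): listening on fd 8: 150.203.126.19 port 750
Jul 11 13:43:45 kerberos krb5kdc[2438](info): listening on fd 9: 150.203.126.19 port 88
"""
LSOF = """\
krb5kdc 2439 root    8u  IPv4  31995       UDP kerberos.mydomain.com:kerberos4
krb5kdc 2439 root    9u  IPv4  31996       UDP kerberos.mydomain.com:kerberos
kadmind 2442 root    8u  IPv4  32068       TCP *:kerberos-adm (LISTEN)
"""
STRACE = ('connect(3, {sin_family=AF_INET, sin_port=htons(88), '
          'sin_addr=inet_addr("123.45.67.89")}}, 16) = 0')

def kdc_bound(log_text):
    """(address, port) pairs krb5kdc reported binding in its log."""
    pat = r"krb5kdc\[\d+\]\(info\): listening on fd \d+: (\S+) port (\d+)"
    return {(addr, int(port)) for addr, port in re.findall(pat, log_text)}

def kdc_transports(lsof_text):
    """Transports (UDP/TCP) on which a krb5kdc process holds sockets."""
    found = set()
    for line in lsof_text.splitlines():
        fields = line.split()
        if fields and fields[0] == "krb5kdc":
            # lsof leaves SIZE blank here, so search for the token
            # instead of relying on a fixed column index.
            found.update(f for f in fields if f in ("UDP", "TCP"))
    return found

def client_target(strace_line):
    """(address, port) the client passed to connect(), or None."""
    m = re.search(r'sin_port=htons\((\d+)\), sin_addr=inet_addr\("([^"]+)"\)',
                  strace_line)
    return (m.group(2), int(m.group(1))) if m else None

def diagnose(log_text, lsof_text, strace_line):
    """List mismatches between where the client sends and where the KDC listens."""
    findings = []
    bound, target = kdc_bound(log_text), client_target(strace_line)
    if target and target not in bound:
        findings.append(f"client sends to {target[0]}:{target[1]}, "
                        f"but KDC bound {sorted(bound)}")
    transports = kdc_transports(lsof_text)
    if "TCP" not in transports:
        findings.append("krb5kdc holds no TCP socket (has: "
                        + ", ".join(sorted(transports)) + ")")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(KDC_LOG, LSOF, STRACE)))
```

A destination mismatch, if real rather than an artifact of sanitizing the post, would also explain why tcpdump on the KDC's interface shows no traffic.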

