Cannot contact any KDC for requested realm while initializing kadmin interface
Kim Holburn
kim.holburn at anu.edu.au
Fri Jul 11 00:40:45 EDT 2003
I need some help installing Kerberos. Any help greatly appreciated.
I am using Debian woody.
I installed the Debian binaries (1.2.4) using apt-get:
ii krb5-admin-ser 1.2.4-5woody4 Mit Kerberos master server (kadmind)
ii krb5-clients 1.2.4-5woody4 Secure replacements for ftp, telnet and rsh
ii krb5-config 1.4 Configuration files for Kerberos Version 5
ii krb5-doc 1.2.4-5woody4 Documentation for krb5
ii krb5-kdc 1.2.4-5woody4 Mit Kerberos key server (KDC)
ii krb5-user 1.2.4-5woody4 Basic programs to authenticate using MIT Ker
ii libkrb5-dev 1.2.4-5woody4 Headers and development libraries for MIT Ke
ii libkrb53 1.2.4-5woody4 MIT Kerberos runtime libraries
and followed the directions on the install page:
http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.8/doc/install_toc.html
---------------------------------/etc/krb5.conf -----------------------
[libdefaults]
default_realm = MYDOMAIN.COM
ticket_lifetime = 600
# The following krb5.conf variables are only for MIT Kerberos.
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
MYDOMAIN.COM = {
kdc = kerberos.mydomain.com
# kdc = kerberos-1.mydomain.com:88
admin_server = kerberos.mydomain.com
default_domain = mydomain.com
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
[logging]
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmin.log
default = FILE:/var/log/kerberos/krb5lib.log
[login]
krb4_convert = false
krb4_get_tickets = false
---------------------------------/etc/krb5.conf -----------------------
---------------------------------/etc/krb5kdc/kdc.conf -----------------------
[kdcdefaults]
kdc_ports = 750,88
[realms]
MYDOMAIN.COM = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
# kdc_ports = 750,88
kadmind_port = 749
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:afs3
# supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
# default_principal_flags = +preauth
}
---------------------------------/etc/krb5kdc/kdc.conf -----------------------
I get no unusual messages in the logs when I start kdc and kadmind:
Jul 11 13:43:45 kerberos krb5kdc[2438](info): setting up network...
Jul 11 13:43:45 kerberos krb5kdc[2438](info): listening on fd 8: 150.203.126.19 port 750
Jul 11 13:43:45 kerberos krb5kdc[2438](info): listening on fd 9: 150.203.126.19 port 88
Jul 11 13:43:45 kerberos krb5kdc[2438](info): set up 2 sockets
Jul 11 13:43:45 kerberos krb5kdc[2439](info): commencing operation
Jul 11 13:43:45 kerberos kadmind[2442](info): starting
When I run kadmin or kinit, they hang for 30 seconds or so and then I get this message:
# kadmin
Authenticating as principal root/admin@MYDOMAIN.COM with password.
kadmin: Cannot contact any KDC for requested realm while initializing kadmin interface
root@kerberos:/etc# lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
syslogd 160 root 18u IPv4 153 UDP *:syslog
sshd 181 root 3u IPv4 309 TCP *:ssh (LISTEN)
ntpd 184 root 4u IPv4 359 UDP *:ntp
ntpd 184 root 5u IPv4 360 UDP localhost:ntp
ntpd 184 root 6u IPv4 361 UDP kerberos.mydomain.com:ntp
krb5kdc 2439 root 8u IPv4 31995 UDP kerberos.mydomain.com:kerberos4
krb5kdc 2439 root 9u IPv4 31996 UDP kerberos.mydomain.com:kerberos
kadmind 2442 root 8u IPv4 32068 TCP *:kerberos-adm (LISTEN)
kadmind 2442 root 9u IPv4 32069 UDP *:464
where:
# grep ker /etc/services
kerberos 88/tcp kerberos5 krb5 kerberos-sec # Kerberos v5
kerberos 88/udp kerberos5 krb5 kerberos-sec # Kerberos v5
kerberos-adm 749/tcp # Kerberos `kadmin' (v5)
kerberos-adm 749/udp # Kerberos `kadmin' (v5)
kerberos4 750/udp kerberos-iv kdc # Kerberos (server) udp
kerberos4 750/tcp kerberos-iv kdc # Kerberos (server) tcp
kerberos_master 751/udp # Kerberos authentication
kerberos_master 751/tcp # Kerberos authentication
I am running tcpdump while running kadmin but see no traffic. An strace of kadmin shows:
connect(3, {sin_family=AF_INET, sin_port=htons(88), sin_addr=inet_addr("123.45.67.89")}}, 16) = 0
send(3, "j\201\2410\201\236\241\3\2\1\5\242\3\2\1\n\244\201\221"..., 164, 0) = 164
select(4, [3], NULL, NULL, {1, 0}) = 0 (Timeout)
send(3, "j\201\2410\201\236\241\3\2\1\5\242\3\2\1\n\244\201\221"..., 164, 0) = 164
select(4, [3], NULL, NULL, {4, 0}) = 0 (Timeout)
send(3, "j\201\2410\201\236\241\3\2\1\5\242\3\2\1\n\244\201\221"..., 164, 0) = 164
select(4, [3], NULL, NULL, {16, 0}) = 0 (Timeout)
close(3) = 0
Actually it looks like kdc is not listening on TCP port 88. Should it be, and if it should why isn't it?
Kim
btw the mailing list web page says these posts are mirrored on usenet. Do subscribers' unobfuscated email addresses end up on usenet too?
--
Kim Holburn
Network Consultant - Telecommunications Engineering
Research School of Information Sciences and Engineering
Australian National University - Ph: +61 2 61258620 M: +61 0417820641
Email: kim.holburn_at_anu.edu.au - PGP Public Key on request
Life is complex - It has real and imaginary parts.
Andrea Leistra (rec.arts.sf.written.Robert-jordan)
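
Added example, not part of the original post: a small Python check that turns the `lsof -i` rows above into a per-port, per-transport view of where krb5kdc and kadmind are actually bound, using the ports from the posted kdc.conf and /etc/services. The function names are hypothetical, the sample input is constructed from the post's output, and only plain listener rows (no `->` connected sockets) are assumed.

```python
# Constructed sample: the krb5kdc/kadmind rows of the `lsof -i` output in the post.
LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
krb5kdc 2439 root 8u IPv4 31995 UDP kerberos.mydomain.com:kerberos4
krb5kdc 2439 root 9u IPv4 31996 UDP kerberos.mydomain.com:kerberos
kadmind 2442 root 8u IPv4 32068 TCP *:kerberos-adm (LISTEN)
kadmind 2442 root 9u IPv4 32069 UDP *:464
"""
# Name-to-port mapping taken from the post's `grep ker /etc/services`.
SERVICES = {"kerberos": 88, "kerberos-adm": 749, "kerberos4": 750}
# Ports configured in the post's kdc.conf (kdc_ports = 750,88; kadmind_port = 749).
EXPECTED = {"krb5kdc": [88, 750], "kadmind": [749]}


def parse_lsof(text):
    """Return {(command, proto, bind_address, port)} for each socket row."""
    socks = set()
    for line in text.splitlines()[1:]:
        fields = line.split()
        proto = next((p for p in ("TCP", "UDP") if p in fields), None)
        if proto is None or fields[-1] == proto:
            continue  # not an inet socket row, or NAME column missing
        name = fields[fields.index(proto) + 1]
        addr, _, svc = name.rpartition(":")
        port = int(svc) if svc.isdigit() else SERVICES.get(svc)
        socks.add((fields[0], proto, addr, port))
    return socks


def listener_report(socks):
    """Map each configured (daemon, port) to the addresses bound per transport."""
    report = {}
    for cmd, ports in EXPECTED.items():
        for port in ports:
            report[(cmd, port)] = {
                proto: sorted(a for c, p, a, n in socks
                              if (c, p, n) == (cmd, proto, port))
                for proto in ("TCP", "UDP")
            }
    return report


def would_reach(report, cmd, port, proto, dest):
    """True if a socket of that transport is bound to dest or to the wildcard."""
    bound = report.get((cmd, port), {}).get(proto, [])
    return "*" in bound or dest in bound


if __name__ == "__main__":
    rep = listener_report(parse_lsof(LSOF))
    for (cmd, port), by_proto in sorted(rep.items()):
        print(cmd, port, by_proto)
```

Comparing the destination address and port in the strace `connect()` line against this report shows whether the client's packets are aimed at a socket the daemon has open.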