kinit: Cannot contact any KDC for requested realm while getting initial credentials
Jeremy Thomas Hunt
jeremyh at optimation.com.au
Wed Mar 29 17:32:55 EST 2006
Celia Clark wrote:
> Hi,
>
> I am having problems with using kinit, with keytab and username/password.
>
> When issuing the kinit command I get the following error:
> kinit: Cannot contact any KDC for requested realm while getting initial
> credentials
> There is a firewall between the webservers where I issue the command from
> and the domain controller.
> The webservers are able to connect to the domain controller on port 88 over
> UDP.
>
> The webservers are able to resolve themselves and the domain controller,
> both forward and reverse lookup.
>
> Do any of you guys out there have an idea of what is going wrong?
>
> Many thanks,
>
> Celia
>
>
You do not say if this is a new or updated webserver, or one that has
just stopped working. I assume the former.

Do the webservers work without the firewall? Can you test this by moving
the webserver to the other side of the firewall (where it is not exposed
to the outside world)?

If so, when it is back in place do you have access to the logs of
dropped packets? Generally a firewall administrator can monitor dropped
packets while you do a kinit command.

If not, it is probably a configuration file issue. I suggest you check
that your default realm is defined in the libdefaults section of your
krb5.conf and that there is a matching realm section with a kdc defined,
or that the kdc name as it appears in the krb5.conf is resolvable from
your DNS on the webserver. Otherwise, if you have a previously working
webserver, check that all its configuration files match those of this
new one.

I hope that helps,
Jeremy
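
The krb5.conf checks suggested in the reply above, as an added example that is not part of the original post: it reads the default realm from [libdefaults], looks for a matching [realms] entry with a kdc, and tries to resolve each kdc name. The function names and the sample file contents are constructed for illustration.

```python
import socket

# Constructed sample: the [realms] key differs in case from default_realm,
# so the default realm has no matching entry (realm names are case-sensitive).
SAMPLE = """
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    example.com = {
        kdc = dc1.example.com:88
    }
"""

def parse_krb5(text):
    """Return (libdefaults dict, {realm: [kdc, ...]}) from krb5.conf text."""
    libdefaults, realms, section, realm = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("["):             # section header, e.g. [realms]
            section, realm = line.strip("[]"), None
        elif line == "}":                    # end of a realm block
            realm = None
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key] = val
            elif section == "realms" and val == "{":
                realm = key
                realms[realm] = []
            elif section == "realms" and realm and key == "kdc":
                realms[realm].append(val)
    return libdefaults, realms

def check(text, resolve=socket.gethostbyname):
    """List the problems found; an empty list means none of these checks failed."""
    libdefaults, realms = parse_krb5(text)
    default = libdefaults.get("default_realm")
    if not default:
        return ["no default_realm in [libdefaults]"]
    if not realms.get(default):
        return [f"no kdc defined for realm {default} in [realms]"]
    problems = []
    for kdc in realms[default]:
        try:
            resolve(kdc.rsplit(":", 1)[0])   # drop an optional :port suffix
        except OSError:
            problems.append(f"kdc {kdc} does not resolve")
    return problems
```

To check a real host, pass the contents of its krb5.conf to check(). A missing [realms] entry is not fatal where KDCs are located through DNS SRV records; this sketch covers only the static configuration the reply describes.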