kinit cannot resolve network address

Jeffrey Hutzelman jhutz at cmu.edu
Tue May 9 16:31:46 EDT 2006 


On Tuesday, May 09, 2006 03:49:35 PM -0400 Gwen Parker 
<gwen.l.parker at duke.edu> wrote:

> [libdefaults]
>         default_realm = dcri.duke.net
>
>
> [realms]
>         dcri.duke.net = {
>#       kdc = vmsodium.dcri.duke.net
>         kdc = 10.0.101.65
>         }

Kerberos realm names are case-sensitive.  "dcri.duke.net" and 
"DCRI.DUKE.NET" are not the same realm name.  The problem here is that you 
are trying to get tickets for admin at DCRI.DUKE.NET, and since there is no 
entry in your krb5.conf for that realm, the library tries to use the DNS to 
find a KDC for that realm.  You haven't indicated what Kerberos you're 
using or how new it is, but the most likely scenario is that it's looking 
for SRV records for _kerberos._tcp.dcri.duke.net and/or 
_kerberos._udp.dcri.duke.net, possibly followed by falling back to the 
traditional KDC hostname of kerberos.dcri.duke.net.  If it can't find any 
of these, it fails.

The solution is to fix your krb5.conf to use the correct, uppercase realm 
name.



> [domain_realms]
>         .kerberos.server = dcri.duke.net

I don't think this does what you think.  The line above says that any host 
whose name ends in .kerberos.server belongs to the dcri.duke.net domain. 
Unless you have hosts whose names end in .kerberos.server, which seems 
rather unlikely, this line is doing nothing useful for you.  Assuming that 
things in both dcri.duke.edu and dcri.duke.net belong to the DCRI.DUKE.NET 
realm, you want lines like these:

    .dcri.duke.edu = DCRI.DUKE.NET
    .dcri.duke.net = DCRI.DUKE.NET
    dcri.duke.edu = DCRI.DUKE.NET
    dcri.duke.net = DCRI.DUKE.NET

(the last two lines handle the two machines whose names _are_ dcri.duke.edu 
and dcri.duke.net, rather than being below those domains.  If no such 
machines exist, you don't need those lines).


-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA

More information about the Kerberos mailing list