krb5 1.6 beta 3 on Debian Lenny : kinit(v5): Cannot resolve network address for KDC in realm
Søren Grønning Iversen
s.groening at gmail.com
Fri Apr 11 15:20:52 EDT 2008
I have an issue standing, where I am unable to kinit to get my Krb5 TGT
locally on the KDC, but have no problems doing the same on one of my
client machines. I don't care too much about this issue for as long as
we talk Kerberos credentials on the server itself, however I am really
puzzled by this behaviour ...
Whenever I execute: kinit <user> I get:
kinit(v5): Cannot resolve network address for KDC in realm EXAMPLE.COM
while getting initial credentials
My /etc/resolv.conf looks like this:
domain example.com
search example.com
nameserver 127.0.0.1
My /etc/hostname looks like this:
127.0.0.1 localhost
My /etc/krb5.conf looks like this:
[libdefaults]
default_realm = EXAMPLE.COM
ticket_lifetime = 12h
renew_lifetime = 7d
dns_fallback = no
kdc_timesync = 3
ccache_type = 4
renewable = true
forwardable = true
forward = true
proxiable = true
noaddresses = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
# default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
# default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
# permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
[appdefaults]
[realms]
EXAMPLE.COM = {
kdc = host.example.com:88
admin_server = host.example.com:749
database_module = openldap_ldapconf
default_domain = example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[dbdefaults]
ldap_kerberos_container_dn = "ou=Kerberos,dc=example,dc=com"
[dbmodules]
openldap_ldapconf = {
db_library = kldap
ldap_kerberos_container_dn = "ou=Kerberos,dc=example,dc=com"
db_module_dir = /usr/lib/krb5/plugins/kdb
# this object needs to have read rights on
# the realm container, principal container and realm sub-trees
ldap_kdc_dn = "cn=kdc,ou=Kerberos,dc=example,dc=com"
# this object needs to have read and write rights on
# the realm container, principal container and realm sub-trees
ldap_kadmind_dn = "cn=kadmin,ou=Kerberos,dc=example,dc=com"
ldap_service_password_file = /etc/krb5kdc/service.keyfile
ldap_servers = ldapi://
ldap_conns_per_server = 32
}
[logging]
kdc = SYSLOG:INFO
admin_server = FILE=/var/lib/krb5kdc/kadm5.log
[login]
krb4_convert = true
krb4_get_tickets = false
My /etc/krb5kdc/kdc.conf looks like this:
[kdcdefaults]
[realms]
EXAMPLE.COM = {
kadmin_port = 749
kdc_timesync = 1
ccache_type = 4
renewable = yes
forwardable = true
forward = true
proxiable = true
noaddresses = true
max_life = 12h
max_renew_life = 14d
}
[logging]
kdc = SYSLOG:INFO
admin_server = FILE=/var/lib/krb5kdc/kadm5.log
Both forward and reverse DNS lookups work as supposed to and hostname
returns 'host', hostname -d returns 'example.com' and hostname -f
returns 'host.example.com'
Everything which relates to this particular error message seems to be
related to name resolving, which is no problem at all - it even works
correctly from my clients ...
Does anyone have a shred of wisdom that'd be able to point me in the
right direction?
Best,
-Søren G.
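
Added example, not part of the original post: a Python check that reads the kdc entries for a realm from krb5.conf text and resolves each one through getaddrinfo, so /etc/hosts and the nsswitch ordering apply, unlike dig or host, which query DNS directly. The function names and the sample text are constructed for illustration, and kdc values are assumed to have the form hostname[:port].

```python
import re
import socket

# Constructed sample mirroring the [realms] stanza quoted in the post.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = host.example.com:88
admin_server = host.example.com:749
}
"""

def kdc_entries(conf_text, realm):
    """Return (host, port) for every 'kdc =' line inside the realm's stanza."""
    entries, section, in_realm = [], None, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                # new top-level section
            section, in_realm = m.group(1), False
        elif section == "realms" and re.fullmatch(re.escape(realm) + r"\s*=\s*\{", line):
            in_realm = True
        elif line == "}":
            in_realm = False
        elif in_realm:
            key, _, value = (p.strip() for p in line.partition("="))
            if key == "kdc":
                host, _, port = value.partition(":")
                entries.append((host, int(port or 88)))  # 88 is the Kerberos port
    return entries

def resolve_kdcs(conf_text, realm, resolver=socket.getaddrinfo):
    """Map 'host:port' to its sorted addresses, or to an 'unresolvable' message."""
    results = {}
    for host, port in kdc_entries(conf_text, realm):
        try:
            infos = resolver(host, port, type=socket.SOCK_DGRAM)
            results[f"{host}:{port}"] = sorted({info[4][0] for info in infos})
        except socket.gaierror as exc:       # the failure class behind the kinit error
            results[f"{host}:{port}"] = f"unresolvable: {exc}"
    return results

if __name__ == "__main__":
    with open("/etc/krb5.conf") as fh:
        for target, outcome in resolve_kdcs(fh.read(), "EXAMPLE.COM").items():
            print(target, "->", outcome)
```

Run on the KDC and on a working client, a difference in output shows whether the two machines resolve the configured KDC name differently at the libc level.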