krb5 1.6 beta 3 on Debian Lenny : kinit(v5): Cannot resolve network address for KDC in realm

Søren Grønning Iversen s.groening at gmail.com
Fri Apr 11 15:20:52 EDT 2008


I have a standing issue where I am unable to kinit to get my Krb5 TGT 
locally on the KDC, but have no problems doing the same on one of my 
client machines. I don't care too much about this issue for as long as 
we talk Kerberos credentials on the server itself; however, I am really 
puzzled by this behaviour ...

Whenever I execute: kinit <user>   I get:

kinit(v5): Cannot resolve network address for KDC in realm EXAMPLE.COM while getting initial credentials

My /etc/resolv.conf looks like this:

domain example.com
search example.com
nameserver 127.0.0.1

My /etc/hostname looks like this:

127.0.0.1   localhost

My /etc/krb5.conf looks like this:

[libdefaults]
    default_realm = EXAMPLE.COM
    ticket_lifetime = 12h
    renew_lifetime = 7d
    dns_fallback = no
    kdc_timesync = 3
    ccache_type = 4
    renewable = true
    forwardable = true
    forward = true
    proxiable = true
    noaddresses = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.

#    default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
#    default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
#    permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5

[appdefaults]

[realms]
    EXAMPLE.COM = {
        kdc = host.example.com:88
        admin_server = host.example.com:749
        database_module = openldap_ldapconf
        default_domain = example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

[dbdefaults]
    ldap_kerberos_container_dn = "ou=Kerberos,dc=example,dc=com"

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_kerberos_container_dn = "ou=Kerberos,dc=example,dc=com"
        db_module_dir = /usr/lib/krb5/plugins/kdb
        # this object needs to have read rights on
        # the realm container, principal container and realm sub-trees
        ldap_kdc_dn = "cn=kdc,ou=Kerberos,dc=example,dc=com"
        # this object needs to have read and write rights on
        # the realm container, principal container and realm sub-trees
        ldap_kadmind_dn = "cn=kadmin,ou=Kerberos,dc=example,dc=com"
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        ldap_servers = ldapi://
        ldap_conns_per_server = 32
    }

[logging]
    kdc = SYSLOG:INFO
    admin_server = FILE=/var/lib/krb5kdc/kadm5.log

[login]
        krb4_convert = true
        krb4_get_tickets = false


My /etc/krb5kdc/kdc.conf looks like this:

[kdcdefaults]

[realms]
    EXAMPLE.COM = {
        kadmin_port = 749
        kdc_timesync = 1
        ccache_type = 4
        renewable = yes
        forwardable = true
        forward = true
        proxiable = true
        noaddresses = true
        max_life = 12h
        max_renew_life = 14d
    }

[logging]
    kdc = SYSLOG:INFO
    admin_server = FILE=/var/lib/krb5kdc/kadm5.log


Both forward and reverse DNS lookups work as they are supposed to, and 
hostname returns 'host', hostname -d returns 'example.com' and 
hostname -f returns 'host.example.com'.

Everything which relates to this particular error message seems to be 
related to name resolving, which is no problem at all - it even works 
correctly from my clients ...

Does anyone have a shred of wisdom that'd be able to point me in the 
right direction?

Best,

-Søren G.
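
An added diagnostic sketch for the error above (not part of the original post, and not MIT krb5 code): it lists the kdc entries a realm has under [realms] and tries to resolve each one, so it can be run on the machine where kinit fails and compared with a working client. The parsing is a simplified assumption rather than the library's own profile parser, and realm_kdcs and check_kdcs are hypothetical names.

```python
import re
import socket

def realm_kdcs(conf_text, realm):
    """Return the 'kdc = host[:port]' values listed for realm under [realms]."""
    section, in_realm, kdcs = None, False, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, in_realm = header.group(1), False
            continue
        if section != "realms":
            continue
        if line.startswith("}"):
            in_realm = False
        elif re.fullmatch(re.escape(realm) + r"\s*=\s*\{", line):
            in_realm = True
        elif in_realm:
            key, _, value = line.partition("=")
            if key.strip() == "kdc":
                kdcs.append(value.strip())
    return kdcs

def check_kdcs(conf_text, realm, resolve=socket.getaddrinfo):
    """Map each configured KDC entry to its addresses, or to the resolver error."""
    results = {}
    for entry in realm_kdcs(conf_text, realm):
        host, _, port = entry.partition(":")  # assumes hostnames, not IPv6 literals
        try:
            infos = resolve(host, int(port or 88), type=socket.SOCK_DGRAM)
            results[entry] = sorted({info[4][0] for info in infos})
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            results[entry] = f"unresolved: {exc}"
    return results

# Constructed sample: the [realms] stanza from the krb5.conf quoted above.
SAMPLE = """
[realms]
    EXAMPLE.COM = {
        kdc = host.example.com:88
        admin_server = host.example.com:749
    }
"""

if __name__ == "__main__":
    print(check_kdcs(SAMPLE, "EXAMPLE.COM"))
```

An empty result means no kdc entry was found for that realm name; an "unresolved" value means the local resolver could not map the configured host.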