CentOS attempting to set up Kerberos 5-tickets created & destroyed successfully, now an issue

Tim Mooney mooney at dogbert.cc.ndsu.NoDak.edu
Thu Mar 20 12:16:51 EDT 2008


In regard to: Re: CentOS attempting to set up Kerberos 5-tickets created & ...:

> Unfortunately I've hung at this point.  Both my server and client
> machines are now configured to do an /etc/hosts lookup before
> attempting DNS and resolve each other perfectly.  My server machine
> has the kdc running on port 88, verified in /etc/services, and
> kerberos admin running on 749.  Yet when I attempt to execute kadmin
> on my client machine, even specifying the server on the command line,
> I'm receiving the following error:
>
> linuxdamon:~$ kadmin -p dgets/admin -s kdc.mydomain.com
> Authenticating as principal dgets/admin at MYDOMAIN.COM with password.
> kadmin: Cannot contact any KDC for requested realm while initializing
> kadmin interface
>
> I have copied /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf from
> the server machine to my ubuntu client.  I'm pretty sure I only needed
> the kdc.conf transferred over,

Actually, you only needed /etc/krb5.conf.  The kdc.conf is only needed
on the KDC servers.  The krb5.conf is needed everywhere, including the
KDC servers.

There's lots of good stuff that could go into a krb5.conf, but at a
minimum you probably want your krb5.conf to contain (on all hosts,
including your KDCs) a [libdefaults] section with a default_realm
statement, and a [realms] section that specifies all the realms your
systems need to know about.  If your krb5 realm name is MYDOMAIN.COM,
your krb5.conf should look something like

[libdefaults]
    default_realm = MYDOMAIN.COM

[realms]
    MYDOMAIN.COM = {
        kdc = kdc.mydomain.com:88
        kdc = backupkdc.mydomain.com:88
        admin_server = kdc.mydomain.com:749
        default_domain = mydomain.com
    }

[domain_realm]
    .mydomain.com = MYDOMAIN.COM
    .subnet1.mydomain.com = MYDOMAIN.COM
    .subnet2.mydomain.com = MYDOMAIN.COM

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log


(If you only need to know about the one realm MYDOMAIN.COM, you don't
need the domain_realm section at all, as the default_realm statement
should take care of everything.)

If your kadmin client still can't contact your KDC after populating
the krb5.conf on the client, then you likely have some other issue.
Use strace on the client to verify that the client is actually trying
the right server and port, and make sure you don't have a firewall or
SELinux messing things up for you.

Tim
-- 
Tim Mooney                              mooney at dogbert.cc.ndsu.NoDak.edu
Information Technology Services         (701) 231-1076 (Voice)
Room 242-J6, IACC Building              (701) 231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
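As an added example (not from the original post or from MIT Kerberos), here is a small Python script that reads a krb5.conf like the one above, pulls the kdc and admin_server endpoints for the default realm, and tries a TCP connect to each; it is a quicker first check than strace when kadmin reports "Cannot contact any KDC". The embedded config and hostnames are constructed from the message, and the parser handles only the subset of krb5.conf syntax shown there.

```python
import socket
# Constructed sample: the krb5.conf shown in the message (placeholder hostnames).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = MYDOMAIN.COM
[realms]
    MYDOMAIN.COM = {
        kdc = kdc.mydomain.com:88
        kdc = backupkdc.mydomain.com:88
        admin_server = kdc.mydomain.com:749
    }
"""

def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; 'NAME = { ... }' blocks become nested dicts."""
    sections, section, block = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments; blank lines match nothing
        if line.startswith("[") and line.endswith("]"):
            section, block = sections.setdefault(line[1:-1], {}), None
        elif line.endswith("{"):                  # e.g. "MYDOMAIN.COM = {"
            block = section.setdefault(line[:-1].split("=", 1)[0].strip(), {})
        elif line == "}":
            block = None
        elif "=" in line:                         # repeated keys (several kdc =) accumulate
            key, value = (s.strip() for s in line.split("=", 1))
            (block if block is not None else section).setdefault(key, []).append(value)
    return sections

def realm_endpoints(conf, realm=None):
    """List (role, host, port) for a realm's kdc/admin_server entries (default realm if None)."""
    realm = realm or conf["libdefaults"]["default_realm"][0]
    out = []
    for role, default_port in {"kdc": 88, "admin_server": 749}.items():  # ports if none given
        for entry in conf["realms"][realm].get(role, []):
            host, _, port = entry.partition(":")
            out.append((role, host, int(port) if port else default_port))
    return out

def probe(endpoints, timeout=3.0):
    """TCP-connect to each endpoint -> {(role, host, port): reachable}.  kadmin uses TCP 749;
    an old KDC may serve only UDP 88, so a failed TCP connect to 88 alone is not conclusive."""
    result = {}
    for ep in endpoints:
        try:
            with socket.create_connection(ep[1:], timeout=timeout):
                result[ep] = True
        except OSError:
            result[ep] = False
    return result
```

On a real client, pass the contents of /etc/krb5.conf to parse_krb5_conf() and feed realm_endpoints() to probe(); an unreachable admin_server is the symptom behind the kadmin error quoted above, and a firewall or SELinux block shows up the same way.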