kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting initial credentials

Thomas Schweikle tps at vr-web.de
Tue Jan 25 11:54:16 EST 2011


Hi!

I have set up a Kerberos server srv.example.com. This server has
address 192.168.180.30. Address resolution works fine on the server
and client:

srv.example.com:
# host srv
srv.example.com has address 192.168.180.30
# host 192.168.180.30
30.180.168.192.in-addr.arpa domain name pointer srv.example.com.
# host client
client.example.com has address 192.168.180.6
# host 192.168.180.6
6.180.168.192.in-addr.arpa domain name pointer client.example.com
#

client.example.com:
# host srv
srv.example.com has address 192.168.180.30
# host 192.168.180.30
30.180.168.192.in-addr.arpa domain name pointer srv.example.com.
# host client
client.example.com has address 192.168.180.6
# host 192.168.180.6
6.180.168.192.in-addr.arpa domain name pointer client.example.com
#

Now from the server:
# kinit user
kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting
initial credentials

and from the client:
# kinit user
kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting
initial credentials

I am a bit lost as to what's going on here. In /etc/krb5.conf I have:
[libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_kdc = true
        dns_lookup_realm = true

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

[realms]
        EXAMPLE.COM = {
                kdc = srv.example.com
                admin_server = srv.example.com
                default_domain = example.com
        }

[domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM

[login]
        krb4_convert = true
        krb4_get_tickets = false

[logging]
        default = FILE:/var/log/kerberos/krb5lib.log

The DNS server returns for SRV queries:
# host -t srv _kerberos._tcp.example.com
_kerberos._tcp.example.com has SRV record 0 5 88 srv.example.com.

I'm a bit lost now. Turning dns_lookup_kdc on/off doesn't help.
kinit just keeps telling me it could not contact any KDC for this
realm (EXAMPLE.COM).

Any ideas?

-- 
Thomas
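
An added example, not part of the original post: a Python script that lists the KDC endpoints configured for a realm in krb5.conf and tests whether each one accepts a TCP connection. The embedded config is excerpted from the post; the function names are hypothetical, and the default port 88 is the one shown in the SRV record above. It checks TCP only, since a UDP request gives no connection-level answer.

```python
import re
import socket

# krb5.conf excerpt copied from the post above.
KRB5_CONF = """\
[libdefaults]
        default_realm = EXAMPLE.COM

[realms]
        EXAMPLE.COM = {
                kdc = srv.example.com
                admin_server = srv.example.com
        }
"""

def kdc_endpoints(conf_text, realm, default_port=88):
    """Return [(host, port)] for each 'kdc =' entry of `realm` in [realms].
    Assumes 'REALM = {' sits on one line; IPv6 literals are not handled."""
    section, in_realm, found = None, False, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, in_realm = header.group(1), False
        elif section != "realms":
            continue
        elif re.fullmatch(re.escape(realm) + r"\s*=\s*\{", line):
            in_realm = True
        elif line.startswith("}"):
            in_realm = False
        elif in_realm:
            key, _, value = (p.strip() for p in line.partition("="))
            if key == "kdc":
                host, _, port = value.partition(":")
                found.append((host, int(port) if port else default_port))
    return found

def tcp_reachable(host, port, timeout=3.0):
    """Return (True, 'ok') if host:port accepts a TCP connection, else (False, reason)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "ok"
    except OSError as exc:                   # refused, timed out, name not resolved
        return False, str(exc)

if __name__ == "__main__":
    for host, port in kdc_endpoints(KRB5_CONF, "EXAMPLE.COM"):
        print(host, port, *tcp_reachable(host, port))
```

A "connection refused" result means the host is up but nothing is listening on that port, while a timeout points at filtering or routing between client and KDC.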
