"Cannot contact any KDC for requested realm" when using ldapsearch

Braden McDaniel braden at endoframe.com
Mon Feb 27 00:38:32 EST 2012


I'm trying to configure Kerberos authentication with OpenLDAP.  kinit
appears to work fine.  However, I get this when using ldapsearch:

        $ ldapsearch -H ldaps://ldap.endoframe.net -b dc=endoframe,dc=net
        SASL/GSSAPI authentication started
        ldap_sasl_interactive_bind_s: Local error (-2)
        	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Cannot contact any KDC for requested realm)

krb5kdc.log has entries like this in it:

        Feb 27 00:23:31 rail.endoframe.net krb5kdc[13220](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: SERVER_NOT_FOUND: braden/admin at ENDOFRAME.NET for kadmin/rail.endoframe.net at ENDOFRAME.NET, Server not found in Kerberos database
        Feb 27 00:23:31 rail.endoframe.net krb5kdc[13220](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: ISSUE: authtime 1330320211, etypes {rep=18 tkt=18 ses=18}, braden/admin at ENDOFRAME.NET for kadmin/admin at ENDOFRAME.NET
        Feb 27 00:25:13 rail.endoframe.net krb5kdc[13220](info): TGS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: ISSUE: authtime 1330319881, etypes {rep=18 tkt=18 ses=18}, braden at ENDOFRAME.NET for krbtgt/ENDOFRAME.NET at ENDOFRAME.NET
        Feb 27 00:25:13 rail.endoframe.net krb5kdc[13220](info): TGS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: ISSUE: authtime 1330319881, etypes {rep=18 tkt=18 ses=18}, braden at ENDOFRAME.NET for krbtgt/ENDOFRAME.NET at ENDOFRAME.NET

Obviously, the first one there looks rather suspicious.  But even after
adding (and ktadd'ing) that principal:

        kadmin:  listprincs
        K/M at ENDOFRAME.NET
        braden/admin at ENDOFRAME.NET
        braden at ENDOFRAME.NET
        host/rail.endoframe.net at ENDOFRAME.NET
        kadmin/admin at ENDOFRAME.NET
        kadmin/changepw at ENDOFRAME.NET
        kadmin/history at ENDOFRAME.NET
        kadmin/localhost at ENDOFRAME.NET
        kadmin/rail.endoframe.net at ENDOFRAME.NET
        krbtgt/ENDOFRAME.NET at ENDOFRAME.NET
        ldap/ldap.endoframe.net at ENDOFRAME.NET
        root/admin at ENDOFRAME.NET

… I still get the above entry in the log file.

My krb5.conf looks like this:

        # cat /etc/krb5.conf
        [logging]
         default = FILE:/var/log/krb5libs.log
         kdc = FILE:/var/log/krb5kdc.log
         admin_server = FILE:/var/log/kadmind.log
        
        [libdefaults]
         default_realm = ENDOFRAME.NET
         dns_lookup_realm = true
         dns_lookup_kdc = true
         ticket_lifetime = 24h
         renew_lifetime = 7d
         forwardable = true
        
        [realms]
         ENDOFRAME.NET = {
          admin_server = kerberos.endoframe.net
          kdc = kerberos.endoframe.net
          master_kdc = kerberos
          default_domain = endoframe.net
         }
        
        [domain_realm]
         .endoframe.net = ENDOFRAME.NET
         endoframe.net = ENDOFRAME.NET

"rail" is the name of the machine; "kerberos" and "ldap" are aliases for
it.  These names appear to be resolving correctly:

        [root at rail braden]# ping rail.endoframe.net
        PING rail.endoframe.net (127.0.0.1) 56(84) bytes of data.
        64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=1 ttl=64 time=0.153 ms
        64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=2 ttl=64 time=0.084 ms
        64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=3 ttl=64 time=0.085 ms
        64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=4 ttl=64 time=0.085 ms
        64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=5 ttl=64 time=0.084 ms
        64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=6 ttl=64 time=0.085 ms
        ^C
        --- rail.endoframe.net ping statistics ---
        6 packets transmitted, 6 received, 0% packet loss, time 5000ms
        rtt min/avg/max/mdev = 0.084/0.096/0.153/0.025 ms
        [root at rail braden]# ping kerberos.endoframe.net
        PING rail.endoframe.net (127.0.0.1) 56(84) bytes of data.
        64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=1 ttl=64 time=0.126 ms
        64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=2 ttl=64 time=0.085 ms
        64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=3 ttl=64 time=0.086 ms
        64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=4 ttl=64 time=0.113 ms
        64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=5 ttl=64 time=0.086 ms
        ^C
        --- rail.endoframe.net ping statistics ---
        5 packets transmitted, 5 received, 0% packet loss, time 3999ms
        rtt min/avg/max/mdev = 0.085/0.099/0.126/0.018 ms
        [root at rail braden]# ping ldap.endoframe.net
        PING rail.endoframe.net (127.0.0.1) 56(84) bytes of data.
        64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=1 ttl=64 time=0.123 ms
        64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=2 ttl=64 time=0.083 ms
        64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=3 ttl=64 time=0.081 ms
        64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=4 ttl=64 time=0.119 ms
        64 bytes from rail.endoframe.net (127.0.0.1): icmp_req=5 ttl=64 time=0.085 ms
        ^C
        --- rail.endoframe.net ping statistics ---
        5 packets transmitted, 5 received, 0% packet loss, time 4000ms
        rtt min/avg/max/mdev = 0.081/0.098/0.123/0.019 ms

So, where should I be looking to resolve this issue?

-- 
Braden McDaniel <braden at endoframe.com>
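For readers following the thread: the "Cannot contact any KDC for requested realm" path depends on which realm libkrb5 derives for the LDAP host from [domain_realm] and which KDCs it then finds in [realms]. The script below is an added, simplified model of that lookup order (it is not the poster's code and not MIT krb5's), run over a constructed krb5.conf in the shape of the one quoted above; the function names and the sample are assumptions for illustration.

```python
# Added example (not from the post or MIT krb5): a simplified model of how libkrb5
# maps a service host to its realm and KDCs, run over a constructed krb5.conf sample.
SAMPLE_KRB5_CONF = """[libdefaults]
 default_realm = ENDOFRAME.NET
 dns_lookup_kdc = true
[realms]
 ENDOFRAME.NET = {
  kdc = kerberos.endoframe.net
 }
[domain_realm]
 .endoframe.net = ENDOFRAME.NET
"""


def parse_krb5_conf(text):
    """{section: {key: value | {subkey: [values]}}}; handles one level of { } nesting."""
    conf, section, block = {}, None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None                                   # end of a realm stanza
        elif "=" in line and line[0] not in "#;" and section is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})        # e.g. ENDOFRAME.NET = {
            elif block is not None:
                block.setdefault(key, []).append(value)    # kdc may repeat
            else:
                section[key] = value
    return conf


def realm_for_host(host, conf):
    """[domain_realm] lookup: exact host, then each parent domain with a leading dot; None if unmapped."""
    mapping = conf.get("domain_realm", {})
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        key = ".".join(labels[i:]) if i == 0 else "." + ".".join(labels[i:])
        if key in mapping:
            return mapping[key]
    return None  # libkrb5 would then fall back to DNS or the uppercased parent domain


def kdcs_for_realm(realm, conf):
    """(kdc entries from [realms], SRV name libkrb5 queries only when that list is empty)"""
    kdcs = list(conf.get("realms", {}).get(realm, {}).get("kdc", []))
    dns = conf.get("libdefaults", {}).get("dns_lookup_kdc", "").lower() == "true"
    return kdcs, ("_kerberos._udp." + realm if dns and not kdcs else None)
```

A host outside every [domain_realm] suffix returns None, and a realm with no kdc lines is where the SRV query would happen, so both cases are worth checking against the real /etc/krb5.conf when a GSSAPI bind fails while kinit succeeds.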
