"Cannot contact any KDC for requested realm" when using ldapsearch
Russ Allbery
rra at stanford.edu
Mon Feb 27 01:52:28 EST 2012
Braden McDaniel <braden at endoframe.com> writes:
> I'm trying to configure Kerberos authentication with OpenLDAP. kinit
> appears to work fine. However, I get this when using ldapsearch:
> $ ldapsearch -H ldaps://ldap.endoframe.net -b dc=endoframe,dc=net
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for requested realm)
> krb5kdc.log has entries like this in it:
> Feb 27 00:23:31 rail.endoframe.net krb5kdc[13220](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: SERVER_NOT_FOUND: braden/admin at ENDOFRAME.NET for kadmin/rail.endoframe.net at ENDOFRAME.NET, Server not found in Kerberos database
> Feb 27 00:23:31 rail.endoframe.net krb5kdc[13220](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: ISSUE: authtime 1330320211, etypes {rep=18 tkt=18 ses=18}, braden/admin at ENDOFRAME.NET for kadmin/admin at ENDOFRAME.NET
Something rather strange is going on here. Are you sure that those log
messages correspond to your ldapsearch attempt and not a separate run of
kadmin?
Normally, ldapsearch should be using the ldap/ldap.endoframe.net principal
(or more likely ldap/rail.endoframe.net). Can you obtain tickets for that
service principal directly using:
kvno ldap/rail.endoframe.net
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
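To check the point above against a KDC log, here is an added example (not part of the thread): a small Python parser for krb5kdc.log request lines, run over constructed sample lines modelled on the two quoted above (the KDC writes "@" where the archived mail shows " at "). It extracts which service principal each AS_REQ/TGS_REQ was for, so one can see that both entries are kadmin requests and that no request for an ldap/ principal reached the KDC.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, modelled on the krb5kdc.log entries quoted in the thread.
SAMPLE_LOG = """\
Feb 27 00:23:31 rail.endoframe.net krb5kdc[13220](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: SERVER_NOT_FOUND: braden/admin@ENDOFRAME.NET for kadmin/rail.endoframe.net@ENDOFRAME.NET, Server not found in Kerberos database
Feb 27 00:23:31 rail.endoframe.net krb5kdc[13220](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: ISSUE: authtime 1330320211, etypes {rep=18 tkt=18 ses=18}, braden/admin@ENDOFRAME.NET for kadmin/admin@ENDOFRAME.NET
"""

# request type, client address, result code, client principal, server principal
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<addr>\S+): "
    r"(?P<result>[A-Z_]+): .*?(?P<client>\S+@\S+) for (?P<server>[^\s,]+)"
)


@dataclass
class KdcRequest:
    req_type: str     # AS_REQ or TGS_REQ
    client_addr: str  # address the request came from
    result: str       # ISSUE, SERVER_NOT_FOUND, ...
    client: str       # requesting principal
    server: str       # service principal the ticket was requested for

    @property
    def service(self) -> str:
        """Service component of the server principal, e.g. 'kadmin' or 'ldap'."""
        return self.server.split("/", 1)[0]


def parse_kdc_log(text: str) -> list[KdcRequest]:
    """Return one KdcRequest per AS_REQ/TGS_REQ line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            entries.append(KdcRequest(m["req"], m["addr"], m["result"], m["client"], m["server"]))
    return entries


def services_requested(entries: list[KdcRequest]) -> set[str]:
    """Distinct service names (the part before '/') the KDC was asked for."""
    return {e.service for e in entries}


def requests_for_service(entries: list[KdcRequest], service: str) -> list[KdcRequest]:
    """Requests for a given service, e.g. 'ldap' for the ldapsearch GSSAPI bind."""
    return [e for e in entries if e.service == service]


if __name__ == "__main__":
    parsed = parse_kdc_log(SAMPLE_LOG)
    for e in parsed:
        print(f"{e.req_type} {e.result:17} {e.client} -> {e.server}")
    print("services seen:", sorted(services_requested(parsed)))
    print("ldap requests:", len(requests_for_service(parsed, "ldap")))
```

An empty `ldap` result alongside kadmin entries means the log lines belong to a kadmin run, not to the failing ldapsearch, which is exactly what the reply suspects.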