"Cannot contact any KDC for requested realm" when using ldapsearch

Russ Allbery rra at stanford.edu
Mon Feb 27 01:52:28 EST 2012


Braden McDaniel <braden at endoframe.com> writes:

> I'm trying to configure Kerberos authentication with OpenLDAP.  kinit
> appears to work fine.  However, I get this when using ldapsearch:

>         $ ldapsearch -H ldaps://ldap.endoframe.net -b dc=endoframe,dc=net
>         SASL/GSSAPI authentication started
>         ldap_sasl_interactive_bind_s: Local error (-2)
>         	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Cannot contact any KDC for requested realm)

> krb5kdc.log has entries like this in it:

>         Feb 27 00:23:31 rail.endoframe.net krb5kdc[13220](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: SERVER_NOT_FOUND: braden/admin at ENDOFRAME.NET for kadmin/rail.endoframe.net at ENDOFRAME.NET, Server not found in Kerberos database
>         Feb 27 00:23:31 rail.endoframe.net krb5kdc[13220](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: ISSUE: authtime 1330320211, etypes {rep=18 tkt=18 ses=18}, braden/admin at ENDOFRAME.NET for kadmin/admin at ENDOFRAME.NET

Something rather strange is going on here.  Are you sure that those log
messages correspond to your ldapsearch attempt and not a separate run of
kadmin?

Normally, ldapsearch should be using the ldap/ldap.endoframe.net principal
(or more likely ldap/rail.endoframe.net).  Can you obtain tickets for that
service principal directly using:

   kvno ldap/rail.endoframe.net

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
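Russ's question (do those krb5kdc.log lines belong to the ldapsearch attempt at all, and which service principal is the client asking for?) can be answered mechanically from the KDC log. The following is an added example, not code from the thread or from MIT Kerberos: it parses AS_REQ/TGS_REQ lines of the layout quoted above, reports which service principals the KDC saw requests for, and gives a verdict for the service the bind should have used (ldap/<host>). The sample log is constructed from the two quoted lines plus a hypothetical TGS_REQ line for ldap/rail.endoframe.net; the CNAME mapping passed to `expected_principal` and the realm are assumptions standing in for the DNS canonicalisation a GSSAPI client performs.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample of krb5kdc.log lines. The first two are the AS_REQ lines
# quoted in the thread (the list's "at" munging restored to "@"); the third is
# a hypothetical TGS_REQ of the kind a successful GSSAPI bind to
# ldap/rail.endoframe.net would produce. Realm, host and times are assumptions.
SAMPLE_LOG = """\
Feb 27 00:23:31 rail.endoframe.net krb5kdc[13220](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: SERVER_NOT_FOUND: braden/admin@ENDOFRAME.NET for kadmin/rail.endoframe.net@ENDOFRAME.NET, Server not found in Kerberos database
Feb 27 00:23:31 rail.endoframe.net krb5kdc[13220](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: ISSUE: authtime 1330320211, etypes {rep=18 tkt=18 ses=18}, braden/admin@ENDOFRAME.NET for kadmin/admin@ENDOFRAME.NET
Feb 27 00:25:02 rail.endoframe.net krb5kdc[13220](info): TGS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: ISSUE: authtime 1330320211, etypes {rep=18 tkt=18 ses=18}, braden@ENDOFRAME.NET for ldap/rail.endoframe.net@ENDOFRAME.NET
"""

# One KDC log line: request type, client address, status code, then
# "<client> for <server>" (on ISSUE lines preceded by authtime/etype details).
# Accepts both "user@REALM" and the mailing list's munged "user at REALM".
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): "
    r"(?:.*?, )?(?P<client>\S+(?:@| at )\S+) for (?P<server>\S+(?:@| at )\S+?)(?:,|$)"
)


def parse_kdc_log(text: str) -> List[Dict[str, str]]:
    """Extract kind, addr, status, client and server from each recognised line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            e = m.groupdict()
            # normalise the munged " at " form so callers see real principals
            e["client"] = e["client"].replace(" at ", "@")
            e["server"] = e["server"].replace(" at ", "@")
            events.append(e)
    return events


def primary_of(principal: str) -> str:
    """'ldap/rail.endoframe.net@ENDOFRAME.NET' -> 'ldap'; 'braden@R' -> 'braden'."""
    return principal.split("@", 1)[0].split("/", 1)[0]


def expected_principal(uri: str, canonical: Dict[str, str], realm: str) -> str:
    """Service principal a GSSAPI LDAP client asks for: ldap/<canonical host>@REALM.

    `canonical` stands in for the hostname canonicalisation (CNAME resolution)
    the client library performs, e.g. {"ldap.endoframe.net": "rail.endoframe.net"}
    (constructed mapping, not looked up in DNS).
    """
    host = urlparse(uri).hostname or ""
    return f"ldap/{canonical.get(host, host)}@{realm}"


def diagnose(text: str, service: str = "ldap") -> Tuple[str, List[str]]:
    """Classify what the KDC log says about ticket requests for service/<host>.

    Returns (verdict, server principals involved) with verdict one of:
      NO_REQUEST   - the KDC never saw a request for service/<host>; the lines
                     belong to another client (kadmin here), or the client
                     looked for a KDC of some other realm and never reached this one
      KDC_REJECTED - a request arrived but the KDC refused it
                     (e.g. SERVER_NOT_FOUND: principal missing from the database)
      ISSUED       - a ticket for service/<host> was issued
    """
    events = parse_kdc_log(text)
    hits = [e for e in events if primary_of(e["server"]) == service]
    if not hits:
        return "NO_REQUEST", sorted({e["server"] for e in events})
    issued = [e for e in hits if e["status"] == "ISSUE"]
    if issued:
        return "ISSUED", sorted({e["server"] for e in issued})
    return "KDC_REJECTED", sorted({e["server"] for e in hits})


if __name__ == "__main__":
    want = expected_principal("ldaps://ldap.endoframe.net",
                              {"ldap.endoframe.net": "rail.endoframe.net"},
                              "ENDOFRAME.NET")
    print("client should request:", want)
    print("KDC log verdict:", diagnose(SAMPLE_LOG))
```

Run against only the two lines quoted in the thread, `diagnose` returns `NO_REQUEST` with just the kadmin principals, which is the point of the question: a GSSAPI bind shows up as a TGS_REQ for ldap/<host>, and a log with only kadmin AS_REQs has not recorded the ldapsearch at all. A client-side "Cannot contact any KDC for requested realm" together with no such line on the KDC is consistent with the client having mapped the LDAP host to a realm for which it cannot find a KDC, so the request never arrived here; `kvno ldap/rail.endoframe.net` as suggested above exercises exactly that path in isolation.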