Help: Cannot contact any KDC for requested realm
Lee Eric
openlinuxsource at gmail.com
Mon Jun 24 09:26:46 EDT 2013
Hi,
I use mod_auth_kerb in Apache for SSO. Here are the contents of auth_kerb.conf:
LoadModule auth_kerb_module modules/mod_auth_kerb.so
<Location /opendcim>
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms FOOBAR.COM
    KrbVerifyKDC On
    Krb5KeyTab /etc/httpd/HTTP-ibm-x3250m3-2.foobar.com.keytab
    require valid-user
</Location>
And here's /etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = FOOBAR.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
FOOBAR.COM = {
    kdc = kerberos.foobar.com:88
    admin_server = kerberos.foobar.com:749
}
[domain_realm]
foobar.com = FOOBAR.COM
.foobar.com = FOOBAR.COM
[appdefaults]
pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
}
foobar.com is a pseudo domain name in my testing env. When the user
accesses foobar.com/opendcim, it prompts with a username and password
window. However, after the user's input it prompts with that window again.
I checked the log in ssl_error_log and found the following details.
[Mon Jun 24 12:29:24 2013] [error] [client 192.168.122.6]
krb5_get_init_creds_password() failed: Cannot contact any KDC for
requested realm
But the user can get his principal on the server with kinit w/o any issue.
Any idea?
Thanks.
Eric