Help: Cannot contact any KDC for requested realm

Benjamin Kaduk kaduk at MIT.EDU
Mon Jun 24 14:29:09 EDT 2013


On Mon, 24 Jun 2013, Lee Eric wrote:

> Hi,
>
> I use mod_auth_kerb in Apache for SSO. Here's auth_kerb.conf contents.
>
> LoadModule auth_kerb_module modules/mod_auth_kerb.so
>
> <Location /opendcim>
>  SSLRequireSSL
>  AuthType Kerberos
>  AuthName "Kerberos Login"
>  KrbMethodNegotiate On
>  KrbMethodK5Passwd On
>  KrbAuthRealms FOOBAR.COM
>  KrbVerifyKDC On
>  Krb5KeyTab /etc/httpd/HTTP-ibm-x3250m3-2.foobar.com.keytab
>  require valid-user
> </Location>
>
> And here's /etc/krb5.conf:
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = FOOBAR.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> FOOBAR.COM = {
>  kdc = kerberos.foobar.com:88
>  admin_server = kerberos.foobar.com:749
> }
>
> [domain_realm]
> foobar.com = FOOBAR.COM
> .foobar.com = FOOBAR.COM
> [appdefaults]
> pam = {
>   debug = false
>   ticket_lifetime = 36000
>   renew_lifetime = 36000
>   forwardable = true
>   krb4_convert = false
> }
>
> foobar.com is a pseudo domain name in my testing env. When the user
> accesses foobar.com/opendcim, it prompts with a username and password
> window. However, after the user's input it prompts with that window again.
> I checked the log in ssl_error_log and found the following details.
>
> [Mon Jun 24 12:29:24 2013] [error] [client 192.168.122.6]
> krb5_get_init_creds_password() failed: Cannot contact any KDC for
> requested realm
>
> But user can get his principal in the server by kinit w/o any issue.

Is the user running kinit on the machine hosting foobar.com/opendcim, or 
some other machine?  If they are different machines, the kinit success 
does not say very much; it is the webserver machine which is failing to 
contact the KDC.

-Ben Kaduk
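
An added example, not part of the original thread: a check to run on the web server host itself, which reads the `kdc` entries for a realm from krb5.conf (needed here because `dns_lookup_kdc = false`) and reports whether each one resolves and accepts a TCP connection. The function names `kdcs_for_realm` and `probe` are hypothetical, and the sample config is constructed from the stanza quoted above.

```python
import re
import socket

# Constructed sample mirroring the [realms] stanza quoted in the post.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = FOOBAR.COM
[realms]
 FOOBAR.COM = {
  kdc = kerberos.foobar.com:88
  admin_server = kerberos.foobar.com:749
 }
"""

def kdcs_for_realm(conf_text, realm):
    """Return [(host, port)] per 'kdc =' line; assumes host or host:port."""
    section, in_realm, found = None, False, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, in_realm = header.group(1), False
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if section != "realms":
            continue
        if value == "{":                      # start of a realm stanza
            in_realm = key == realm
        elif line == "}":
            in_realm = False
        elif in_realm and key == "kdc":
            host, _, port = value.partition(":")
            found.append((host, int(port or 88)))
    return found

def probe(host, port, timeout=3.0):
    """Resolve and TCP-connect; report which step failed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "ok"
    except socket.gaierror as exc:            # name did not resolve
        return f"dns-failed: {exc}"
    except OSError as exc:                    # refused, unreachable, timeout
        return f"connect-failed: {exc}"

if __name__ == "__main__":
    for h, p in kdcs_for_realm(open("/etc/krb5.conf").read(), "FOOBAR.COM"):
        print(h, p, probe(h, p))
```

The probe uses TCP only; Kerberos clients may also use UDP port 88, which this does not test.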

