Help: Cannot contact any KDC for requested realm

Lee Eric openlinuxsource at gmail.com
Tue Jun 25 00:17:00 EDT 2013


Hi,

The user did not run kinit, because when the user accesses the website it
prompts the user to input a Kerberos username/password. On the web
server, kinit works well.

Do you have any idea?

Thanks.

On Tue, Jun 25, 2013 at 2:29 AM, Benjamin Kaduk <kaduk at mit.edu> wrote:
> On Mon, 24 Jun 2013, Lee Eric wrote:
>
>> Hi,
>>
>> I use mod_auth_kerb in Apache for SSO. Here's auth_kerb.conf contents.
>>
>> LoadModule auth_kerb_module modules/mod_auth_kerb.so
>>
>> <Location /opendcim>
>>  SSLRequireSSL
>>  AuthType Kerberos
>>  AuthName "Kerberos Login"
>>  KrbMethodNegotiate On
>>  KrbMethodK5Passwd On
>>  KrbAuthRealms FOOBAR.COM
>>  KrbVerifyKDC On
>>  Krb5KeyTab /etc/httpd/HTTP-ibm-x3250m3-2.foobar.com.keytab
>>  require valid-user
>> </Location>
>>
>> And here's /etc/krb5.conf:
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm = FOOBAR.COM
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> ticket_lifetime = 24h
>> forwardable = yes
>>
>> [realms]
>> FOOBAR.COM = {
>>  kdc = kerberos.foobar.com:88
>>  admin_server = kerberos.foobar.com:749
>> }
>>
>> [domain_realm]
>> foobar.com = FOOBAR.COM
>> .foobar.com = FOOBAR.COM
>>
>> [appdefaults]
>> pam = {
>>   debug = false
>>   ticket_lifetime = 36000
>>   renew_lifetime = 36000
>>   forwardable = true
>>   krb4_convert = false
>> }
>>
>> foobar.com is a pseudo domain name in my testing env. When the user
>> accesses foobar.com/opendcim it prompts a username and password
>> window. However, after the user's input it prompts that window again.
>> I checked the ssl_error_log and found the following details.
>>
>> [Mon Jun 24 12:29:24 2013] [error] [client 192.168.122.6]
>> krb5_get_init_creds_password() failed: Cannot contact any KDC for
>> requested realm
>>
>> But user can get his principal in the server by kinit w/o any issue.
>
>
> Is the user running kinit on the machine hosting foobar.com/opendcim, or
> some other machine?  If they are different machines, the kinit success does
> not say very much; it is the webserver machine which is failing to contact
> the KDC.
>
> -Ben Kaduk
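Added diagnostic, not from the thread: with KrbMethodK5Passwd On, the password the browser sends is used by httpd itself to call krb5_get_init_creds_password(), and KrbVerifyKDC On additionally makes httpd fetch a service ticket for its own HTTP/ principal from the keytab. Both need the web server process, not the user's workstation, to reach a KDC for FOOBAR.COM. The script below checks that from the web server side: it reads the kdc entries for the realm out of a krb5.conf (a constructed copy of the posted one is written to a temp file when no real file is found, so it runs offline), resolves and TCP-probes each KDC, lists SELinux Kerberos booleans, and, if run as root with the keytab present, repeats the keytab kinit as the apache user with KRB5_TRACE on so the library reports which KDC addresses it actually tries. The keytab path, principal name and the "apache" user are assumptions taken from the posted config and a Red Hat style layout; adjust them to the real host.

```shell
#!/bin/sh
# Added example (not part of the original thread): check KDC reachability
# from the web server host, the way mod_auth_kerb's httpd process needs it.
# Assumes an MIT-style krb5.conf with "kdc = host[:port]" lines as posted.

# Print "host port" for every kdc entry of REALM in the krb5.conf at FILE.
# The port defaults to 88 when the entry carries none.
kdc_hosts_for_realm() {
    awk -v realm="$2" '
        /^[ \t]*\[/ { section = $0; gsub(/[ \t]/, "", section); in_realm = 0 }
        section == "[realms]" && $1 == realm && /\{/ { in_realm = 1; next }
        in_realm && /\}/ { in_realm = 0 }
        in_realm && $1 == "kdc" {
            host = $3; port = 88
            if (host ~ /:/) { port = host; sub(/.*:/, "", port); sub(/:.*/, "", host) }
            print host, port
        }' "$1"
}

# Resolve HOST and try a TCP connect to PORT (MIT krb5 falls back to TCP, and
# TCP is easier to probe from a script than UDP/88). Returns 0 only on success.
check_kdc() {
    host=$1; port=$2
    if command -v getent >/dev/null 2>&1 && ! getent hosts "$host" >/dev/null 2>&1; then
        echo "FAIL: $host does not resolve; with dns_lookup_kdc = false it must be in DNS or /etc/hosts"
        return 1
    fi
    if ! command -v nc >/dev/null 2>&1; then
        echo "SKIP: nc not installed, cannot probe $host:$port"
        return 1
    fi
    if nc -z -w 3 "$host" "$port" >/dev/null 2>&1; then
        echo "OK:   $host:$port accepts TCP connections"
        return 0
    fi
    echo "FAIL: $host:$port unreachable from $(hostname) (firewall, routing or KDC down)"
    return 1
}

# Repeat what KrbVerifyKDC makes httpd do: get credentials for the HTTP
# service principal from its keytab, as the httpd user, with KRB5_TRACE
# showing which KDC addresses the library tries. Keytab path, principal and
# the "apache" user name are assumptions taken from the posted config.
kinit_as_httpd_user() {
    keytab=${1:-/etc/httpd/HTTP-ibm-x3250m3-2.foobar.com.keytab}
    principal=${2:-HTTP/ibm-x3250m3-2.foobar.com@FOOBAR.COM}
    if [ "$(id -u)" -ne 0 ] || [ ! -f "$keytab" ]; then
        echo "SKIP: need root and $keytab to run kinit as the apache user"
        return 0
    fi
    su -s /bin/sh apache -c "KRB5_TRACE=/dev/stderr kinit -k -t '$keytab' '$principal'"
}

# Driver. KRB5_CONFIG is the variable MIT krb5 itself honours; when no real
# file is readable, a constructed copy of the thread's [realms] is used so the
# parser can be exercised offline.
CONF=${KRB5_CONFIG:-/etc/krb5.conf}
CLEANUP=
if [ ! -r "$CONF" ]; then
    CONF=$(mktemp) && CLEANUP=$CONF
    cat >"$CONF" <<'EOF'
[libdefaults]
 default_realm = FOOBAR.COM
 dns_lookup_kdc = false

[realms]
 FOOBAR.COM = {
  kdc = kerberos.foobar.com:88
  admin_server = kerberos.foobar.com:749
 }
EOF
fi
echo "KDCs listed for FOOBAR.COM in $CONF:"
kdc_hosts_for_realm "$CONF" FOOBAR.COM | while read -r host port; do
    check_kdc "$host" "$port" || true
done
# SELinux can block httpd's outbound Kerberos traffic even when the host itself reaches the KDC.
if command -v getsebool >/dev/null 2>&1; then getsebool -a 2>/dev/null | grep -i kerberos || true; fi
kinit_as_httpd_user || true
if [ -n "$CLEANUP" ]; then rm -f "$CLEANUP"; fi
```

Run it on the machine hosting foobar.com/opendcim, not on the machine where kinit already worked. A FAIL on resolution or on the TCP probe points at DNS, /etc/hosts or the network path; a clean probe but a failing kinit under su points at the httpd user's environment (SELinux boolean, keytab permissions, a different krb5.conf seen by httpd).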