Help: Cannot contact any KDC for requested realm
Lee Eric
openlinuxsource at gmail.com
Tue Jun 25 00:17:00 EDT 2013
Hi,
The user did not run kinit, because when the user accesses the website it
prompts for a Kerberos username/password. On the web server, kinit works
well.
Do you have any idea?
Thanks.
On Tue, Jun 25, 2013 at 2:29 AM, Benjamin Kaduk <kaduk at mit.edu> wrote:
> On Mon, 24 Jun 2013, Lee Eric wrote:
>
>> Hi,
>>
>> I use mod_auth_kerb in Apache for SSO. Here's auth_kerb.conf contents.
>>
>> LoadModule auth_kerb_module modules/mod_auth_kerb.so
>>
>> <Location /opendcim>
>> SSLRequireSSL
>> AuthType Kerberos
>> AuthName "Kerberos Login"
>> KrbMethodNegotiate On
>> KrbMethodK5Passwd On
>> KrbAuthRealms FOOBAR.COM
>> KrbVerifyKDC On
>> Krb5KeyTab /etc/httpd/HTTP-ibm-x3250m3-2.foobar.com.keytab
>> require valid-user
>> </Location>
>>
>> And here's /etc/krb5.conf:
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm = FOOBAR.COM
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> ticket_lifetime = 24h
>> forwardable = yes
>>
>> [realms]
>> FOOBAR.COM = {
>> kdc = kerberos.foobar.com:88
>> admin_server = kerberos.foobar.com:749
>> }
>>
>> [domain_realm]
>> foobar.com = FOOBAR.COM
>> .foobar.com = FOOBAR.COM
>> [appdefaults]
>> pam = {
>> debug = false
>> ticket_lifetime = 36000
>> renew_lifetime = 36000
>> forwardable = true
>> krb4_convert = false
>> }
>>
>> foobar.com is a pseudo domain name in my testing env. When the user
>> accesses foobar.com/opendcim it prompts a username and password
>> window. However, after the user's input it prompts that window again.
>> I checked the log in ssl_error_log I found following details.
>>
>> [Mon Jun 24 12:29:24 2013] [error] [client 192.168.122.6]
>> krb5_get_init_creds_password() failed: Cannot contact any KDC for
>> requested realm
>>
>> But the user can get his principal on the server by kinit without any issue.
>
>
> Is the user running kinit on the machine hosting foobar.com/opendcim, or
> some other machine? If they are different machines, the kinit success does
> not say very much; it is the webserver machine which is failing to contact
> the KDC.
>
> -Ben Kaduk
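The point Ben raises is that the KDC lookup which fails is the one made by the httpd process on the web server host, so that is where reachability has to be checked. The script below is an added example, not part of this thread or of mod_auth_kerb/MIT krb5: it parses the [realms] block of an MIT-style krb5.conf for the configured "kdc =" entries (default port 88 when none is given), reports when a realm has no KDC entries while dns_lookup_kdc is off, and tries DNS resolution plus a TCP connect to each KDC. SAMPLE_KRB5_CONF is a constructed copy of the configuration posted above; the file path and realm on the command line are assumptions.

```python
"""Check, from this host, whether the KDCs configured for a realm are reachable."""
import re
import socket
import sys

# Constructed sample mirroring the krb5.conf posted in the thread (not read from disk).
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = FOOBAR.COM
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
FOOBAR.COM = {
kdc = kerberos.foobar.com:88
admin_server = kerberos.foobar.com:749
}

[domain_realm]
.foobar.com = FOOBAR.COM
"""

_SECTION_RE = re.compile(r"^\[(\w+)\]$")
_BLOCK_OPEN_RE = re.compile(r"^(\S+)\s*=\s*\{$")


def _lines(conf_text):
    """Yield stripped, non-empty, non-comment lines (krb5.conf comments start with # or ;)."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            yield line


def parse_libdefault(conf_text, key):
    """Return the value of a [libdefaults] key, or None if it is not set."""
    section = None
    for line in _lines(conf_text):
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults":
            k, _, v = line.partition("=")
            if k.strip() == key:
                return v.strip()
    return None


def parse_kdcs(conf_text, realm):
    """Return [(host, port), ...] for every 'kdc =' line inside REALM = { ... } under [realms]."""
    kdcs = []
    section = None
    in_realm = False
    for line in _lines(conf_text):
        m = _SECTION_RE.match(line)
        if m:
            section, in_realm = m.group(1), False
            continue
        if section != "realms":
            continue
        m = _BLOCK_OPEN_RE.match(line)
        if m:
            in_realm = m.group(1).upper() == realm.upper()
            continue
        if line == "}":
            in_realm = False
            continue
        if in_realm:
            key, _, value = line.partition("=")
            if key.strip().lower() == "kdc":
                host, _, port = value.strip().rpartition(":")
                if not host:            # no ':port' given: rpartition left the name in 'port'
                    host, port = port, "88"
                kdcs.append((host, int(port)))
    return kdcs


def probe_kdc(host, port, timeout=3.0):
    """Resolve the KDC name and attempt a TCP connect to its port; return a status string.

    KDCs normally listen on both UDP and TCP 88, so a TCP connect is a cheap reachability
    check from this host. It will not catch a firewall that drops UDP only.
    """
    try:
        addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)})
    except socket.gaierror as exc:
        return f"{host}:{port}: DNS resolution failed ({exc})"
    last_err = None
    for addr in addrs:
        try:
            with socket.create_connection((addr, port), timeout=timeout):
                return f"{host}:{port}: TCP connect OK to {addr}"
        except OSError as exc:
            last_err = exc
    return f"{host}:{port}: resolved to {', '.join(addrs)} but TCP connect failed ({last_err})"


def check_realm(conf_text, realm):
    """Return one status line per configured KDC, or an explanation when none are configured."""
    kdcs = parse_kdcs(conf_text, realm)
    if not kdcs:
        dns = parse_libdefault(conf_text, "dns_lookup_kdc")
        return [f"no 'kdc =' entries for {realm} in [realms] (dns_lookup_kdc = {dns}); "
                "with DNS lookup disabled the library has no way to locate a KDC"]
    return [probe_kdc(host, port) for host, port in kdcs]


if __name__ == "__main__":
    # Assumed invocation: python check_kdc.py [/etc/krb5.conf] [REALM]
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/krb5.conf"
    with open(path) as fh:
        text = fh.read()
    realm = sys.argv[2] if len(sys.argv) > 2 else (parse_libdefault(text, "default_realm") or "")
    for status in check_realm(text, realm):
        print(status)
```

Run it on the web server host rather than on the client, and ideally as the user httpd runs under (for example via sudo -u apache), since that is the process in which krb5_get_init_creds_password() is failing; a kinit from an interactive shell on another machine says nothing about that path.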