missing log while debugging kinit via kdcproxy

Jochen Hein jochen at jochen.org
Wed Jan 17 00:55:09 EST 2018


Hi,

I'm running a FreeIPA domain and started to authenticate my road warrior
laptop with kdcproxy.  I've changed krb5.conf:

,----
|  dns_lookup_realm = true
|  dns_lookup_kdc = false
|  ...
|  kdc = https://kdcproxy.example.org/KdcProxy
`----

When I run kinit on my Ubuntu 17.10 laptop I get:

# KRB5_TRACE=/dev/stderr kinit admin
[12904] 1516167827.841029: Getting initial credentials for admin at EXAMPLE.ORG
[12904] 1516167827.845059: Sending request (169 bytes) to EXAMPLE.ORG
[12904] 1516167827.845173: Resolving hostname kdcproxy.example.org
[12904] 1516167828.115087: Terminating TCP connection to https 89.0.xx.yy:443
[12904] 1516167828.551801: Terminating TCP connection to https 2a0a:a541:57ed:0:216:[redacted]:443
kinit: Cannot contact any KDC for realm EXAMPLE.ORG' while getting initial credentials

No hint what the problem might be, KDC log is empty.  What brought me on
the right track has been an strace and looking for missing files:

# strace -e stat kinit admin
stat("/etc/krb5.conf", {st_mode=S_IFREG|0644, st_size=714, ...}) = 0
stat("/usr/lib/x86_64-linux-gnu/krb5/plugins/preauth/pkinit.so", {st_mode=S_IFREG|0644, st_size=116344, ...}) = 0
stat("/usr/lib/x86_64-linux-gnu/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so", {st_mode=S_IFREG|0644, st_size=14528, ...}) = 0
stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=322, ...}) = 0
stat("/usr/lib/x86_64-linux-gnu/krb5/plugins/tls/k5tls.so", 0x7fff3df92080) = -1 ENOENT (No such file or directory)
kinit: Cannot contact any KDC for realm EXAMPLE.ORG' while getting initial credentials

After installing krb5-k5tls authentication was successful. I'd find it
helpful if kinit could give a hint that the shared library is
missing. Since not all users will need it, just adding a dependency to
krb5-user seems not appropriate.

Jochen

-- 
This space is intentionally left blank.
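
Added example, not part of the original message and not code from the krb5 project: a pre-flight check for the condition described above, where krb5.conf names an https:// KDC but k5tls.so is absent from the plugin directory. The function names and the PLUGIN_BASE argument are assumptions made for illustration; the sample krb5.conf is constructed from the lines in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-flight check for the failure
# described above: krb5.conf points at an https:// KDC proxy, but the k5tls
# plugin needed for the HTTPS transport is not installed.

# Print each https:// URL used as a "kdc =" value in a krb5.conf-style file.
# Anchored at line start so dns_lookup_kdc and similar keys do not match.
https_kdcs() {
    sed -n 's|^[[:space:]]*kdc[[:space:]]*=[[:space:]]*\(https://[^[:space:]]*\).*|\1|p' "$1"
}

# check_k5tls CONF PLUGIN_BASE
# Prints "not-needed", "ok" or "missing"; returns 1 only for "missing".
# PLUGIN_BASE is distro-specific; on the post's Ubuntu system it is
# /usr/lib/x86_64-linux-gnu/krb5/plugins.
check_k5tls() {
    urls=$(https_kdcs "$1")
    if [ -z "$urls" ]; then
        echo "not-needed"
    elif [ -e "$2/tls/k5tls.so" ]; then
        echo "ok"
    else
        echo "missing"
        echo "https KDC configured ($urls) but $2/tls/k5tls.so not found;" \
             "install the TLS plugin package (krb5-k5tls on Ubuntu)" >&2
        return 1
    fi
}

# Demo on constructed input: a temporary krb5.conf carrying the post's kdc
# line and an empty plugin directory, then the same check once the file exists.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/plugins/tls"
    printf '[realms]\n EXAMPLE.ORG = {\n  kdc = https://kdcproxy.example.org/KdcProxy\n }\n' \
        > "$tmp/krb5.conf"
    before=$(check_k5tls "$tmp/krb5.conf" "$tmp/plugins" 2>/dev/null) || true
    : > "$tmp/plugins/tls/k5tls.so"      # stand-in file, not a real plugin
    after=$(check_k5tls "$tmp/krb5.conf" "$tmp/plugins")
    rm -rf "$tmp"
    echo "before install: $before, after install: $after"
}

demo
```

On a real host, call check_k5tls with /etc/krb5.conf and the distribution's krb5 plugin directory before debugging the network path.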
