kinit without dns

Michael B Allen ioplex at gmail.com
Wed Jan 24 14:45:11 EST 2024


Hello,

I use Linux almost exclusively for everything.
DNS points to my Internet router.
However, I also have VMs running AD and various Windows instances just
for testing my software.
All of these test hosts use AD for DNS which forwards to said Internet router.

If I use the following krb5.conf with MIT krb5 packages on CentOS:

[libdefaults]
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt

[realms]
    GOGO.LOCO = {
        kdc = dc1.gogo.loco
    }

where dc1.gogo.loco is AD, trying to run kinit fails:

$ kinit -k -t java31.keytab 'java31$@GOGO.LOCO'
kinit: Pre-authentication failed: Invalid argument while getting initial credentials

Looking at the network shows:

Protocol    Length  Info
DNS 80  Standard query 0xd8af A dc1.gogo.loco
DNS 96  Standard query response 0xd8af A dc1.gogo.loco A 10.15.15.22
KRB5    221 AS-REQ
KRB5    234 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
DNS 79  Standard query 0x314d URI _kerberos.GOGO.LOCO
DNS 154 Standard query response 0x314d No such name URI _kerberos.GOGO.LOCO SOA a.root-servers.net
DNS 91  Standard query 0xfc89 SRV _kerberos-master._udp.GOGO.LOCO
DNS 166 Standard query response 0xfc89 No such name SRV _kerberos-master._udp.GOGO.LOCO SOA a.root-servers.net
DNS 91  Standard query 0xe601 SRV _kerberos-master._tcp.GOGO.LOCO
DNS 166 Standard query response 0xe601 No such name SRV _kerberos-master._tcp.GOGO.LOCO SOA a.root-servers.net
DNS 79  Standard query 0x37d8 URI _kerberos.GOGO.LOCO
DNS 154 Standard query response 0x37d8 No such name URI _kerberos.GOGO.LOCO SOA a.root-servers.net
DNS 91  Standard query 0x54e2 SRV _kerberos-master._udp.GOGO.LOCO
DNS 166 Standard query response 0x54e2 No such name SRV _kerberos-master._udp.GOGO.LOCO SOA a.root-servers.net
DNS 91  Standard query 0xc1d3 SRV _kerberos-master._tcp.GOGO.LOCO
DNS 166 Standard query response 0xc1d3 No such name SRV _kerberos-master._tcp.GOGO.LOCO SOA a.root-servers.net

As you can see, kinit successfully communicates with the KDC but then
fails over to querying DNS to find one.

Is there any way to get kinit to work without DNS?

Temporarily hacking my prod machines to use DNS for test machines is not ideal.

Ideas?

Mike

-- 
Michael B Allen
Java AD DS Integration
https://www.ioplex.com/
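Added example, not part of the message above: the same realm stanza extended so that the retry MIT krb5 makes against the primary KDC after a pre-authentication failure (the _kerberos-master SRV and _kerberos URI lookups in the capture) is answered from krb5.conf instead of DNS, and DNS-based KDC discovery is switched off. The realm, hostname and address are the ones from the post; treating dc1.gogo.loco as the only DC for GOGO.LOCO is an assumption.

```ini
# Added example (not the poster's configuration): pin the KDCs for the
# test realm in the file so the MIT client never consults DNS for them.
[libdefaults]
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    # Skip DNS SRV and URI discovery for realms that are listed below.
    # dns_uri_lookup is recognised by MIT krb5 1.15 and later.
    dns_lookup_kdc = false
    dns_uri_lookup = false

[realms]
    GOGO.LOCO = {
        # An IP address avoids the A-record lookup as well; a hostname
        # here still needs DNS or an /etc/hosts entry to resolve.
        kdc = dc1.gogo.loco
        # After a pre-auth failure the client retries against the primary
        # KDC; naming it here keeps that retry off DNS. Assumes dc1 is the
        # only DC. Releases 1.19 and later also accept primary_kdc.
        master_kdc = dc1.gogo.loco
    }

[domain_realm]
    # Host-to-realm mapping, so no TXT lookup is needed for it either.
    .gogo.loco = GOGO.LOCO
    gogo.loco = GOGO.LOCO
```

With this in place a capture of the same kinit run should show at most the A lookup for dc1.gogo.loco followed by the AS exchange, and any remaining "Pre-authentication failed" error is then between the client and the DC rather than a side effect of KDC discovery.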

