kinit without dns
Ken Hornstein
kenh at cmf.nrl.navy.mil
Wed Jan 24 15:34:22 EST 2024
You MIGHT be better served by turning on Kerberos tracing to see what the
library is doing. Prefixing that kinit with:
env KRB5_TRACE=/dev/stdout
would be useful. However, assuming these are in order ...
>Protocol Length Info
>DNS 80 Standard query 0xd8af A dc1.gogo.loco
>DNS 96 Standard query response 0xd8af A dc1.gogo.loco A 10.15.15.22
>KRB5 221 AS-REQ
>KRB5 234 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
This looks like the basic exchange with the KDC did not do any DNS lookups
(other than the hostname).
>DNS 79 Standard query 0x314d URI _kerberos.GOGO.LOCO
>DNS 154 Standard query response 0x314d No such name URI
>_kerberos.GOGO.LOCO SOA a.root-servers.net
>DNS 91 Standard query 0xfc89 SRV _kerberos-master._udp.GOGO.LOCO
>DNS 166 Standard query response 0xfc89 No such name SRV
>_kerberos-master._udp.GOGO.LOCO SOA a.root-servers.net
This looks like it is trying to find the name of the primary KDC. You could
put a line "master_kdc = dc1.gogo.logo" under the [realms] stanza and I
believe it would suppress these lookups (the preferred relation name was
changed to "primary_kdc" in 1.19 but it is still supposed to fall back
to the older name). I think that should get rid of all of the lookups
I see (I believe the PREAUTH_REQUIRED error makes it want to find the primary
KDC).
--Ken
More information about the Kerberos
mailing list