kinit without dns

Ken Hornstein kenh at cmf.nrl.navy.mil
Wed Jan 24 15:34:22 EST 2024


You MIGHT be better served by turning on Kerberos tracing to see what the
library is doing.  Prefixing that kinit with:

	env KRB5_TRACE=/dev/stdout

would be useful.  However, assuming these are in order ...

>Protocol    Length  Info
>DNS 80  Standard query 0xd8af A dc1.gogo.loco
>DNS 96  Standard query response 0xd8af A dc1.gogo.loco A 10.15.15.22
>KRB5    221 AS-REQ
>KRB5    234 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED

This looks like the basic exchange with the KDC did not do any DNS lookups
(other than the hostname).

>DNS 79  Standard query 0x314d URI _kerberos.GOGO.LOCO
>DNS 154 Standard query response 0x314d No such name URI _kerberos.GOGO.LOCO SOA a.root-servers.net
>DNS 91  Standard query 0xfc89 SRV _kerberos-master._udp.GOGO.LOCO
>DNS 166 Standard query response 0xfc89 No such name SRV _kerberos-master._udp.GOGO.LOCO SOA a.root-servers.net

This looks like it is trying to find the name of the primary KDC.  You could
put a line "master_kdc = dc1.gogo.loco" under the [realms] stanza and I
believe it would suppress these lookups (the preferred relation name was
changed to "primary_kdc" in 1.19 but it is still supposed to fall back
to the older name).  I think that should get rid of all of the lookups
I see (I believe the PREAUTH_REQUIRED error makes it want to find the primary
KDC).

--Ken
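A krb5.conf for the realm seen in the capture, added here as an illustration (it is not from the thread or the krb5 project): it pins the primary KDC as Ken suggests and, going one step further, switches off DNS-based KDC discovery altogether. The realm and host names come from the quoted capture; the file layout and the admin_server/domain_realm entries are assumptions.

```ini
# Added example, not from the thread. Assumed krb5.conf for the GOGO.LOCO
# realm from the capture, with the KDC and the primary KDC listed explicitly
# so the library never has to fall back to SRV/URI lookups for the realm.
[libdefaults]
    default_realm = GOGO.LOCO
    # KDC discovery via DNS (URI and SRV records) is only consulted for a
    # realm that has no kdc/primary_kdc entries in [realms]; turning it off
    # guarantees no _kerberos/_kerberos-master queries even if a server
    # entry is later removed by mistake.
    dns_lookup_kdc = false
    # Host-to-realm mapping via DNS TXT records is not needed either, since
    # the mapping is given statically in [domain_realm] below.
    dns_lookup_realm = false

[realms]
    GOGO.LOCO = {
        # KDC used for the AS-REQ/TGS-REQ exchange (answered the
        # KRB5KDC_ERR_PREAUTH_REQUIRED in the capture).
        kdc = dc1.gogo.loco
        # Primary (writable) KDC. Without this relation the library looks it
        # up in DNS, which is the _kerberos-master._udp SRV query that failed
        # in the capture. "primary_kdc" is the relation name since krb5 1.19;
        # "master_kdc" is the older name and still accepted, so both are set
        # to keep the file usable with older clients.
        primary_kdc = dc1.gogo.loco
        master_kdc = dc1.gogo.loco
        # Assumed: kadmin/kpasswd also run on the domain controller.
        admin_server = dc1.gogo.loco
    }

[domain_realm]
    .gogo.loco = GOGO.LOCO
    gogo.loco = GOGO.LOCO
```

After changing the file, re-run kinit with the KRB5_TRACE prefix from the message above; the trace should then show only the hostname resolution for dc1.gogo.loco and no SRV or URI queries.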
