krb5_get_in_tkt_with_password with KRB5_REALM_CANT_RESOLVE error

Ken Raeburn raeburn at MIT.EDU
Thu Sep 25 14:49:02 EDT 2008

On Sep 25, 2008, at 01:57, Stephen Ince wrote:
> I am getting a KRB5_REALM_CANT_RESOLVE error with the
> krb5_get_in_tkt_with_password call.  I am
> trying to programmatically get a ticket from KDC server. I am using
> kfw 3.3.3 Mit kerberos toolkit.
> The userid is matt at FOOBAR.LOCAL.
> The host FOOBAR.LOCAL just has an entry in my C:\WINDOWS
>      apache.foobar.local apache
>      kdc.foobar.local kdc

The realm name and KDC host names are independent.  You would need  
information somewhere that says that kdc.foobar.local is the (or at  
least a) KDC for the realm FOOBAR.LOCAL.  In your Kerberos config file  
(normally /etc/krb5.conf on UNIX, I think it's stored somewhere as  
krb5.ini on Windows) you would have a section that looks like:

         kdc = kdc.foobar.local
         [...possibly other info...]

Or, if you have DNS service set up for foobar.local, you could add a  
SRV record for the name "_kerberos._udp.foobar.local.", pointing to  
port 88 (or whatever you select instead) on the KDC machine.

You may also want:

     .foobar.local = FOOBAR.LOCAL

to tell client systems what realm name is used for servers in the  
foobar.local domain.  If you have a machine named "foobar.local" too,  
you'd also add a "foobar.local = FOOBAR.LOCAL" line (without the  
leading dot on the left-hand side, this time).

You could also get rid of the "kdc.foobar.local" host entry if you  
want, and just use "apache.foobar.local" in the configuration data  
described above.  Kerberos doesn't really care about the specific form  
of the KDC hostname, and we don't use any heuristics like assuming  
"kdc."+$realm might be the name of a KDC.


More information about the krbdev mailing list