Intermittent DNS failures while sending TGS-REQ

Sri bskmohan at
Fri Sep 11 09:25:42 EDT 2020


I am trying to get a service ticket for a host-based service and validate it using a keytab. The issue is that this works sometimes, and sometimes I am observing 'Cannot contact any realm '' while executing the krb5_get_credentials() method. This error is not observed while sending AS-REQ. From the packet traces, I could see that AS-REQ/AS-REP succeeds without fail and the user is getting authenticated. Can anyone please share some pointers to resolve the issue?

Here is the pseudocode I am using:

krb5_context k5Context;
// get initial tkts (for AS-REQ/AS-REP)
krb5_get_init_creds_password(k5Context,...); // <========== Always passes

// store the tkt in cache
krb5_creds in_creds, *out_creds; // krb5_get_credentials() returns a newly allocated krb5_creds via krb5_creds **
memset(&in_creds, 0, sizeof(in_creds));

err = krb5_parse_name(k5Context, user, &user_princ); // user = userone at
err = krb5_parse_name(k5Context, spn, &server_princ); // spn = "HOST/ at TEST.DOMAIN.COM

in_creds.client = user_princ;
in_creds.server = server_princ;

// start TGS exchange
err = krb5_get_credentials(k5Context, KRB5_GC_NO_STORE, k5Cache, &in_creds, &out_creds); // <====== This is where I get 'Cannot contact any realm' error and fails out.
err = krb5_decode_ticket(&out_creds->ticket, &tkt);
err = krb5_kt_default(k5Context, &keytab);
err = krb5_kt_get_entry(k5Context, ..., &tktEntry); // same entry whose key is used below
err = krb5_decrypt_tkt_part(k5Context, &tktEntry.key, tkt);

My krb5.conf:

 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

 default_realm = TEST.DOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true

 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true



  default_tkt_enctypes = arcfour-hmac des-cbc-md5
  kdc =
  admin_server = 



Thanks, eskay
