Intermittent DNS failures while sending TGS-REQ

Sri bskmohan at yahoo.com
Fri Sep 11 09:25:42 EDT 2020


Hi,

I am trying to get a service ticket for a host-based service and validate it using a keytab. The issue is that this works sometimes, and sometimes I observe 'Cannot contact any realm 'test.domain.com'' while executing the krb5_get_credentials() method. This error is not observed while sending the AS-REQ. From the packet traces, I could see the AS-REQ/AS-REP going through without fail and the user getting authenticated. Can anyone please share some pointers to resolve the issue?

Here is the pseudo code I am using:

krb5_context k5Context;
krb5_init_context(&k5Context);
...
// get initial tkts (for AS-REQ/AS-REP)
krb5_get_init_creds_password(k5Context, ...); // <========== Always passes
...

// store the tkt in cache
krb5_cc_default()
krb5_cc_initialize()
krb5_cc_store_cred()
...
krb5_creds in_creds, *out_creds = NULL; // krb5_get_credentials() returns out_creds as a pointer
memset(&in_creds, 0, sizeof(in_creds));
...

err = krb5_parse_name(k5Context, user, &user_princ); // user = "userone@test.domain.com"
err = krb5_parse_name(k5Context, spn, &server_princ); // spn = "HOST/test-host.test.domain.com@TEST.DOMAIN.COM"

in_creds.client = user_princ;
in_creds.server = server_princ;

// start TGS exchange
err = krb5_get_credentials(k5Context, KRB5_GC_NO_STORE, k5Cache, &in_creds, &out_creds); // <====== This is where I get 'Cannot contact any realm' error and fails out.
err = krb5_decode_ticket(&out_creds->ticket, &tkt);
err = krb5_kt_default(k5Context, &keytab);
err = krb5_kt_get_entry(k5Context, ..., &ktEntry);
err = krb5_decrypt_tkt_part(k5Context, &ktEntry.key, tkt);

My krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TEST.DOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true

 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 TEST.DOMAIN.COM = {
  default_tkt_enctypes = arcfour-hmac des-cbc-md5
  kdc = test.domain.com
  admin_server = test.domain.com
 }

[domain_realm]
 test.domain.com = TEST.DOMAIN.COM
 .test.domain.com = TEST.DOMAIN.COM

Thanks, eskay
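An added example (not code from the original post or from MIT krb5) that audits a krb5.conf of the shape shown above: it reports realms whose KDC can only be reached through name resolution or DNS SRV lookup, and enctype lists that still permit deprecated ciphers. The parser assumes the flat section/brace layout of the posted file, and SAMPLE_CONF is a constructed copy of its relevant lines.

```python
"""Audit a krb5.conf for DNS-dependent KDC discovery and weak enctypes. Added
example, not the post's code; assumes the flat section/brace layout shown there."""
import ipaddress
# Enctypes MIT krb5 has deprecated or removed; treated as weak here.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "arcfour-hmac", "rc4-hmac"}
SAMPLE_CONF = """
[libdefaults]
 dns_lookup_kdc = true
[realms]
 TEST.DOMAIN.COM = {
  default_tkt_enctypes = arcfour-hmac des-cbc-md5
  kdc = test.domain.com
 }
"""  # constructed copy of the relevant lines of the krb5.conf in the post

def parse_krb5_conf(text):
    """Return {section: {key: value or {subkey: value}}}, one brace level deep."""
    conf, section, block = {}, None, None
    for line in filter(None, (l.split("#", 1)[0].strip() for l in text.splitlines())):
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif line.endswith("{"):                      # "REALM = {" opens a block
            block = line[:-1].split("=")[0].strip()
            conf[section][block] = {}
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            (conf[section][block] if block else conf[section])[key] = value
    return conf

def audit(conf):
    """Return findings about DNS-dependent KDC lookup and weak enctypes per realm."""
    findings = []
    dns_kdc = conf.get("libdefaults", {}).get("dns_lookup_kdc", "true").lower() == "true"
    for realm, cfg in conf.get("realms", {}).items():
        if not cfg.get("kdc") and dns_kdc:
            findings.append(f"{realm}: no kdc entry, KDC found only via DNS SRV records")
        for kdc in cfg.get("kdc", "").split():
            host = kdc.rsplit(":", 1)[0] if kdc.count(":") == 1 else kdc
            try:
                ipaddress.ip_address(host.strip("[]"))
            except ValueError:       # a hostname: every KDC contact needs the resolver
                findings.append(f"{realm}: kdc {kdc} depends on name resolution")
        for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
            weak = [e for e in cfg.get(key, "").split() if e.lower() in WEAK_ENCTYPES]
            if weak:
                findings.append(f"{realm}: {key} allows weak enctypes {' '.join(weak)}")
    return findings
```

Running audit(parse_krb5_conf(SAMPLE_CONF)) on the posted configuration reports that test.domain.com must be resolved for every KDC contact and that default_tkt_enctypes permits arcfour-hmac and des-cbc-md5.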