Problem with kerberos kinit

[unknown_noob]

I'm setting up a Kerberos server and a DNS server for my project. At first, I didn't connect the Kerberos server with the DNS server and set it up by connecting to the internet. The Kerberos can create a ticket for a user I created through kadmin on the Kerberos server. After that, when I connect it to the DNS server, it returns an error

kinit: krb5_get_init_creds: unable to reach any KDC in realm FYP.NET.

Can someone help me, please? I really need help here. I have worked with this for about a week now.

 

[Crest]

It states that kinit can't reach any KDC. Either because it doesn't know how to, the connection is prevented or their is no running KDC to reach. FreeBSD includes an old but functional version of Heimdal a Kerberos implementation. Heimdal tries to read krb5.conf. If no krb5.conf is found it falls back to DNS based configuration looking for SRV records. If no SRV records are found a last ditch default hostname in the same domain is tried.

You can pass additional KDCs to try to kinit with the -a parameter for debugging. The handbook includes a sample krb5.conf and the SRV records to define for KDCs.

 

[Tahseen Jamal]

OS: FreeBSD 13
Installed kerberos

vim /etc/krb5.conf

  1 [libdefaults]
  2
  3  default_realm = STORM.COM
  4
  5  renew_lifetime = 7d
  6
  7  forwardable = true
  8
  9  ticket_lifetime = 24h
 10
 11  dns_lookup_realm = false
 12
 13  dns_lookup_kdc = false
 14
 15  default_ccache_name = /tmp/krb5cc_%{uid}
 16
 17 [realms]
 18  STORM.COM = {
 19     kdc = kerberos.storm.com       # even tried kdc = tcp/kerberos.storm.com:88
 20     admin_server = kerberos.storm.com
 21 }
 22
 23 [logging]
 24  kdc = FILE:/var/log/krb5kdc.log
 25  admin_server = FILE:/var/log/kadmin.log
 26  default = FILE:/var/log/krb5lib.log

/etc/resolv.conf

1 # Generated by resolvconf
2 nameserver 8.8.8.8
3 nameserver 8.8.1.1

/etc/hosts

  1 127.0.0.1   localhost   localhost.my.domain
  2
  3 192.168.1.208   kerberos    kerberos.storm.com

added principal host/kerberos.storm.com and also krbtest

But when I try to do kinit

❯ kinit krbtest
krbtest@STORM.COM's Password:
kinit: krb5_get_init_creds: unable to reach any KDC in realm STORM.COM

I can ping and reach out to kerberos.storm.com
telnet to port 88 is also working and connecting

 

[covacat]

look with tcpdump
if there are any requests to server:88
i did a quick test and DNS seems to be required regardless of
dns_lookup_realm = false
dns_lookup_kdc = false
if i put kerberos.REALM in dns it tries to connect to kerberos.REALM:88
otherwise fails after failed dns lookup

 

[Tahseen Jamal]

covacat
Can you explain what do you mean by "put kerberos.REALM" in dns ?

 

[covacat]

add an A record for kerberos.mydomain.com (REALM is mydomain.com)

 

[Tahseen Jamal]

Which basically means I have to set up local DNS server ?

 

[covacat]

Which basically means I have to set up local DNS server ?

looks that way
I'm not sure there are no workarounds

 

[SirDice]

Are the kdc(8), kadmind(8) and kpasswdd(8) services actually running on the Kerberos host?

You're also missing the [domain_realm] in your krb5.conf:

[domain_realm]
  storm.com = STORM.COM
  .storm.com = STORM.COM

 

[Tahseen Jamal]

SirDice
All 3 services running and I also added the domain_realm now
still it throws the same error as if it is not able to reach kerberos.storm.com
I am observing that it takes time when I kinit as if it is search for the domain

 

[covacat]

probably anything that answers the dns requests will work
i use bind but i assume anything will work if it gets to answer the request

 

[Tahseen Jamal]

covacat So I setup local_unbound and in the forward.conf I added entry to resolve the domain

  1 # This file was generated by local-unbound-setup.
  2 # Modifications will be overwritten.
  3 local-data: "kerberos.storm.com. IN A 192.168.1.209"
  4 local-data: "storm.com. IN A 192.168.1.209"
  5
  6 forward-zone:
  7     name: .
  8     forward-addr: 1.1.1.1

Now the domain is being resolved with

❯ drill -s kerberos.storm.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 44531
;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; kerberos.storm.com.    IN    A

;; ANSWER SECTION:
kerberos.storm.com.    3600    IN    A    192.168.1.209

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 127.0.0.1
;; WHEN: Wed Mar  2 15:30:50 2022
;; MSG SIZE  rcvd: 52

but still if there is an issue, although now different

❯ kinit krbtest
krbtest@STORM.COM's Password:
kinit: krb5_get_init_creds: Client (krbtest@STORM.COM) unknown

even when the user krbtest is added as principal

 

[Tahseen Jamal]

So I found that even when Kerberos is set and the database folder is /usr/local/var/krb5kdc/

The kdc is trying to fetch credentials from /var/heimdal/heimdal

Below is the log of krb5kdc.log

2022-03-02T19:35:41 KDC started
2022-03-02T19:35:59 AS-REQ [email]krbtest@STORM.COM[/email] from IPv4:192.168.1.209 for krbtgt/[email]STORM.COM@STORM.COM[/email]
2022-03-02T19:35:59 Failed to open database: dbopen (/var/heimdal/heimdal): No such file or directory
2022-03-02T19:35:59 UNKNOWN -- [email]krbtest@STORM.COM[/email]: no such entry found in hdb

Why is it searching user in the wrong path / folder ?

 

[T-Daemon]

I had difficulties to configure kerberos with security/heimdal as well, that's what I understood when you said

Installed kerberos

Please correct me if I'm wrong.

What worked for me was using heimdal from system base.

If you insist on port heimdal, try to configure the database path in /var/heimdal/kdc.conf

 

[SirDice]

the database folder is /usr/local/var/krb5kdc/

That doesn't look correct.

Make sure you're not mixing up security/krb5, security/heimdal and the kdc(8) that comes with the base OS. The kerberos that comes with the base OS is a version of Heimdal. You can also install this as a port, which is slightly newer but more importantly you can turn features on or off. The security/krb5 is an entirely different Kerberos implementation.

 

[Tahseen Jamal]

You are correct SirDice

I was running kdc whereas I initialized database using kdb5_util, which is for krb5kdc and when tried kinit, it was searching for Heimdal

So now sorted. I tested both Heimdal and MIT Kerberos

kdc for Heimdal and database initialization using kadmin but interesting part is that covacat was right. When using Heimdal, you cannot use /etc/hosts file for domain mapping. You would have to explicitly use local_unbound DNS service. Which I found very easy and simply to use

whereas MIT Kerberos after krb5 installation, service krb5kdc and kdb5_util for database. you can use /etc/hosts or local_unbound for mapping

 

[dpemmons]

This is an old thread but I came across when searching for my issue, wherein like the OP I am attempting to run kinit on a network that does not use a local DNS server but rather names the kdc server (and others) in /etc/hosts. Using the base heimdal in 14.1 I too get the dreaded error:

kinit: krb5_get_init_creds: unable to reach any KDC in realm LOCAL

My krb5.conf:

[libdefaults]
    default_realm = LOCAL
[realms]
    LOCAL = {
        kdc = freebsd-kdc.local
        admin_server = freebsd-kdc.local
    }
[domain_realm]
    local = LOCAL

I learned two useful things.

First, you can enable debug output with the following additional section:

[logging]
    krb5 = STDERR

Second, the base heimdal libraries append a trailing dot (.) to domains to make them fully qualified, before calling getaddrinfo(3). Thus if /etc/hosts doesn't fully qualify the domain it won't resolve. I needed to do the following in /etc/hosts. Note the trailing dot.

192.168.1.173           freebsd-kdc.local. freebsd-kdc.local freebsd-kdc

Hopefully this helps whoever comes next.