Problem with kerberos kinit

I'm setting up a Kerberos server and a DNS server for my project. At first, I didn't connect the Kerberos server to the DNS server and set it up by connecting to the internet. Kerberos can create a ticket for a user I created through kadmin on the Kerberos server. After that, when I connect it to the DNS server, it returns an error:
Code:
kinit: krb5_get_init_creds: unable to reach any KDC in realm FYP.NET.

Can someone help me, please? I really need help here. I have been working on this for about a week now.
 
It states that kinit can't reach any KDC, either because it doesn't know how to, the connection is prevented, or there is no running KDC to reach. FreeBSD includes an old but functional version of Heimdal, a Kerberos implementation. Heimdal tries to read krb5.conf. If no krb5.conf is found it falls back to DNS-based configuration, looking for SRV records. If no SRV records are found, a last-ditch default hostname in the same domain is tried.

You can pass additional KDCs for kinit to try with the -a parameter for debugging. The handbook includes a sample krb5.conf and the SRV records to define for KDCs.
 
OS: FreeBSD 13
Installed kerberos

vim /etc/krb5.conf
Code:
[libdefaults]
 default_realm = STORM.COM
 renew_lifetime = 7d
 forwardable = true
 ticket_lifetime = 24h
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_ccache_name = /tmp/krb5cc_%{uid}

[realms]
 STORM.COM = {
    kdc = kerberos.storm.com       # even tried kdc = tcp/kerberos.storm.com:88
    admin_server = kerberos.storm.com
}

[logging]
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmin.log
 default = FILE:/var/log/krb5lib.log

/etc/resolv.conf
Code:
# Generated by resolvconf
nameserver 8.8.8.8
nameserver 8.8.1.1

/etc/hosts
Code:
127.0.0.1   localhost   localhost.my.domain

192.168.1.208   kerberos    kerberos.storm.com

added principal host/kerberos.storm.com and also krbtest

But when I try to do kinit

Code:
❯ kinit krbtest
krbtest@STORM.COM's Password:
kinit: krb5_get_init_creds: unable to reach any KDC in realm STORM.COM

I can ping and reach kerberos.storm.com.
Telnet to port 88 is also working and connecting.
 
Look with tcpdump whether there are any requests to server:88.
I did a quick test and DNS seems to be required regardless of
dns_lookup_realm = false
dns_lookup_kdc = false
If I put kerberos.REALM in DNS it tries to connect to kerberos.REALM:88;
otherwise it fails after the failed DNS lookup.
 
Are the kdc(8), kadmind(8) and kpasswdd(8) services actually running on the Kerberos host?

You're also missing the [domain_realm] in your krb5.conf:
Code:
[domain_realm]
  storm.com = STORM.COM
  .storm.com = STORM.COM
 
SirDice
All 3 services are running and I have also added the domain_realm now.
Still it throws the same error, as if it is not able to reach kerberos.storm.com.
I am observing that it takes time when I kinit, as if it is searching for the domain.
 
Probably anything that answers the DNS requests will work.
I use bind, but I assume anything will work if it gets to answer the request.
 
covacat So I set up local_unbound and in forward.conf I added an entry to resolve the domain
Code:
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
local-data: "kerberos.storm.com. IN A 192.168.1.209"
local-data: "storm.com. IN A 192.168.1.209"

forward-zone:
    name: .
    forward-addr: 1.1.1.1

Now the domain is being resolved with

Code:
❯ drill -s kerberos.storm.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 44531
;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; kerberos.storm.com.    IN    A

;; ANSWER SECTION:
kerberos.storm.com.    3600    IN    A    192.168.1.209

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 127.0.0.1
;; WHEN: Wed Mar  2 15:30:50 2022
;; MSG SIZE  rcvd: 52

but there is still an issue, although now a different one:

Code:
❯ kinit krbtest
krbtest@STORM.COM's Password:
kinit: krb5_get_init_creds: Client (krbtest@STORM.COM) unknown

even though the user krbtest has been added as a principal.
 
So I found that even when Kerberos is set up and the database folder is /usr/local/var/krb5kdc/,

the KDC is trying to fetch credentials from /var/heimdal/heimdal.

Below is the log of krb5kdc.log

Code:
2022-03-02T19:35:41 KDC started
2022-03-02T19:35:59 AS-REQ krbtest@STORM.COM from IPv4:192.168.1.209 for krbtgt/STORM.COM@STORM.COM
2022-03-02T19:35:59 Failed to open database: dbopen (/var/heimdal/heimdal): No such file or directory
2022-03-02T19:35:59 UNKNOWN -- krbtest@STORM.COM: no such entry found in hdb

Why is it searching for the user in the wrong path/folder?
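Added example (not code from the thread or from Heimdal): a small parser for kdc(8) log lines in the format posted above, plus a triage function that separates "this principal really is not in the database" from "the KDC cannot open its database, so every principal looks unknown". The sample lines are constructed to mirror the posted log; the event kinds and the triage codes are names chosen for this example.

```python
"""Parse Heimdal kdc(8) log lines and triage 'unknown client' failures.

Added example for this thread, not Heimdal's own code. The regexes match the
message formats visible in the posted krb5kdc.log; the event kinds and triage
codes ('db_missing', 'unknown_principals', 'ok') are names chosen here.
"""
import re

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<msg>.*)$")
AS_REQ_RE = re.compile(
    r"^AS-REQ (?P<client>\S+) from (?P<af>IPv[46]):(?P<addr>\S+) for (?P<server>\S+)$"
)
DBOPEN_RE = re.compile(
    r"^Failed to open database: dbopen \((?P<path>[^)]+)\): (?P<err>.*)$"
)
UNKNOWN_RE = re.compile(r"^UNKNOWN -- (?P<principal>\S+): no such entry found in hdb$")

# Constructed sample, modelled on the log posted above (forum markup removed).
SAMPLE_LOG = """\
2022-03-02T19:35:41 KDC started
2022-03-02T19:35:59 AS-REQ krbtest@STORM.COM from IPv4:192.168.1.209 for krbtgt/STORM.COM@STORM.COM
2022-03-02T19:35:59 Failed to open database: dbopen (/var/heimdal/heimdal): No such file or directory
2022-03-02T19:35:59 UNKNOWN -- krbtest@STORM.COM: no such entry found in hdb
"""


def parse_kdc_line(line):
    """Turn one log line into a dict with a 'kind' key; unrecognised messages become 'other'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, msg = m.group("ts"), m.group("msg")
    if (r := AS_REQ_RE.match(msg)):
        return {"kind": "as_req", "ts": ts, "client": r["client"],
                "from": r["addr"], "server": r["server"]}
    if (r := DBOPEN_RE.match(msg)):
        return {"kind": "db_open_failed", "ts": ts, "path": r["path"], "error": r["err"]}
    if (r := UNKNOWN_RE.match(msg)):
        return {"kind": "unknown_client", "ts": ts, "principal": r["principal"]}
    return {"kind": "other", "ts": ts, "msg": msg}


def parse_kdc_log(text):
    """Parse every non-empty line of a krb5kdc.log excerpt into event dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = parse_kdc_line(line)
            if ev:
                events.append(ev)
    return events


def triage(events):
    """Return (code, explanation) for a window of events.

    A dbopen failure next to UNKNOWN entries means the KDC has no usable HDB
    (in the thread: the database had been created with MIT's kdb5_util while
    the base-system Heimdal kdc was the one running), so 'unknown' says nothing
    about whether the principal exists. Without a dbopen failure, UNKNOWN lines
    are genuine requests for principals the KDC does not have.
    """
    db_paths = sorted({e["path"] for e in events if e["kind"] == "db_open_failed"})
    unknown = sorted({e["principal"] for e in events if e["kind"] == "unknown_client"})
    if db_paths:
        return ("db_missing",
                f"KDC cannot open its HDB at {', '.join(db_paths)}; every AS-REQ is "
                "reported as an unknown client regardless of the principal. Check which "
                "Kerberos implementation created the database and where it put it.")
    if unknown:
        return ("unknown_principals",
                f"{len(unknown)} principal(s) requested but not in the HDB: {', '.join(unknown)}")
    return ("ok", "no KDC-side failures in this window")


if __name__ == "__main__":
    evs = parse_kdc_log(SAMPLE_LOG)
    for ev in evs:
        print(ev)
    print(triage(evs))
```

Run against the posted log the triage code is db_missing, which is the answer to the "why is it searching in the wrong folder" question in log form: the kdc that is running is looking for a Heimdal HDB that was never created. The same parser on a log with UNKNOWN lines but no dbopen failure reports unknown_principals instead, which is the case worth watching in volume on a production KDC.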
 
the database folder is /usr/local/var/krb5kdc/
That doesn't look correct.

Make sure you're not mixing up security/krb5, security/heimdal and the kdc(8) that comes with the base OS. The Kerberos that comes with the base OS is a version of Heimdal. You can also install this as a port, which is slightly newer but, more importantly, lets you turn features on or off. security/krb5 is an entirely different Kerberos implementation.
 
You are correct, SirDice.

I was running kdc, whereas I had initialized the database using kdb5_util, which is for krb5kdc, and when I tried kinit it was searching for Heimdal.

So now it is sorted. I tested both Heimdal and MIT Kerberos :)

kdc for Heimdal and database initialization using kadmin, but the interesting part is that covacat was right. When using Heimdal, you cannot use the /etc/hosts file for domain mapping. You have to explicitly use the local_unbound DNS service, which I found very easy and simple to use,

whereas for MIT Kerberos, after the krb5 installation, the service is krb5kdc and the database is set up with kdb5_util. You can use /etc/hosts or local_unbound for mapping.
 
This is an old thread but I came across when searching for my issue, wherein like the OP I am attempting to run kinit on a network that does not use a local DNS server but rather names the kdc server (and others) in /etc/hosts. Using the base heimdal in 14.1 I too get the dreaded error:
Code:
kinit: krb5_get_init_creds: unable to reach any KDC in realm LOCAL

My krb5.conf:
Code:
[libdefaults]
    default_realm = LOCAL
[realms]
    LOCAL = {
        kdc = freebsd-kdc.local
        admin_server = freebsd-kdc.local
    }
[domain_realm]
    local = LOCAL

I learned two useful things.

First, you can enable debug output with the following additional section:
Code:
[logging]
    krb5 = STDERR

Second, the base heimdal libraries append a trailing dot (.) to domains to make them fully qualified before calling getaddrinfo(3). Thus, if /etc/hosts doesn't fully qualify the domain, it won't resolve. I needed to do the following in /etc/hosts. Note the trailing dot.
Code:
192.168.1.173           freebsd-kdc.local. freebsd-kdc.local freebsd-kdc

Hopefully this helps whoever comes next.
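Added example, not code from the thread or from Heimdal: a checker that reads the [realms] section of a krb5.conf in the format used in this thread (including the `tcp/host:88` form the original poster tried), lists what Heimdal will resolve following SirDice's description of the lookup order (explicit kdc entries first, then the standard `_kerberos._udp`/`_kerberos._tcp` SRV names), and applies the trailing-dot rule from the post above to an /etc/hosts file: the name handed to getaddrinfo(3) is fully qualified, so the hosts line must carry the dotted form. The function names, the verdict strings and the sample configs are mine; port 88 is the standard Kerberos port.

```python
"""Check a Heimdal krb5.conf against /etc/hosts before blaming the KDC.

Added example for this thread, not Heimdal's code. It follows the lookup order
SirDice describes (explicit kdc = entries, then SRV records) and the trailing-dot
behaviour the last post observed. Helper names, the diagnose() verdicts and the
sample inputs are chosen here; Heimdal's own resolver code is not reproduced.
"""
import re
import socket

DEFAULT_KDC_PORT = 88
SECTION_RE = re.compile(r"^\[(\w+)\]$")
BLOCK_OPEN_RE = re.compile(r"^([^\s=]+)\s*=\s*\{$")
KDC_RE = re.compile(r"^kdc\s*=\s*(\S+)$")


def parse_krb5_realms(text):
    """Return {REALM: [kdc spec, ...]} from the [realms] section of a krb5.conf.

    Minimal parser for the bracketed syntax used in the thread; '#' comments
    (including the trailing one on the poster's kdc line) are ignored.
    """
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            section, realm = m.group(1), None
        elif section != "realms":
            continue
        elif (m := BLOCK_OPEN_RE.match(line)):
            realm = m.group(1)
            realms.setdefault(realm, [])
        elif line == "}":
            realm = None
        elif realm and (m := KDC_RE.match(line)):
            realms[realm].append(m.group(1))
    return realms


def parse_kdc_spec(spec):
    """Split Heimdal's '[tcp/|udp/|http/]host[:port]' (e.g. 'tcp/kerberos.storm.com:88')
    into (proto, host, port). No prefix is recorded as 'udp' here; IPv6 literals
    are not handled."""
    proto = "udp"
    if "/" in spec:
        proto, spec = spec.split("/", 1)
    host, sep, port = spec.rpartition(":")
    if sep and port.isdigit():
        return proto, host, int(port)
    return proto, spec, DEFAULT_KDC_PORT


def qualified(host):
    """The name Heimdal resolves: the host with a trailing dot (last post's finding)."""
    return host if host.endswith(".") else host + "."


def srv_names(realm):
    """SRV owner names queried when krb5.conf lists no KDC for the realm."""
    return [f"_kerberos._udp.{realm}.", f"_kerberos._tcp.{realm}."]


def parse_hosts(text):
    """{name: ip} from /etc/hosts text; names are compared as exact strings."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name, fields[0])
    return table


def diagnose(krb5_conf, hosts_text, realm):
    """Return [(kdc spec, verdict), ...] for the realm, or one SRV hint if it lists no KDC."""
    hosts = parse_hosts(hosts_text)
    specs = parse_krb5_realms(krb5_conf).get(realm, [])
    if not specs:
        return [(None, "no kdc entries: Heimdal will query " + ", ".join(srv_names(realm)))]
    verdicts = []
    for spec in specs:
        proto, host, port = parse_kdc_spec(spec)
        fqdn = qualified(host)
        if fqdn in hosts:
            verdict = f"ok: {fqdn} -> {hosts[fqdn]} ({proto} port {port})"
        elif host in hosts:
            verdict = f"hosts has {host} but not {fqdn}: add the trailing-dot alias"
        else:
            verdict = f"{fqdn} not in /etc/hosts: needs an A record (or SRV) in DNS"
        verdicts.append((spec, verdict))
    return verdicts


def tcp_reachable(host, port, timeout=2.0):
    """Network probe equivalent to the 'telnet to port 88 works' check; not used offline."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed from the last post's config; the hosts line lacks the dotted name.
    conf = "[realms]\nLOCAL = {\n    kdc = freebsd-kdc.local\n}\n"
    for spec, verdict in diagnose(conf, "192.168.1.173 freebsd-kdc.local freebsd-kdc\n", "LOCAL"):
        print(spec, "->", verdict)
```

With the last post's hosts line minus the dotted alias the verdict is "hosts has freebsd-kdc.local but not freebsd-kdc.local.", which is exactly the fix the post arrived at; with the dotted alias present it reports ok. A ping or telnet succeeding, as in the original poster's case, says only that the undotted name resolves, which is why those checks did not catch this.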
 