February 9

Linux: kinit: Cannot contact any KDC for realm while getting initial credentials

The error “kinit: Cannot contact any KDC for realm while getting initial credentials” means that kinit could not reach a KDC (Key Distribution Center) for the realm, usually because a name is not resolving.
There is probably one of two problems: 1) your configuration in /etc/krb5.conf is not correct, or 2) your computer is not resolving the domain controller.

KRB5_TRACE=/dev/stdout kinit username   # may help you troubleshoot

In my case a simple “ping” of the domain controller showed me that my computer was not getting name resolution for the domain controller.
Initially I hard-coded the name in the /etc/hosts file to be able to get things working.

Here is an example of a good krb5.conf file. (Please note that as of this writing capitalization is important):

[libdefaults]
ticket_lifetime = 24000
default_realm = YOURDOMAIN.LOCAL
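# rc4-hmac and des-cbc-md5 are legacy, weak encryption types; prefer AES types where your domain supports them
default_tgs_enctypes = rc4-hmac des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-md5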
dns_lookup_realm = true
dns_lookup_kdc = true
dns_fallback = yes

[realms]
YOURDOMAIN.LOCAL = {
kdc = DC1.YOURDOMAIN.LOCAL:88
default_domain = YOURDOMAIN.LOCAL
}

[domain_realm]
# keys are DNS domain names (lower case); values are realm names (upper case)
.yourdomain.local = YOURDOMAIN.LOCAL
yourdomain.local = YOURDOMAIN.LOCAL

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
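
Both causes named above can be checked in one pass: read the default realm and its kdc entries out of a krb5.conf and test whether each KDC host name resolves. This is an added example, not part of the original post; the function names kdc_hosts and unresolved_kdcs and the sample host dc1.yourdomain.invalid are hypothetical, and only plain `kdc = host[:port]` lines are handled.

```python
import re
import socket

# Constructed sample; dc1.yourdomain.invalid is a placeholder that never resolves.
SAMPLE = """\
[libdefaults]
default_realm = YOURDOMAIN.LOCAL
[realms]
YOURDOMAIN.LOCAL = {
  kdc = dc1.yourdomain.invalid:88
  kdc = localhost
}
"""

def kdc_hosts(conf_text):
    """Return (default_realm, [(host, port)]); the realm match is case-sensitive."""
    section = in_realm = default_realm = None
    kdcs = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, in_realm = header.group(1), None
        elif line == "}":
            in_realm = None
        elif section == "libdefaults" and key == "default_realm":
            default_realm = value
        elif section == "realms" and value == "{":
            in_realm = key
        elif in_realm and key == "kdc":
            host, _, port = value.partition(":")  # IPv6 literals out of scope
            kdcs.setdefault(in_realm, []).append((host, int(port or 88)))
    return default_realm, kdcs.get(default_realm, [])

def unresolved_kdcs(conf_text, resolve=socket.getaddrinfo):
    """Return the default realm's KDC host names that fail to resolve."""
    bad = []
    for host, port in kdc_hosts(conf_text)[1]:
        try:
            resolve(host, port)
        except OSError:  # socket.gaierror is a subclass of OSError
            bad.append(host)
    return bad

if __name__ == "__main__":
    print(kdc_hosts(SAMPLE), "unresolved:", unresolved_kdcs(SAMPLE))
```

An empty KDC list for a realm you expected to find usually points at a capitalization mismatch between default_realm and the [realms] stanza; a non-empty unresolved list points at DNS or /etc/hosts.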


Posted February 9, 2017 by Timothy Conrad in category "Linux"
