Kinit & pam_sss: Cannot find KDC for requested realm while getting initial credentials

active-directorykerberospamsssdwindows-server-2008-r2

I have a very similar problem as described in this thread on CentOS 6.3 authenticating against a 2008R2 AD DC.

Here is my krb5.conf, I know for a fact that XXXXXXX.LOCAL is the true domain name:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = XXXXXXX.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 verify_ap_req_nofail = false

[realms]
 XXXXXXX.LOCAL = {
 kdc = ad1.XXXXXXX.local
 kdc = ad2.XXXXXXX.local
 admin_server = ad1.XXXXXXX.local
 default_domain = XXXXXXX.LOCAL
}

[domain_realm]
 .XXXXXXX.local = XXXXXXX.LOCAL
 XXXXXXX.local = XXXXXXX.LOCAL
 .XXXXXXX.com = XXXXXXX.LOCAL
 XXXXXXX.com = XXXXXXX.LOCAL

When I do a:

kinit username@XXXXXXX.LOCAL

Everything works as intended, klist -e returns the details it should however when I try to:

su username

The sssd krb5_child.log shows the following:

[unpack_buffer] (0x0100): cmd [241] uid [10002] gid [10002] validate [false] offline [false] UPN [username@XXXXXXX.COM]
[unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_10002_XXXXXX] keytab: [/etc/krb5.keytab]
[krb5_child_setup] (0x0400): Will perform online auth
[krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
[krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
[krb5_set_canonicalize] (0x0100): SSSD_KRB5_CANONICALIZE is set to [false]
[krb5_child_setup] (0x0100): Not using FAST.
[get_and_save_tgt] (0x0400): Attempting kinit for realm [XXXXXXX.COM]
[get_and_save_tgt] (0x0020): 977: [-1765328230][Cannot find KDC for requested realm]
[kerr_handle_error] (0x0020): 1030: [-1765328230][Cannot find KDC for requested realm]
[prepare_response_message] (0x0400): Building response for result [-1765328230]
[main] (0x0400): krb5_child completed successfully

I also know that XXXXXXX.COM is an alias for XXXXXXX.LOCAL in the AD tree and that running:

kinit username@XXXXXXX.COM

produces exactly the same error as in the krb5_child.log

kinit: Cannot find KDC for requested realm while getting initial credentials

I've been banging my head against the wall for several days on this problem and would appreciate any pointers. 🙂

Best Answer

What you deal with is called enterprise principals. You have a single AD domain but users can have additional user principal names (UPN) associated, so in addition to XXXX.LOCAL they can have XXXX.COM and use user@XXXX.COM in place of user@XXXX.LOCAL.

SSSD does support enterprise principals starting with 1.10. There were few bugs in the implementation that affected 1.10 beta releases but they are solved prior to the final release which is available in Fedora 19+.

However, this change is not available in RHEL 6.x (or CentOS 6.x for that matter) since support for enterprise principals is relatively invasive and was not backported to 1.9.x.

You may be interested to look for details at https://bugzilla.redhat.com/show_bug.cgi?id=972357 and https://bugzilla.redhat.com/show_bug.cgi?id=924404

Related Solutions

Kinit Connection Issues – Realm Not Local to KDC While Getting Initial Credentials

Is your domain name DS.DOMAIN.COM or just DOMAIN.COM ?

In your realms you need to have them match, so assuming that DS.DOMAIN.COM is your domain you need to change:

[domain_realm]
    .domain.com = DS.DOMAIN.COM
    domain.com = DS.DOMAIN.COM

[domain_realm]
    .ds.domain.com = DS.DOMAIN.COM
    ds.domain.com = DS.DOMAIN.COM

However, if you domain is really DOMAIN.COM you would need to change your krb5.conf to look like:

[libdefaults]
default = DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
    DOMAIN.COM = {
        kdc = ds.domain.com:88
        #You can have more than one kds, just keep adding more kdc =
        #entries
        #kdc = dsN.domain.com:88
        #Uncomment if you have a krb admin server
        #admin_server = ds.domain.com:749
        default_domain = domain.com
    }

[domain_realm]
    .domain.com = DOMAIN.COM
    domain.com = DOMAIN.COM

And then you would kinit like so: kinit Administrator@DOMAIN.COM

Redhat – RHEL 5.8 Kerberos Active Directory Windows 2003 Server SP2

When using kinit with a keytab it in necessary to provide the principle you wish to authenticate as. This is probably because keytabs can contain more than one principle.

[root@dhcp2 ~]# kinit -k
kinit(v5): Cannot resolve network address for KDC in realm  while getting initial credentials
[root@dhcp2 ~]# kinit -k  host/dhcp2.domain.tld
[root@dhcp2 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/dhcp2.domain.tld@DOMAIN.TLD

Valid starting     Expires            Service principal
07/29/12 19:27:49  07/30/12 07:27:49  krbtgt/DOMAIN.TLD@DOMAIN.TLD
        renew until 07/30/12 19:27:49


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Best Answer

Related Solutions

Kinit Connection Issues – Realm Not Local to KDC While Getting Initial Credentials

Redhat – RHEL 5.8 Kerberos Active Directory Windows 2003 Server SP2

Related Topic