Kinit Connection Issues – Realm Not Local to KDC While Getting Initial Credentials

Tags: active-directory, kerberos, kinit, linux

I am setting up a testbed environment where Linux (Ubuntu 10.04) clients will authenticate to a Windows Server 2008 R2 Domain Server.

I am following the official Ubuntu guide to set up a Kerberos client here: https://help.ubuntu.com/community/Samba/Kerberos, but I have encountered a problem when running the kinit command to connect to the domain server.

The command I am running is: kinit Administrator@DS.DOMAIN.COM. This command returns the following error:

    Realm not local to KDC while getting initial credentials

Unfortunately, I cannot find anyone else via Google searches who has experienced this exact error, so I have no idea what it means.

The client is able to ping the server's hostname, so the DNS server is pointing to the domain server.

Below is my krb5.conf file:

[libdefaults]
# the key libkrb5 reads is default_realm, not default
default_realm = DS.DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
    DS.DOMAIN.COM = {
        kdc = ds.domain.com:88
        admin_server = ds.domain.com
        default_domain = domain.com
    }

[domain_realm]
    .domain.com = DS.DOMAIN.COM
    domain.com = DS.DOMAIN.COM

How can I correct these errors? I would greatly appreciate all help I can get!

Best Answer

Is your domain name DS.DOMAIN.COM or just DOMAIN.COM?

In your realms you need to have them match, so assuming that DS.DOMAIN.COM is your domain you need to change:

[domain_realm]
    .domain.com = DS.DOMAIN.COM
    domain.com = DS.DOMAIN.COM

to

[domain_realm]
    .ds.domain.com = DS.DOMAIN.COM
    ds.domain.com = DS.DOMAIN.COM

However, if your domain is really DOMAIN.COM you would need to change your krb5.conf to look like:

[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
    DOMAIN.COM = {
        kdc = ds.domain.com:88
        # You can have more than one KDC; just keep adding more kdc =
        # entries
        #kdc = dsN.domain.com:88
        #Uncomment if you have a krb admin server
        #admin_server = ds.domain.com:749
        default_domain = domain.com
    }

[domain_realm]
    .domain.com = DOMAIN.COM
    domain.com = DOMAIN.COM

And then you would kinit like so: kinit Administrator@DOMAIN.COM
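The answer comes down to three things having to agree: the realm in the principal you pass to kinit, the realm block under [realms] that names the KDC, and the [domain_realm] mapping for the KDC's own host name. Below is an added example, not code from the original thread, of a small checker that reads a krb5.conf and reports exactly those disagreements, plus the two syntax slips that are easy to make in this file (a bare `default` key instead of `default_realm`, and a directive with no `=`). The host-to-realm lookup mirrors how libkrb5 walks [domain_realm] (exact host first, then each parent domain with a leading dot). Both sample configs are constructed for this example; the "good" one is the answer's DOMAIN.COM config.

```python
"""Added example (not from the original thread): lint a krb5.conf for the
realm/KDC/domain_realm mismatches discussed in the answer."""
import re

# Constructed sample: bare 'default' key, a missing '=', and a [domain_realm]
# that points at a realm with no [realms] block.
BAD_CONF = """[libdefaults]
default = DS.DOMAIN.COM
dns_lookup_kdc true

[realms]
    DS.DOMAIN.COM = {
        kdc = ds.domain.com:88
    }

[domain_realm]
    .domain.com = DOMAIN.COM
"""

# Constructed sample: the answer's corrected config for a DOMAIN.COM realm.
GOOD_CONF = """[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
    DOMAIN.COM = {
        kdc = ds.domain.com:88
        default_domain = domain.com
    }

[domain_realm]
    .domain.com = DOMAIN.COM
    domain.com = DOMAIN.COM
"""


def parse_krb5_conf(text):
    """Parse the krb5.conf profile format into {section: {key: value}}.
    NAME = { ... } blocks become nested dicts; a repeated key inside a block
    (several kdc = lines) is collected into a list. Returns (sections,
    [(lineno, message), ...]) where the list holds syntax problems."""
    sections, problems = {}, []
    section = block = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1].strip(), None
            sections.setdefault(section, {})
            continue
        if section is None:
            problems.append((lineno, "directive before any [section] header"))
            continue
        if line == "}":
            block = None
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            block = m.group(1)
            sections[section][block] = {}
            continue
        key, eq, value = line.partition("=")
        if not eq:
            problems.append((lineno, f"missing '=' in {line!r}"))
            continue
        key, value = key.strip(), value.strip()
        target = sections[section][block] if block else sections[section]
        if key in target:  # e.g. a second kdc = line in the same realm
            old = target[key]
            target[key] = (old if isinstance(old, list) else [old]) + [value]
        else:
            target[key] = value
    return sections, problems


def realm_for_host(host, domain_realm):
    """Resolve a host to a realm via [domain_realm] the way libkrb5 does:
    the exact host name first, then '.parent.domain' suffixes, shortest
    last. None means no mapping (krb5 would fall back to DNS/default_realm)."""
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return None


def check_kinit_config(text, principal):
    """Return the problems that would keep `kinit principal` from reaching a
    consistently configured KDC with this krb5.conf; [] if it is consistent."""
    conf, syntax = parse_krb5_conf(text)
    problems = [f"line {n}: {msg}" for n, msg in syntax]
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    domain_realm = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}

    if "default" in libdefaults and "default_realm" not in libdefaults:
        problems.append("[libdefaults] sets 'default'; libkrb5 reads 'default_realm'")
    if libdefaults.get("default_realm") not in (None, *realms):
        problems.append(f"default_realm {libdefaults['default_realm']} has no [realms] entry")
    for pattern, realm in domain_realm.items():
        if realm not in realms:
            problems.append(f"[domain_realm] maps {pattern} to {realm}, which has no [realms] entry")

    _, at, realm = principal.rpartition("@")
    realm = realm if at else libdefaults.get("default_realm")
    if realm is None:
        problems.append(f"{principal} names no realm and no default_realm is set")
    elif realm not in realms:
        problems.append(f"principal realm {realm} has no [realms] entry")
    elif "kdc" not in realms[realm]:
        problems.append(f"realm {realm} lists no kdc =")
    else:
        kdcs = realms[realm]["kdc"]
        for kdc in (kdcs if isinstance(kdcs, list) else [kdcs]):
            host = kdc.rsplit(":", 1)[0]  # drop the optional :port
            mapped = realm_for_host(host, domain_realm)
            if mapped not in (None, realm):
                problems.append(f"kdc {host} serves {realm} but [domain_realm] maps it to {mapped}")
    return problems
```

Run `check_kinit_config(GOOD_CONF, "Administrator@DS.DOMAIN.COM")` and you get the config-side view of the thread's error: the principal names a realm that has no [realms] block, while the same file with `Administrator@DOMAIN.COM` comes back clean. What no local check can tell you is which realm the KDC actually serves; for Active Directory that is the domain's DNS name in upper case, and when `dns_lookup_kdc = true` libkrb5 finds the KDCs through the `_kerberos._tcp.<domain>` SRV records the domain controller publishes, so the realm you put in the principal has to be the one those records belong to.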