PAM-Kerberos setup: cannot find KDC for requested realm while getting initial credentials

Patrick_VDV

We are trying to set up AD authentication to W2008 and W2012 DC/KDCs with the following software:

  • PAM-Kerberos D.01.26 PAM-Kerberos Version 1.26
  • krb5client E.1.6.2.10 Kerberos V5 Client Version 1.6.2.10
  • HPUX11i-VSE-OE B.11.31.1303 HP-UX Virtual Server Operating Environment

And the following specs:

  • HP-UX Client name: B04-VSP6
  • DC/KDCs: mut0138wi.mgt.adms/nrbnrw0251.mgt.adms/mut0137wi.mgt.adms/nrbnrw0252.mgt.adms
  • KRB REALM: MGT.ADMS
  • DNS domain: nrb.be
  • user logon: a0p99999

We have configured:

  • the UPN in AD & created a keytab file
  • ldapux (w/ proxy user). ldapcinfo checks pass and ldapsearch with personal credentials works too (bind==OK)
  • /etc/krb5.conf & /etc/krb5.keytab
  • /etc/pam.conf & /etc/nsswitch.conf for LDAP auth
  • /etc/opt/ssh/sshd_config for KRB auth

However, when requesting a Kerberos ticket we get:

  1. kinit -v -kt /etc/krb5.keytab : kinit(v5): Cannot find KDC for requested realm while getting initial credentials
  2. kinit -v -kt /etc/krb5.keytab host/B04-VSP6@MGT.ADMS : works
  3. kinit -v -kt /etc/krb5.keytab a0p99999 : works

pamkrbval shows:

root@B04-VSP6:/tmp # pamkrbval -v -a ia64

Validating the pam configuration files
 ---------- --- --- ------------- -----
Validating the /etc/pam.conf file

[LOG] : The /etc/pam.conf files permissions are fine
[LOG] : Opened : /etc/pam.conf

[PASS] : The validation of config file: /etc/pam.conf passed
[NOTICE] : The validation of config file: /etc/pam_user.conf is not done
 as libpam_updbe library is not configured


Validating the kerberos config file
 ---------- --- -------- ------ -----
[PASS] : Initialization of kerberos passed


Connecting to default Realm
 ---------- -- ------- -----

[LOG] : The default realm is : MGT.ADMS
[LOG] : KDC hosts for realm MGT.ADMS :nrbnrw0251.MGT.ADMS
[LOG] : Trying to contact KDC for realm MGT.ADMS...
[LOG] : Realm MGT.ADMS is answering ticket requests
[PASS] : Default Realm is issuing tickets


Validating the keytab entry for the host service principal
 ---------- --- ------ ----- --- --- ---- ------- ---------
[LOG] : Host B04-VSP6, aka B04-VSP6.
[LOG] : The default keytab name is : /etc/krb5.keytab
[LOG] : Keytab file /etc/krb5.keytab is present
[LOG] : Permissions on /etc/krb5.keytab are correct.
[LOG] : Key table entry not found while getting the keytab entry from /etc/krb5.keytab
[LOG] : Checking whether host service principal is present on the KDC
[LOG] : Pinging KDC to verify whether host/b04-vsp6@ exists
[WARNING] : host/b04-vsp6@ found on KDC but not found in keytab file
[WARNING] : The keytab validation had warnings


Validating the rc_host file for ownership
-------- ------ ---- -------- ------ -----
[LOG] : rc_host file /usr/tmp/rc_host_0 is not present on the system
[PASS] :The Validation of rc_host file:/usr/tmp/rc_host_0 is successful

When attempting an SSH/Telnet logon, PAM debug shows:

Oct 28 09:59:24 B04-VSP6 sshd[17351]: pam_authenticate: error Authentication failed

Oct 28 09:59:24 B04-VSP6 sshd[17351]: PAM_LDAP auth-bind got HP_LDAP_NOTFOUND

Network traces taken during the different kinit/pamkrbval runs show that:

  • pamkrbval: hostname (FQHN) is not passed to the KDC in the packets
  • kinit -v -kt /etc/krb5.keytab host/B04-VSP6@MGT.ADMS : hostname (FQHN) is correctly passed to the KDC in the packets

The /etc/krb5.conf looks like:

[libdefaults]
 default_realm = MGT.ADMS
 default_tgs_enctypes = DES-CBC-CRC RC4-HMAC DES-CBC-MD5
 default_tkt_enctypes = DES-CBC-CRC RC4-HMAC DES-CBC-MD5
 dns_lookup_kdc = false
 dns_lookup_realm = false
 ccache_type = 2
 rdns = false

[realms]
 MGT.ADMS = {
 kdc = nrbnrw0251.MGT.ADMS:88
 kdc = nrbnrw0252.MGT.ADMS:88
 kdc = mut0137wi.MGT.ADMS:88
 kdc = mut0138wi.MGT.ADMS:88
 kpasswd_server = nrbnrw0251.MGT.ADMS:464
 admin_server = nrbnrw0251.MGT.ADMS:749
 }

[domain_realm]
 .nrb.be = MGT.ADMS

[logging]
 kdc = FILE:/var/adm/krb5kdc.log
 admin_server = FILE:/var/adm/kadmin.log
 default = FILE:/var/adm/krb5lib.log

The /etc/krb5.keytab:

# klist -tk /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
  15 01/01/70 01:00:00 host/B04-VSP6@MGT.ADMS

Any help is much appreciated because we have been running around in circles for days.