Problem: kinit unable to reach any KDC in realm
root@master:~# kinit Administrator
Administrator@MULTI.UCS's Password:
kinit: krb5_get_init_creds: unable to reach any KDC in realm MULTI.UCS
Investigation & Solution
Step 1
Regenerate the Kerberos configuration file from the Univention Configuration Registry (UCR) and check its content: the kdc and kpasswd_server entries of your realm must point to localhost (127.0.0.1), i.e. the KDC running on the host itself.
root@master:~# ucr commit /etc/krb5.conf
root@master:~# cat /etc/krb5.conf
[...]
[realms]
    MULTI.UCS = {
        acl_file = /var/lib/heimdal-kdc/kadmind.acl
        kdc = 127.0.0.1
        admin_server = master.multi.ucs
        kpasswd_server = 127.0.0.1
    }
    MULTI = {
        kdc = 127.0.0.1
        admin_server = master.multi.ucs
        default_domain = multi.ucs
    }
[kdc]
    hdb-ldap-create-base = cn=kerberos,dc=multi,dc=ucs
    v4-realm = MULTI.UCS
[kadmin]
    v4-realm = MULTI.UCS
    database = {
        label = {
            acl_file = /var/lib/heimdal-kdc/kadmind.acl
            dbname = ldap:dc=multi,dc=ucs
            realm = MULTI.UCS
            log_file = /var/log/heimdal-database.log
            mkey_file = /var/heimdal/m-key
        }
    }
Step 2
Verify DNS resolution.
Regenerate /etc/resolv.conf, restart the name server and query the SRV record of the Primary Directory Node (domaincontroller_master) against the local name server. If the output does not look similar to the one shown below, troubleshoot the DNS settings first.
root@master:~# ucr commit /etc/resolv.conf
root@master:~# systemctl restart bind9
root@master:~# host -t srv "_domaincontroller_master._tcp.$(ucr get domainname)." 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:
_domaincontroller_master._tcp.multi.ucs has SRV record 0 0 0 master.multi.ucs.
Step 3
There might be an invalid entry in your DNS zone. Check by listing the complete zone (host -la performs a zone transfer, AXFR) and look for records that do not belong there:
root@ucs:~# host -la multi.ucs
Trying "multi.ucs"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14472
;; flags: qr aa ra; QUERY: 1, ANSWER: 93, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;multi.ucs. IN AXFR
;; ANSWER SECTION:
multi.ucs. 10800 IN SOA ucsmulti.ucs. root.multi.ucs. 154 28800 7200 604800 3600
[...]
*.multi.ucs. 900 IN NS dns1.provider.net.
Here the customer had added a wildcard NS record (*.multi.ucs) to hand every hostname that is not configured locally over to an external DNS server. This cannot work because of how DNS works: the local server is authoritative for multi.ucs, so a wildcard NS record turns every name missing from the zone into a referral to the external server instead of an authoritative answer, and wildcard NS records are not a defined delegation mechanism. Remove the wildcard record.
Instead, maintain the required external entries in the UCS zone manually, keeping them in sync with the external ones.
Step 4
If Samba is installed, check the Samba interface settings. When samba/interfaces/bindonly is set to "yes", interfaces/primary must also be set; otherwise Samba, which provides the KDC on Samba/AD hosts, does not listen on the primary interface.
root@master:~# ucr dump | grep -E "samba/interfaces|interfaces/primary"
interfaces/primary: ens192
samba/interfaces/bindonly: yes
samba/interfaces: lo <interfaces/primary>
After changing any of the above variables, restart Samba:
root@master:~# /etc/init.d/samba restart
Step 5
Make sure the heimdal-kdc service is running on all hosts that do NOT have Samba installed (on Samba/AD hosts the KDC is provided by Samba instead):
systemctl start heimdal-kdc
Verify with:
root@ucs-slave:~# ps ax | grep heimdal
19831 pts/10 S+ 0:00 grep heimdal
29181 ? S 0:00 /usr/lib/heimdal-servers/kdc --config-file=/etc/heimdal-kdc/kdc.conf
29186 ? S 0:00 /usr/lib/heimdal-servers/kdc --config-file=/etc/heimdal-kdc/kdc.conf
29196 ? S 0:00 /usr/lib/heimdal-servers/kdc --config-file=/etc/heimdal-kdc/kdc.conf
Also make sure the kpasswdd process is running on the master (again, only when Samba is not installed), as it serves password changes for the realm:
root@ucs-master:~# /usr/lib/heimdal-servers/kpasswdd &
root@ucs-master:~# ps ax | grep passwd
11611 pts/0 S 0:00 /usr/lib/heimdal-servers/kpasswdd
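The five steps above can be scripted. The following POSIX shell script is an added example and not part of the original article or of UCS itself. Each check is a function that reads the data to inspect from stdin, so it can be run against the constructed sample data embedded in the script (modelled on the output shown above) or against the live files and commands; the live run assumes the UCR variables kerberos/realm and domainname exist and that the heimdal KDC binary lives at /usr/lib/heimdal-servers/kdc as shown in Step 5.

```shell
#!/bin/sh
# Added example (not UCS code): automates the checks of Steps 1-5.
# Constructed sample data, modelled on the article's output.
sample_krb5_conf() {
cat <<'EOF'
[realms]
    MULTI.UCS = {
        acl_file = /var/lib/heimdal-kdc/kadmind.acl
        kdc = 127.0.0.1
        admin_server = master.multi.ucs
        kpasswd_server = 127.0.0.1
    }
[kdc]
    v4-realm = MULTI.UCS
EOF
}
sample_zone_dump() {   # shape of "host -la multi.ucs" answer lines
cat <<'EOF'
multi.ucs. 10800 IN SOA master.multi.ucs. root.multi.ucs. 154 28800 7200 604800 3600
_domaincontroller_master._tcp.multi.ucs. 900 IN SRV 0 0 0 master.multi.ucs.
*.multi.ucs. 900 IN NS dns1.provider.net.
EOF
}
sample_ucr_dump() {    # shape of "ucr dump" lines
cat <<'EOF'
interfaces/primary: ens192
samba/interfaces/bindonly: yes
samba/interfaces: lo <interfaces/primary>
EOF
}

# Step 1: print every "kdc =" value inside the given realm's block of a
# krb5.conf read from stdin (only the [realms] section is considered).
krb5_kdc_for_realm() {
    awk -v realm="$1" '
        $1 ~ /^\[/                             { in_realms = ($1 == "[realms]"); next }
        in_realms && $1 == realm && $3 == "{"  { in_block = 1; next }
        in_block && $1 == "}"                  { in_block = 0 }
        in_block && $1 == "kdc"                { print $3 }
    '
}
# Succeeds only if the realm has at least one kdc entry and all are 127.0.0.1.
krb5_kdc_is_local() {
    kdcs=$(krb5_kdc_for_realm "$1")
    [ -n "$kdcs" ] || return 1
    for k in $kdcs; do [ "$k" = "127.0.0.1" ] || return 1; done
}
# Step 2: print the SRV target of a service name from a zone listing on stdin.
srv_target() {
    awk -v name="$1" '$1 == name && $4 == "SRV" { print $8 }'
}
# Step 3: count wildcard NS records (owner starting with "*.") in a zone listing.
wildcard_ns_count() {
    awk '$1 ~ /^\*\./ && $4 == "NS" { n++ } END { print n + 0 }'
}
# Step 4: fail when samba/interfaces/bindonly is yes but interfaces/primary is empty.
samba_bindonly_consistent() {
    awk '
        $1 == "samba/interfaces/bindonly:" { bindonly = $2 }
        $1 == "interfaces/primary:"        { primary = $2 }
        END { exit (bindonly == "yes" && primary == "") ? 1 : 0 }
    '
}
# Steps 1-5 against the live system; run as root on a UCS host with "--live".
run_live_checks() {
    realm=$(ucr get kerberos/realm); domain=$(ucr get domainname)
    krb5_kdc_is_local "$realm" < /etc/krb5.conf \
        || echo "WARN: kdc for $realm in /etc/krb5.conf is not 127.0.0.1"
    zone=$(mktemp); host -la "$domain" 127.0.0.1 > "$zone" 2>/dev/null
    [ -n "$(srv_target "_domaincontroller_master._tcp.$domain." < "$zone")" ] \
        || echo "WARN: no SRV record for _domaincontroller_master._tcp.$domain"
    [ "$(wildcard_ns_count < "$zone")" -eq 0 ] \
        || echo "WARN: wildcard NS record present in zone $domain (Step 3)"
    rm -f "$zone"
    ucr dump | samba_bindonly_consistent \
        || echo "WARN: samba/interfaces/bindonly=yes but interfaces/primary unset"
    pgrep -f /usr/lib/heimdal-servers/kdc > /dev/null \
        || echo "NOTE: no heimdal kdc process (required on hosts without Samba)"
}
if [ "${1:-}" = "--live" ]; then run_live_checks; fi
```

Run it without arguments to load the functions (e.g. `. ./kdc-checks.sh`) and try them on the samples, for example `sample_zone_dump | wildcard_ns_count` prints 1 because of the wildcard NS record from Step 3; `sh kdc-checks.sh --live` performs the same checks on the host and prints a WARN line for each finding.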