Error: Cannot contact any KDC for realm while getting initial credentials

I’ve been testing FreeIPA on a small network of CentOS 7 hosts (all virtual machines running in VirtualBox on a host-only network). After installing the IPA server on one host and creating the realm (IPA.OSRIC.NET), I installed the IPA client on one of the other hosts and tried running kinit:

# kinit admin
kinit: Cannot contact any KDC for realm 'IPA.OSRIC.NET' while getting initial credentials

Searching for that error brought me to “Kinit won’t connect to a domain server”. Although that did not describe the same issue, it did point me to the /etc/krb5.conf file. The realms section looked like it was missing something:

[realms]
  IPA.OSRIC.NET = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt

  }

I added a kdc attribute:

[realms]
  IPA.OSRIC.NET = {
    kdc = prospero.osric.net:88
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

No restart of any service was necessary. I ran kinit again and it worked:

# kinit admin
Password for admin@IPA.OSRIC.NET:

According to the krb5.conf documentation on realms:

kdc
The name or address of a host running a KDC for that realm. An optional port number, separated from the hostname by a colon, may be included.

I’m a Kerberos novice, but that seems like a necessary property. I’m not sure why the IPA client setup did not include it. I have a few more virtual machines to install the client on, so I’ll soon find if that behavior is consistent on subsequent installations.

2 thoughts on “Error: Cannot contact any KDC for realm while getting initial credentials”

  1. ipa-client-install normally tries to determine the kdc servers via DNS. Since I had not configured SRV records for _ldap._tcp.ipa.osric.net or _ldap._tcp.osric.net, the installer found no kdc servers.

    As the man page for ipa-client-install indicates:

    If DNS autodiscovery is not available, clients should be configured at least with a fixed list of IPA servers that can be used in case of a failure.

    And for the --server option:

    When this option is used, DNS autodiscovery for Kerberos is disabled and a fixed list of KDC and Admin servers is configured.

    On a subsequent install, I specified the domain and server:
    ipa-client-install --domain ipa.osric.net --server prospero.osric.net

    That worked, and added several additional lines to the realms definition:

    [realms]
      IPA.OSRIC.NET = {
        kdc = prospero.osric.net:88
        master_kdc = prospero.osric.net:88
        admin_server = prospero.osric.net:749
        kpasswd_server = prospero.osric.net:464
        default_domain = ipa.osric.net
        pkinit_anchors = FILE:/etc/ipa/ca.crt
      }
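To spot the state described in the post and in the comment above (a realm block that ipa-client-install left without a kdc entry, so kinit has nothing to contact unless DNS SRV discovery works), here is an added shell diagnostic that is not part of the original post. The sample realm blocks it writes are constructed from the two krb5.conf excerpts shown above; the function and file names are my own.

```shell
#!/bin/sh
# Added diagnostic, not from the original post: print the kdc hosts that a
# krb5.conf declares for a realm and fail when there are none, the state that
# produces "Cannot contact any KDC for realm" when DNS autodiscovery also fails.
check_realm_kdc() {
    realm="$1"
    conf="${2:-/etc/krb5.conf}"
    # Body of "REALM = { ... }", taken from the [realms] section only.
    block=$(awk -v realm="$realm" '
        /^[ \t]*\[/ { section = $1; inblock = 0 }
        section == "[realms]" && $1 == realm && $2 == "=" { inblock = 1; next }
        inblock && /^[ \t]*}/ { inblock = 0 }
        inblock { print }
    ' "$conf")
    if [ -z "$block" ]; then
        echo "realm $realm is not defined in $conf" >&2
        return 2
    fi
    kdcs=$(printf '%s\n' "$block" | awk '$1 == "kdc" { print $3 }')
    if [ -z "$kdcs" ]; then
        echo "no kdc entry for $realm in $conf; kinit depends on DNS SRV lookup" >&2
        return 1
    fi
    printf '%s\n' "$kdcs"
}

# Constructed sample realm block: as ipa-client-install wrote it (no kdc), or
# with the kdc line from the post added. $1 = output file, $2 = broken|fixed.
write_sample() {
    if [ "$2" = fixed ]; then kdcline='    kdc = prospero.osric.net:88'; else kdcline=''; fi
    printf '%s\n' '[realms]' '  IPA.OSRIC.NET = {' "$kdcline" \
        '    pkinit_anchors = FILE:/etc/ipa/ca.crt' '  }' \
        '[domain_realm]' '  .osric.net = IPA.OSRIC.NET' > "$1"
}

# Run both samples; compare with the two kinit attempts in the post.
demo() {
    tmp=$(mktemp)
    for state in broken fixed; do
        write_sample "$tmp" "$state"
        if check_realm_kdc IPA.OSRIC.NET "$tmp"; then
            echo "$state config: kinit has a configured KDC"
        else
            echo "$state config: no KDC configured, kinit would fail"
        fi
    done
    rm -f "$tmp"
}
demo
```

Run against the real file with `check_realm_kdc IPA.OSRIC.NET /etc/krb5.conf`; a non-zero exit means kinit will only succeed if the _kerberos SRV records the client needs actually resolve.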
