{"id":1682,"date":"2017-01-11T14:35:36","date_gmt":"2017-01-11T19:35:36","guid":{"rendered":"http:\/\/osric.com\/chris\/accidental-developer\/?p=1682"},"modified":"2017-01-12T18:29:55","modified_gmt":"2017-01-12T23:29:55","slug":"error-cannot-contact-any-kdc-for-realm-while-getting-initial-credentials","status":"publish","type":"post","link":"https:\/\/osric.com\/chris\/accidental-developer\/2017\/01\/error-cannot-contact-any-kdc-for-realm-while-getting-initial-credentials\/","title":{"rendered":"Error: Cannot contact any KDC for realm while getting initial credentials"},"content":{"rendered":"<p>I&#8217;ve been testing <a href=\"https:\/\/www.freeipa.org\/\">FreeIPA<\/a> on a small network of <a href=\"https:\/\/www.centos.org\/\">CentOS<\/a> 7 hosts (all virtual machines running in <a href=\"https:\/\/www.virtualbox.org\/wiki\/VirtualBox\">VirtualBox<\/a> on a host-only network). After installing the IPA server on one host and creating the realm (IPA.OSRIC.NET), I installed the IPA client on one of the other hosts and tried running <code>kinit<\/code>:<\/p>\n<p><code># kinit admin<br \/>\nkinit: Cannot contact any KDC for realm 'IPA.OSRIC.NET' while getting initial credentials<\/code><\/p>\n<p>Searching for that error brought me to <a href=\"http:\/\/serverfault.com\/questions\/166768\/kinit-wont-connect-to-a-domain-server-realm-not-local-to-kdc-while-getting-in\">Kinit won&#8217;t connect to a domain server<\/a>. Although that did not describe the same issue, it did point me to the <code>\/etc\/krb5.conf<\/code> file. The <code>realms<\/code> section looked like it was missing something:<\/p>\n<pre><code>[realms]\r\n  IPA.OSRIC.NET = {\r\n    pkinit_anchors = FILE:\/etc\/ipa\/ca.crt\r\n\r\n  }<\/code><\/pre>\n<p>I added a <code>kdc<\/code> attribute:<\/p>\n<pre><code>[realms]\r\n  IPA.OSRIC.NET = {\r\n    kdc = prospero.osric.net:88\r\n    pkinit_anchors = FILE:\/etc\/ipa\/ca.crt\r\n \r\n  }<\/code><\/pre>\n<p>No restart of any service was necessary. I ran kinit again and it worked:<\/p>\n<p><code># kinit admin<br \/>\nPassword for admin@IPA.OSRIC.NET:<\/code><\/p>\n<p>According to the <a href=\"http:\/\/web.mit.edu\/Kerberos\/krb5-1.12\/doc\/admin\/conf_files\/krb5_conf.html#realms\">krb5.conf documentation on realms<\/a>:<\/p>\n<blockquote><p><strong>kdc<\/strong><br \/>\nThe name or address of a host running a KDC for that realm. An optional port number, separated from the hostname by a colon, may be included.<\/p><\/blockquote>\n<p>I&#8217;m a Kerberos novice, but that seems like a necessary property. I&#8217;m not sure why the IPA client setup did not include it. I have a few more virtual machines to install the client on, so I&#8217;ll soon find if that behavior is consistent on subsequent installations.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A FreeIPA client machine fails to contact a KDC realm when running kinit. It turns out, no kdc was defined in the krb5.conf file. Once that was defined, kinit was successful.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[422],"tags":[414,415,417,418,419,420,421],"class_list":["post-1682","post","type-post","status-publish","format-standard","hentry","category-sysadmin","tag-centos","tag-centos-7","tag-freeipa","tag-kerberos","tag-kinit","tag-realm","tag-virtualbox"],"_links":{"self":[{"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/posts\/1682","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/comments?post=1682"}],"version-history":[{"count":5,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/posts\/1682\/revisions"}],"predecessor-version":[{"id":1688,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/posts\/1682\/revisions\/1688"}],"wp:attachment":[{"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/media?parent=1682"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/categories?post=1682"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/tags?post=1682"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}