Folks,
I'm trying to track down a kerberos weirdness and would appreciate some help.
I'm using a krb5.conf from my production RHEL5 machines on F11 which is set to look up the KDCs using DNS for the EOS.NCSU.EDU realm. A kinit -5 <username> returns the following:
kinit(v5): Cannot resolve network address for KDS in realm EOS.NCSU.EDU while getting initial credentials
If I turn on the nscd daemon the above kinit command works as expected and I have tickets. Turn nscd off, and the above error returns.
I've strace'd kinit and I see it pulling down the KDC DNS names but I can't figure out what is happening to produce the error. Thoughts?
Jack Neely
On 06/30/2009 09:13 PM, Jack Neely wrote:
> kinit(v5): Cannot resolve network address for KDS in realm
3 things off the top of my rusty head..
First, broken DNS setup: make sure you can test it with the usual lookup procedures...
Second, different domains for KDC and LDAP client.
Try mapping the FQDN LDAP domain name to the KDC domain name in /etc/krb5.conf.
[domain_realm] .fqdn.forldap.nscu.edu =eos.nscu.edu
Thirdly, try adding "single-request" to the options in /etc/resolv.conf. # Just some recently made changes I keep in the back of my head
+Boost up the loglevel in nscd and see if it spits out something useful..
Add these lines to /etc/nscd.conf to enable nscd logging:
logfile /var/log/nscd.log # note you need to create the file first..
debug-level 10
Start with this; I'm going to see if I can duplicate this @ work tomorrow...
JBG
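The "usual lookup procedures" for a DNS-located KDC are two steps: find the _kerberos._udp.<REALM> SRV records, then resolve each SRV target to an address. The error in the original post comes from the second step failing after the first succeeded, which is exactly the nscd-on/nscd-off difference described. The following script is an added example, not code from either poster: it parses dig-style SRV answer lines (constructed sample data with made-up KDC host names; only the realm EOS.NCSU.EDU is taken from the thread), orders the targets by priority and weight, and then reports which targets fail to resolve. The resolver is pluggable so the check can be run offline against a constructed hosts table or against the system resolver via socket.gethostbyname.

```python
"""Replay the DNS steps kinit takes when dns_lookup_kdc is in effect:
SRV lookup for _kerberos._udp.<REALM>, then an address lookup per target.
The second step is where "Cannot resolve network address for KDC in realm"
is raised: SRV data can be present while the target A/AAAA lookup fails."""
import re
import socket
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple

class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str

# Constructed dig output (ANSWER SECTION only); KDC host names are invented
# for this example and are not the real EOS.NCSU.EDU KDCs.
SAMPLE_DIG_ANSWER = """\
;; ANSWER SECTION:
_kerberos._udp.EOS.NCSU.EDU. 300 IN SRV 0 10 88 kdc1.example.test.
_kerberos._udp.EOS.NCSU.EDU. 300 IN SRV 0 5 88 kdc2.example.test.
_kerberos._udp.EOS.NCSU.EDU. 300 IN SRV 10 0 88 kdc-backup.example.test.
"""

# Constructed hosts tables standing in for a working and a broken resolver.
WORKING_HOSTS: Dict[str, str] = {
    "kdc1.example.test": "192.0.2.10",
    "kdc2.example.test": "192.0.2.11",
    "kdc-backup.example.test": "192.0.2.12",
}
BROKEN_HOSTS: Dict[str, str] = {}

# Matches one dig SRV answer line: owner TTL IN SRV prio weight port target
SRV_LINE = re.compile(r"^\S+\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")

def parse_srv_records(dig_output: str) -> List[SrvRecord]:
    """Extract SRV records from dig output; non-SRV lines are ignored."""
    records = []
    for line in dig_output.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            prio, weight, port, target = m.groups()
            records.append(SrvRecord(int(prio), int(weight), int(port),
                                     target.rstrip(".").lower()))
    return records

def order_kdcs(records: List[SrvRecord]) -> List[SrvRecord]:
    """Lowest priority first; heavier weight first within a priority.
    (RFC 2782 picks among equal priorities randomly by weight; the
    deterministic order here is enough for a diagnostic.)"""
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))

def make_table_resolver(table: Dict[str, str]) -> Callable[[str], Optional[str]]:
    """Offline resolver backed by a constructed hosts table."""
    return lambda name: table.get(name.lower())

def system_resolver(name: str) -> Optional[str]:
    """Resolver using the host's libc (honours nscd, /etc/hosts, resolv.conf)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_kdc_resolution(records: List[SrvRecord],
                         resolve: Callable[[str], Optional[str]]
                         ) -> Tuple[List[Tuple[str, str, int]], List[str]]:
    """Return (resolved (host, addr, port) triples, unresolved host names)."""
    ok, failed = [], []
    for rec in order_kdcs(records):
        addr = resolve(rec.target)
        if addr is None:
            failed.append(rec.target)
        else:
            ok.append((rec.target, addr, rec.port))
    return ok, failed

def diagnose(dig_output: str, resolve: Callable[[str], Optional[str]],
             realm: str = "EOS.NCSU.EDU") -> str:
    """One-line verdict mirroring the two places kinit can give up."""
    records = parse_srv_records(dig_output)
    if not records:
        return f"no SRV records for _kerberos._udp.{realm}: SRV lookup is the problem"
    ok, failed = check_kdc_resolution(records, resolve)
    if not ok:
        return (f"Cannot resolve network address for KDC in realm {realm}: "
                f"SRV targets found but none resolve ({', '.join(failed)})")
    note = f"; unresolvable: {', '.join(failed)}" if failed else ""
    return f"usable KDCs: {', '.join(f'{h}:{p} ({a})' for h, a, p in ok)}{note}"

if __name__ == "__main__":
    print(diagnose(SAMPLE_DIG_ANSWER, make_table_resolver(WORKING_HOSTS)))
    print(diagnose(SAMPLE_DIG_ANSWER, make_table_resolver(BROKEN_HOSTS)))
```

Run against the real resolver with diagnose(open_dig_output, system_resolver) once with nscd stopped and once with it running; if the SRV records parse both times but the target list only resolves with nscd on, the fault is in the address lookup path (resolv.conf options, search domains, IPv6/parallel query handling), not in the Kerberos configuration.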
On Tue, Jun 30, 2009 at 10:23:39PM +0000, "Jóhann B. Guðmundsson" wrote:
> On 06/30/2009 09:13 PM, Jack Neely wrote:
> > kinit(v5): Cannot resolve network address for KDS in realm
> 3 things off the top of my rusty head..
> First, broken DNS setup: make sure you can test it with the usual lookup procedures...
I can pull the SRV records with dig using an ANY request. The results from the F11 box are exactly the same as my RHEL 5 machine right beside it.
> Second, different domains for KDC and LDAP client.
I'm not using Active Directory. User information comes from LDAP using the posixAccount schema. So I don't see how this comes into play.
> Try mapping the FQDN LDAP domain name to the KDC domain name in /etc/krb5.conf.
> [domain_realm] .fqdn.forldap.nscu.edu =eos.nscu.edu
> Thirdly, try adding "single-request" to the options in /etc/resolv.conf. # Just some recently made changes I keep in the back of my head
> +Boost up the loglevel in nscd and see if it spits out something useful..
I see it pruning the actual host names of the krb servers. This agrees with my stracing... kinit is finding the KDCs in both cases. It's just not happy without nscd.
Jack