Problems finding KDC (was: KDC not found even after connection was made)




Dear all,

after weeks I didn't get a valuable solution to my problem cited below.
But doing some more research on this I have some new information to this
problem. Hopefully, someone will have the right answer ....

1. no changes in this with respect to latest snapshots and it is not
ssl-version related problem

2. KDC is on Irix 6.5.20. Clients from the same machine, another Irix
6.5.20 machine and SUSE Linux are working well (test: getting tickets via
kinit). Clients and server are with no krb4 support.

3. KDC is on Irix 6.5.20. Clients from Tru64Unix 5.1a are not working (the
same test, the same /etc/krb5.conf ends up with the following message:
"kinit: krb5_get_init_creds: unable to reach any KDC in realm X.Y.Z") if
client, server or both are with no krb4 support (situation A). In contrast
to this, if both client and server have krb4 support (situation B),
everything seems to work without errors. But in this case, I am getting
krb4-tickets, not krb5-tickets.

Analyzing situation A using truss and par I am coming to the following
conclusion: client calls connect() with the right destination address and
send() with the initial data, but kdc never knows about this connection.
The same is true for all three tru64unix boxes I had opportunity to test.
There are no firewalls, no tcp_wrappers settings for this. It seems
something prevents the clients from making network connections the
way heimdal tries on this operating system. Other systems are working well
so it seems really strange and probably some OS-related bug is at stake,
not heimdal itself at the bottom.

I hope there is someone on the list who is able at least to reproduce this
problem or better to do a cleverer analysis of what happens in this
situation.

The history of the problem can be seen in this list archive in the thread
http://www.stacken.kth.se/lists/heimdal-discuss/2003-10/msg00040.html

Thanks in advance,

  David Komanek


---------- Original message ----------
Date: Mon, 13 Oct 2003 14:00:46 +0200 (CEST)
From: David Komanek <xdavid@lib-eth.natur.cuni.cz>
To: heimdal-discuss@sics.se
Subject: KDC not found even after connection was made


Hi all,

I have the following problem:

heimdal utilities such as kinit, kadmin, ktutil etc. are working well when
invoked on the same machine as kdc and kadmind run. I have copied the
m-key and krb5.config files to the future slave server. Now I should,
according to the documentation, issue the "ktutil get" command to create a
keytab file with the appropriate host entry on the slave. But it complains

ktutil: kadm5_create_principal(host/tao.natur.cuni.cz): unable to reach
any KDC in realm MYREALM.CZ

But in contrast to this, on the master I have in logfile:

2003-10-13T13:46:18 connection from IPv4:a.b.c.d

where a.b.c.d is the IP of the machine claiming it is unable to find KDC.
No more messages in logs.

My relevant krb5.config settings:

[logging]
default = FILE:/var/heimdal/krb5libs.log
kdc = FILE:/var/heimdal/krb5kdc.log
admin_server = FILE:/var/heimdal/kadmind.log

[ktutil]
        dns_lookup_realm = false
        dns_lookup_kdc = false
        kdc = e.f.g.h

I do not use dns_lookup because I still concurrently use krb4 and do not
want to risk problems emerging from mixed krb4 and heimdal communication.

Do you have some ideas what is wrong? Could the problem be the different
architecture (littleendian/bigendian) of both machines? Or the ssl
version used (master - internal functions of heimdal, slave - openssl
0.9.7c)?

Thanks in advance,

  David Komanek