LinuxQuestions.org


MheAd 06-27-2010 05:20 PM

Kerberos (MIT) clients cannot find administrative server through DNS.
 
Hi guys,
This problem has taken me the whole Sunday, and the only thing I've got left before I start kicking my computer equipment is to ask you guys for help.

I have a problem on the client side of Kerberos. Basically, none of my clients is able to make a connection to kadmin using DNS SRV records. It only works if I use the relevant directives in the krb5.conf files.

The Kerberos-related part of my DNS zone looks like this:

Code:

; Please note, the $ORIGIN is my-domain.xx (so the relative target "server" expands to server.my-domain.xx)

_kerberos._udp.MY-DOMAIN.XX.                IN SRV 1 0 88   server
_kerberos._tcp.MY-DOMAIN.XX.                IN SRV 1 0 88   server
_kerberos-adm._tcp.MY-DOMAIN.XX.            IN SRV 1 0 749  server   ; posted as "_kerberos-adm_tcp", i.e. without the dot before _tcp
_kpasswd._udp.MY-DOMAIN.XX.                 IN SRV 1 0 464  server

_kerberos                                   IN TXT "MY-DOMAIN.XX"

As far as I can see there is no misconfiguration, and BIND doesn't complain either.


If I configure the basic krb5.conf file on one of my clients, containing only:
Code:

[libdefaults]
default_realm = MY-DOMAIN.XX

I was hoping that the client would look for the KDC via DNS. And initially, when I try to log in as a user principal, it appears to be working.
When writing the command:

kinit mhead/admin

It finds the KDC server. After typing in the password and authenticating successfully, I write:

kadmin

and get the following error:
Code:

Authenticating as principal mhead/admin@MY-DOMAIN.XX with password.
kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface

What parameters? [libdefaults] is the only parameter Kerberos requires for a minimal configuration, and the Kerberos libraries would automatically use DNS to look up the KDC / adm server etc.

If I add the [realms] stanza to the krb5.conf file, containing
Code:

[realms]
    MY-DOMAIN.XX = {
        kdc = server.my-domain.xx:88
        admin_server = server.my-domain.xx:749
        default_domain = my-domain.xx
    }

Then everything works; I'm able to access the administration server with no problems whatsoever.

The same problem happens on both virtual machines that I'm using as clients - a Debian and a CentOS - so it's not a one-machine-only problem.

Something is weird regarding the adm server. I mean, without the [realms] stanza the client does query DNS properly for the KDC master - it can be tracked in the DNS logs, and logically, with no [realms] stanza, there is no other place than DNS where it can find this information. So the actual authentication of the principal works. It's the kadmin part that exits with the error message above.

According to all the manuals, books and guides I've read, this shouldn't be happening. [libdefaults] with default_realm defined in krb5.conf, in combination with proper DNS records, should be everything a Kerberos client needs. But apparently not.

I don't remember having any problems like this before. This is the first time in several months that I've done a fresh install of a KDC. I believe the Kerberos packages did get updated a few times since then. Could this be a bug of some kind introduced in a newer version of the libs? I have the latest packages on CentOS 5.3.

Thanks in advance.
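As an added example (not code from this thread), a small Python check of which SRV names a Kerberos client looks up for a realm and whether a zone snippet answers them; the constructed sample reproduces the records from the post with the owner name `_kerberos-adm_tcp` as originally typed (missing the dot before `_tcp`), so that one is reported as absent.

```python
# Constructed zone snippet mirroring the records posted above ($ORIGIN my-domain.xx),
# keeping the owner name "_kerberos-adm_tcp" exactly as it was typed there.
SAMPLE_ZONE = """\
_kerberos._udp.MY-DOMAIN.XX.      IN SRV 1 0 88  server
_kerberos._tcp.MY-DOMAIN.XX.      IN SRV 1 0 88  server
_kerberos-adm_tcp.MY-DOMAIN.XX.   IN SRV 1 0 749 server
_kpasswd._udp.MY-DOMAIN.XX.       IN SRV 1 0 464 server
_kerberos                         IN TXT "MY-DOMAIN.XX"
"""

# (service label, protocol label, usual port) of the SRV names a client looks up for a realm.
EXPECTED_SRV = [
    ("_kerberos", "_udp", 88),
    ("_kerberos", "_tcp", 88),
    ("_kerberos-adm", "_tcp", 749),
    ("_kpasswd", "_udp", 464),
]

def parse_srv_records(zone_text, origin):
    """Return {owner fqdn: (priority, weight, port, target)} for the SRV lines in a zone snippet."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[1:3] != ["IN", "SRV"]:
            continue                            # not an "owner IN SRV prio weight port target" line
        owner = fields[0].lower()
        if not owner.endswith("."):             # relative owner name: append $ORIGIN
            owner = f"{owner}.{origin.lower()}."
        prio, weight, port, target = fields[3:7]
        records[owner] = (int(prio), int(weight), int(port), target)
    return records

def missing_srv(zone_text, realm, origin):
    """List the SRV names a client would query for `realm` that the zone does not answer."""
    records = parse_srv_records(zone_text, origin)
    problems = []
    for service, proto, port in EXPECTED_SRV:
        fqdn = f"{service}.{proto}.{realm.lower()}."
        rec = records.get(fqdn)
        if rec is None:
            problems.append(fqdn)
        elif rec[2] != port:
            problems.append(f"{fqdn} (port {rec[2]}, usual port {port})")
    return problems
```

Fixing that record still would not have helped here: as the MIT documentation quoted later in the thread says, the kadmin client of that version did not consult `_kerberos-adm._tcp` at all and needed admin_server in krb5.conf.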

MheAd 06-28-2010 07:23 AM

Heh. Now, after looking more closely at the documentation on the MIT website, it actually appears that this is "normal" behaviour of MIT Kerberos.

Quote:

_kerberos-adm._tcp
This should list port 749 on your master KDC. Support for it is not complete at this time, but it will eventually be used by the kadmin program and related utilities. For now, you will also need the admin_server entry in krb5.conf. (See krb5.conf.)
Bummer...
Perhaps I'll switch to Heimdal instead. I got confirmation from a friend of mine that this is already implemented in that distribution.

mhetreys 07-01-2015 04:57 AM

Kerberos (MIT) clients cannot find administrative server through DNS.
 
bash-4.1# kadmin -p root/admin
Authenticating as principal root/admin with password.
kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface

Here is the krb5.conf file:
bash-4.1# cat /etc/krb5.conf
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = TESTER.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    allow_weak_crypto = true

[realm]
    TESTER.COM = {
        kdc = yog.com:88
        admin_server = yog.com:749
    }

[domain_realm]
    .in.com = TESTER.COM
    in.com = TESTER.COM

[kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb5_convert = false
    }

I am getting this error. Please help.
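As an added example (not code from this thread), a small Python checker that parses a krb5.conf and reports why the kadmin client would stop with "Missing parameters in krb5.conf required for kadmin client"; the constructed sample mirrors the configuration posted above, whose realm section is spelled [realm] while the section MIT krb5 reads is [realms], so no admin_server is ever found for TESTER.COM.

```python
# Constructed sample mirroring the krb5.conf posted above: the realm block sits under [realm], not [realms].
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = TESTER.COM

[realm]
TESTER.COM = {
kdc = yog.com:88
admin_server = yog.com:749
}
"""

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value or {key: value}}} (one brace level)."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or full-line comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = sections.setdefault(line[1:-1], {})
            block = None
        elif section is None:                    # key/value before any section header
            continue
        elif line == "}":                        # end of a brace-delimited block
            block = None
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":                     # e.g. "TESTER.COM = {"
                block = section.setdefault(key, {})
            elif block is not None:
                block[key] = value
            else:
                section[key] = value
    return sections

def kadmin_problems(text):
    """List what the kadmin client needs from krb5.conf and cannot find here."""
    conf = parse_krb5_conf(text)
    realm = conf.get("libdefaults", {}).get("default_realm")
    if not realm:
        return ["no default_realm in [libdefaults]"]
    if "realms" not in conf:
        hint = " (found [realm]: the section MIT krb5 reads is [realms])" if "realm" in conf else ""
        return ["no [realms] section" + hint]
    entry = conf["realms"].get(realm)
    if not isinstance(entry, dict) or not entry.get("admin_server"):
        return [f"no admin_server for realm {realm} in [realms]"]
    return []
```

Run against the first poster's minimal file (only [libdefaults]) the same check reports "no [realms] section", which matches the behaviour the MIT documentation quoted earlier in the thread describes.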

