Visit Jeremy's Blog.
Go Back > Forums > Linux Forums > Linux - Software
User Name
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.


  Search this Thread
Old 06-27-2010, 05:20 PM   #1
Registered: Jun 2007
Distribution: Ubuntu 14.04
Posts: 186

Rep: Reputation: 36
Kerberos (MIT) clients cannot find administrative server through DNS.

Hi guys,
This problem has taken me the whole Sunday and the only thing I've got left before start kicking my computer equipment is to ask you guys for help.

I have a problem on my client side of Kerberos. Basically, none of my clients is able to make a connection to kadmin using DNS SRV-records. Only if I use the relevant directives in the krb5.conf files - it works.

The Kerberos-related part of my DNS zone looks like this:

Please note, the $ORIGIN is my-domain.xx

_kerberos._udp.MY-DOMAIN.XX.                 IN SRV 1 0 88   server
_kerberos._tcp.MY-DOMAIN.XX.                 IN SRV 1 0 88   server
_kerberos-adm_tcp.MY-DOMAIN.XX.              IN SRV 1 0 749  server
_kpasswd._udp.MY-DOMAIN.XX.                  IN SRV 1 0 464  server

_kerberos                      IN TXT "MY-DOMAIN.XX"
As far as I can see there is no misconfiguration and the Bind doesn't complain either.

If I configure the basic krb5.conf file on one of my clients, containing only:
default_realm = MY-DOMAIN.XX
I was hoping that the client would look for KDC via DNS. And initally, when I try to login as a user principal, it appears to be working.
When writing the command:

kinit mhead/admin

It finds the KDC server. After typing in the password, after the successful authentication, I write:


and get the following error:
Authenticating as principal mhead/admin@MY-DOMAIN.XX with password.
kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface
What parameters? [libdefaults] is the only required parameter by Kerberos for a minimal configuration, and the Kerberos libraries would automatically use the DNS for lookup of the KDC / adm server etc.

If I add the [realm] stanza in the krb5.conf file containing
kdc =
admin_server =
default_domain = my-domain.xx
Then everything is works, I'm able to access administration server with no problems whatsoever.

The same problem happens on both virtual machines that I'm using as clients - a Debian and a CentOS, so it's not 'one-machine-problem-only'.

Something is weird regarding the adm server. I mean, without [realms] stanza, the client does query the DNS properly for the KDC master - it can be tracked in the DNS logs and I mean, even logically - with no [realms] stanza - there is no other place than DNS where it can find this information. So, the actual authentication of the principal works. It's the kadmin-part that exits with the error message above.

According to all manuals, books, guides I've read - this shouldn't be happening. The [libdefaults] with default_realm defined in krb5.conf in combination with proper DNS records, should be everything kerberos client needs. But apparently not.

I don't remember having any problems like this before. This is the first time in several months a freshly install a KDC. I believe Kerberos packages did get updated few times since then. Could this be a bug of some kind introduced in never version of libs? I have the latest packages on centos 5.3.

Thanks in advance.

Last edited by MheAd; 06-27-2010 at 05:31 PM.
Old 06-28-2010, 07:23 AM   #2
Registered: Jun 2007
Distribution: Ubuntu 14.04
Posts: 186

Original Poster
Rep: Reputation: 36
Heh. Now, after looking more closely the documentation @ MIT website, it actually appears that this is "normal" behaviour of the MIT Kerberos.

This should list port 749 on your master KDC. Support for it is not complete at this time, but it will eventually be used by the kadmin program and related utilities. For now, you will also need the admin_server entry in krb5.conf. (See krb5.conf.)
Perhaps I'll switch to Heimdall instead. I got confirmation of a friend of mine that this already is implemented in that distribution.

Last edited by MheAd; 06-28-2010 at 07:25 AM.
1 members found this post helpful.
Old 07-01-2015, 04:57 AM   #3
LQ Newbie
Registered: Jun 2015
Posts: 4

Rep: Reputation: Disabled
Kerberos (MIT) clients cannot find administrative server through DNS.

bash-4.1# kadmin -p root/admin
Authenticating as principal root/admin with password.
kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface

here is krb5.conf file
bash-4.1# cat /etc/krb5.conf
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

default_realm = TESTER.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
allow_weak_crypto = true


kdc =
admin_server =

[domain_realm] = TESTER.COM = TESTER.COM

profile = /var/kerberos/krb5kdc/kdc.conf


pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb5_convert = false

i am getting error.please help


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Kerberos (MIT) ACL correct? MheAd Linux - Security 0 06-26-2010 06:41 PM
passwordless OpenSSH with MIT-Kerberos and PAM dbalsige Linux - Software 1 11-12-2009 12:12 PM
nfsv4 not working with mit kerberos v5 linux 2 coglioni Linux - Newbie 7 06-22-2009 12:06 AM
LXer: Multiple holes in MIT Kerberos LXer Syndicated Linux News 0 04-08-2009 08:50 PM
LXer: MIT fixes critical Kerberos 5 flaws LXer Syndicated Linux News 0 04-05-2007 12:17 AM > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 06:31 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration