Kerberos Authentication errors: Cannot find KDC for realm while getting initial credentials | kinit: configuration file does not specify default realm

Here are some errors i ran into while trying to setup Ansible for the second time in my test laboratory

Solution: These two errors here are based on a lot of factors

- My domain setup was not resolving correctly, when this is done,
- Ensure to include the realm with the principal you are logging in as
And remember to set the default realm also in the krb5.config file.

Concept: Authentication Services relies on DNS (Domain Naming Service) to locate the Key Distributions Center (KDC) which in AD is a domain controller, so if your DNS is not properly configured for your domain it will fail. To test the name resolution for your domain controller, simply use nslookup commands, see https://techdirectarchive.com/2020/03/21/cant-find-domain-non-existent-domain/

– Ensure the Ansible server is pointing to the DNS server Address or else this will not work correctly

Create an A record to ensure the domain name is resolvable via DNS.

nslookup techdirectarchive.local

Note: Alternatively, the name resolution requires the Ansible server to locate the domain controllers and can be manually added to the host file by including an entry in the /etc/hosts file for each domain controller, e.g

192.168.xxx.45 techdirectarchive.local

Next, After the krb5 configuration file has been updated correctly, you should be able to successfully authenticate and get a valid token. The following steps show how to authenticate and get a token:
– You may get the error “kinit: configuration file does not specify default realm” if you try to use the “kinit” command only, use the command below

kinit username@TECHDIRECT.LOCAL

As you can see above, the kinit command did not work correctly initially.

default_realm Identifies the default Kerberos realm for the client. Set its value to your Kerberos realm. If this value is not set, then a realm must be specified with every Kerberos principal when invoking programs such as kinit.

Other Possible tips to note.
– Ensure that the “krb5.conf” is correctly configured.
– The kinit command is fail for user authentication because kerberos is case sensitive.Here is the right syntax “kinit username@TECHDIRECT.LOCAL“. Ensure the domain name is in all CAPS, or else you will get an error.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s