
Cannot find KDC for realm while getting initial credentials and kinit configuration file does not specify default realm

Here are some errors I ran into while trying to set up Ansible for the second time in my test laboratory.

Solution: These two errors come down to a small number of causes, and fixing them in this order resolved both:

- My domain setup was not resolving correctly; the KDC is found through DNS, so name resolution has to work first.
- Always include the realm with the principal you are logging in as (user@REALM, realm in capitals).
- And remember to set default_realm in the krb5.conf file as well, otherwise every principal has to carry the realm.

Concept: Kerberos authentication relies on DNS (Domain Name System) to locate the Key Distribution Center (KDC), which in Active Directory is a domain controller. Unless a kdc entry is listed for the realm under [realms] in krb5.conf, the client looks up the _kerberos._tcp.<domain> SRV record that the domain controllers register, so if DNS is not properly configured for your domain the lookup fails with "Cannot find KDC for realm". To test name resolution for your domain controller, simply use nslookup; see https://techdirectarchive.com/2020/03/21/cant-find-domain-non-existent-domain/

– Ensure the Ansible server is pointing at the DNS server address of the domain (the domain controller in most labs), or this will not work correctly.

Create an A record for the domain controller so that the domain name is resolvable via DNS, then confirm it:

nslookup techdirectarchive.local

Note: Alternatively, since the Ansible server only needs to be able to locate the domain controllers, the names can be added manually to the host file by including an entry in /etc/hosts for each domain controller, e.g.

192.168.xxx.45 techdirectarchive.local

Keep in mind that /etc/hosts only provides name-to-address resolution; it cannot answer the SRV query used to discover the KDC, so with this approach the KDC must also be listed explicitly (kdc = <domain controller>) under the realm in krb5.conf.

Next, after the krb5 configuration file has been updated correctly, you should be able to authenticate successfully and obtain a valid ticket-granting ticket (TGT). The following steps show how to authenticate and get a ticket:
– You may get the error "kinit: configuration file does not specify default realm" if you run kinit with the bare user name only; use the command below instead, which names the realm explicitly:

kinit username@TECHDIRECT.LOCAL

As you can see above, the kinit command did not work correctly initially.

default_realm: identifies the default Kerberos realm for the client. Set its value to your Kerberos realm. If this value is not set, then a realm must be specified with every Kerberos principal when invoking programs such as kinit.

Other possible tips to note:
– Ensure that krb5.conf is correctly configured (default_realm set, and the realm present under [realms] and [domain_realm]).
– The kinit command fails for user authentication when the realm is written in the wrong case, because Kerberos realm names are case sensitive. The right syntax is "kinit username@TECHDIRECT.LOCAL": ensure the realm is in all CAPS, or else you will get an error.
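As an added example (this script is not part of the original post), the following POSIX shell script ties the checks above together for an Ansible control node: it verifies that a principal carries an upper-case realm, renders a krb5.conf with default_realm and an explicit kdc entry, checks that an existing krb5.conf sets default_realm, and runs the DNS lookups for the A and _kerberos._tcp SRV records before calling kinit. The realm TECHDIRECT.LOCAL, the DNS domain techdirect.local and the domain controller dc01.techdirect.local are assumptions for a lab; in Active Directory the realm is the DNS domain name in capitals.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight check for the two
# kinit errors discussed above (KDC not found, no default realm). The realm,
# DNS domain and domain-controller name are assumptions for a lab; in Active
# Directory the realm is the DNS domain name in upper case.
set -u

REALM="TECHDIRECT.LOCAL"          # assumed AD realm (must be upper case)
DOMAIN="techdirect.local"         # assumed DNS name of the AD domain
DC_HOST="dc01.$DOMAIN"            # assumed domain controller / KDC

# Success (0) only if the principal carries a realm and it is upper case,
# which is what kinit needs when krb5.conf sets no default_realm.
principal_has_realm() {
    case "$1" in
        *@*) realm="${1#*@}"
             [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] ;;
        *)   return 1 ;;
    esac
}

# Print the principal with the realm appended (if missing) and upper-cased,
# e.g. "ansible@techdirect.local" -> "ansible@TECHDIRECT.LOCAL".
normalize_principal() {
    case "$1" in
        *@*) user="${1%@*}"; realm="${1#*@}" ;;
        *)   user="$1";      realm="$REALM" ;;
    esac
    printf '%s@%s\n' "$user" "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')"
}

# Minimal krb5.conf for the realm. default_realm removes the "does not
# specify default realm" error; the explicit kdc entry means the KDC can be
# found even when only /etc/hosts (no SRV records) resolves the DC.
render_krb5_conf() {
    cat <<EOF
[libdefaults]
    default_realm = $REALM
    dns_lookup_realm = false
    dns_lookup_kdc = true
    rdns = false

[realms]
    $REALM = {
        kdc = $DC_HOST
        admin_server = $DC_HOST
    }

[domain_realm]
    .$DOMAIN = $REALM
    $DOMAIN = $REALM
EOF
}

# Success (0) if the krb5.conf at $1 sets default_realm inside [libdefaults].
has_default_realm() {
    awk '/^\[/{s=$0} s=="[libdefaults]" && $1=="default_realm"{f=1} END{exit !f}' "$1"
}

# Live name-resolution checks (need a reachable DNS server; nslookup and dig
# come with bind-utils / dnsutils). Success (0) only if both lookups work.
check_dns() {
    rc=0
    if nslookup "$DC_HOST" >/dev/null 2>&1; then
        echo "A record for $DC_HOST: ok"
    else
        echo "A record for $DC_HOST: FAIL (add an A record or an /etc/hosts entry)"; rc=1
    fi
    if dig +short SRV "_kerberos._tcp.$DOMAIN" | grep -q .; then
        echo "KDC SRV record for $DOMAIN: ok"
    else
        echo "KDC SRV record for $DOMAIN: missing (set kdc = ... in krb5.conf)"; rc=1
    fi
    return $rc
}

# The live part only runs when KRB_USER is set, for example:
#   KRB_USER=ansible sh kinit-check.sh
if [ -n "${KRB_USER:-}" ]; then
    check_dns
    if ! has_default_realm /etc/krb5.conf; then
        echo "/etc/krb5.conf sets no default_realm; a suggested file follows:"
        render_krb5_conf
    fi
    kinit "$(normalize_principal "$KRB_USER")" && klist
fi
```

The realm is always passed to kinit in upper case even when the user types it in lower case, so the case-sensitivity tip above cannot bite; dns_lookup_kdc stays enabled so that additional domain controllers are still discovered through SRV records when DNS does work.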

I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.

Jasim, 4 months ago

Hi Christian,

Trying to set up Kerberos authentication from Ansible (Linux) version 2.9 to Windows 2k12/16, getting an error like "server not found in the database".

Have verified the krb file; kinit connections all look fine, but it is throwing this kind of error message.
Please share your thoughts if you overcame this kind of issue.

Note: Using the NTLM protocol the connection establishes; the only issue is with Kerberos.

Jasim, 4 months ago

Error message from ansible

kerberos: authGSSClientStep() failed: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377))",
