[38177] in Kerberos
missing log while debugging kinit via kdcproxy
daemon@ATHENA.MIT.EDU (Jochen Hein)
Wed Jan 17 01:13:56 2018
From: Jochen Hein <jochen@jochen.org>
To: kerberos@mit.edu
Date: Wed, 17 Jan 2018 06:55:09 +0100
Message-ID: <831sip3u82.fsf@jochen.org>
Hi,
I'm running a FreeIPA domain and started to authenticate my road warrior
laptop with kdcproxy. I've changed krb5.conf:
,----
| dns_lookup_realm = true
| dns_lookup_kdc = false
| ...
| kdc = https://kdcproxy.example.org/KdcProxy
`----
When I run kinit on my Ubuntu 17.10 laptop I get:
# KRB5_TRACE=/dev/stderr kinit admin
[12904] 1516167827.841029: Getting initial credentials for admin@EXAMPLE.ORG
[12904] 1516167827.845059: Sending request (169 bytes) to EXAMPLE.ORG
[12904] 1516167827.845173: Resolving hostname kdcproxy.example.org
[12904] 1516167828.115087: Terminating TCP connection to https 89.0.xx.yy:443
[12904] 1516167828.551801: Terminating TCP connection to https 2a0a:a541:57ed:0:216:[redacted]:443
kinit: Cannot contact any KDC for realm EXAMPLE.ORG' while getting initial credentials
No hint what the problem might be, KDC log is empty. What put me on
the right track was an strace and looking for missing files:
# strace -e stat kinit admin
stat("/etc/krb5.conf", {st_mode=S_IFREG|0644, st_size=714, ...}) = 0
stat("/usr/lib/x86_64-linux-gnu/krb5/plugins/preauth/pkinit.so", {st_mode=S_IFREG|0644, st_size=116344, ...}) = 0
stat("/usr/lib/x86_64-linux-gnu/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so", {st_mode=S_IFREG|0644, st_size=14528, ...}) = 0
stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=322, ...}) = 0
stat("/usr/lib/x86_64-linux-gnu/krb5/plugins/tls/k5tls.so", 0x7fff3df92080) = -1 ENOENT (No such file or directory)
kinit: Cannot contact any KDC for realm EXAMPLE.ORG' while getting
initial credentials
After installing krb5-k5tls, authentication was successful. I'd find it
helpful if kinit could give a hint that the shared library is
missing. Since not all users will need it, just adding a dependency to
krb5-user does not seem appropriate.
Jochen
--
This space is intentionally left blank.
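
Added example, not part of the original message or of krb5: a preflight check for the failure described above, where krb5.conf names an https:// KDC proxy but tls/k5tls.so is absent. The function names are hypothetical; the default plugin directory is the one visible in the strace output, and the demo config is constructed.

```shell
#!/bin/sh
# Print every "kdc = https://..." value found in a krb5.conf ($1).
https_kdcs() {
    awk '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "kdc" && val ~ /^https:\/\//) print val
        }' "$1"
}

# Return 1 (with a hint on stderr) when an https KDC is configured but the
# TLS plugin is missing. $1: krb5.conf, $2: plugin base directory.
check_k5tls() {
    conf=$1
    # Default taken from the strace output in the message (Ubuntu x86_64).
    base=${2:-/usr/lib/x86_64-linux-gnu/krb5/plugins}
    urls=$(https_kdcs "$conf")
    if [ -z "$urls" ]; then
        echo "no https:// KDC in $conf; k5tls.so not required"
        return 0
    fi
    if [ -f "$base/tls/k5tls.so" ]; then
        echo "ok: $base/tls/k5tls.so present"
        return 0
    fi
    echo "missing: $base/tls/k5tls.so, required for:" >&2
    echo "$urls" | sed 's/^/  /' >&2
    echo "hint: the message above resolved this by installing krb5-k5tls" >&2
    return 1
}

# Constructed demo: config like the one in the message, empty plugin tree.
demo=$(mktemp -d)
printf '[realms]\n EXAMPLE.ORG = {\n  kdc = https://kdcproxy.example.org/KdcProxy\n }\n' \
    > "$demo/krb5.conf"
check_k5tls "$demo/krb5.conf" "$demo/plugins" || echo "(demo: plugin absent, as expected)"
rm -rf "$demo"
```

On a real client, call `check_k5tls /etc/krb5.conf` and pass the distribution's plugin directory as the second argument if it differs from the default.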