Hi, I'm running a FreeIPA domain and started to authenticate my road warrior laptop with kdcproxy. I've changed krb5.conf:
,----
| dns_lookup_realm = true
| dns_lookup_kdc = false
| ...
| kdc = https://kdcproxy.example.org/KdcProxy
`----

When I run kinit on my Ubuntu 17.10 laptop I get:

# KRB5_TRACE=/dev/stderr kinit admin
[12904] 1516167827.841029: Getting initial credentials for ad...@example.org
[12904] 1516167827.845059: Sending request (169 bytes) to EXAMPLE.ORG
[12904] 1516167827.845173: Resolving hostname kdcproxy.example.org
[12904] 1516167828.115087: Terminating TCP connection to https 89.0.xx.yy:443
[12904] 1516167828.551801: Terminating TCP connection to https 2a0a:a541:57ed:0:216:[redacted]:443
kinit: Cannot contact any KDC for realm EXAMPLE.ORG' while getting initial credentials

No hint what the problem might be, KDC log is empty. What brought me on the right track has been an strace and looking for missing files:

# strace -e stat kinit admin
stat("/etc/krb5.conf", {st_mode=S_IFREG|0644, st_size=714, ...}) = 0
stat("/usr/lib/x86_64-linux-gnu/krb5/plugins/preauth/pkinit.so", {st_mode=S_IFREG|0644, st_size=116344, ...}) = 0
stat("/usr/lib/x86_64-linux-gnu/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so", {st_mode=S_IFREG|0644, st_size=14528, ...}) = 0
stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=322, ...}) = 0
stat("/usr/lib/x86_64-linux-gnu/krb5/plugins/tls/k5tls.so", 0x7fff3df92080) = -1 ENOENT (No such file or directory)
kinit: Cannot contact any KDC for realm EXAMPLE.ORG' while getting initial credentials

After installing krb5-k5tls authentication was successful.

I'd find it helpful if kinit could give a hint that the shared library is missing. Since not all users will need it, just adding a dependency to krb5-user seems not appropriate.

Jochen

--
This space is intentionally left blank.
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
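
Added example, not part of the original post: a shell check for the failure described above, where krb5.conf points at an https:// KDC proxy but the k5tls.so TLS plugin is not installed. The function names and the sample config are constructed for illustration; the default plugin directory is the one from the strace output in the post and differs on other distributions and architectures.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Print each "kdc = https://..." value in a krb5.conf, skipping comment lines.
https_kdc_entries() {
    grep -v '^[[:space:]]*[#;]' "$1" |
        sed -n 's|^[[:space:]]*kdc[[:space:]]*=[[:space:]]*\(https://[^[:space:]]*\).*$|\1|p'
}

# Return 1 when an HTTPS KDC is configured but tls/k5tls.so is absent.
# $2 defaults to the plugin directory seen in the post's strace output.
check_k5tls() {
    conf=$1
    plugin_dir=${2:-/usr/lib/x86_64-linux-gnu/krb5/plugins}
    urls=$(https_kdc_entries "$conf")
    if [ -z "$urls" ]; then
        echo "$conf: no https:// kdc entries, k5tls not needed"
        return 0
    fi
    if [ -f "$plugin_dir/tls/k5tls.so" ]; then
        echo "$conf: HTTPS KDC proxy configured, k5tls.so present"
        return 0
    fi
    echo "$conf: HTTPS KDC proxy configured but $plugin_dir/tls/k5tls.so is missing:"
    echo "$urls" | sed 's/^/  /'
    return 1
}

# Constructed sample config and stand-in plugin tree, so this runs offline.
demo=$(mktemp -d)
cat > "$demo/krb5.conf" <<'EOF'
[libdefaults]
  dns_lookup_realm = true
  dns_lookup_kdc = false
[realms]
  EXAMPLE.ORG = {
    # kdc = https://old.example.org/KdcProxy
    kdc = https://kdcproxy.example.org/KdcProxy
  }
EOF
mkdir -p "$demo/plugins/tls"
check_k5tls "$demo/krb5.conf" "$demo/plugins" || echo "-> kinit would fail as in the post"
: > "$demo/plugins/tls/k5tls.so"   # empty stand-in for the real plugin
check_k5tls "$demo/krb5.conf" "$demo/plugins"
rm -rf "$demo"
```

On a real client, call `check_k5tls /etc/krb5.conf` with the plugin directory for that system as the second argument.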