1

I'm attempting to connect Kerio to an Open Directory instance. I'm using kinit to test the setup, and I get the following:

$ kinit -V -S host/server.domain.co.uk@server.domain.co.uk igor@server.domain.co.uk
Please enter the password for igor@server.domain.co.uk:
Kerberos Login Failed: Cannot resolve network address for KDC in requested realm

This occurs even though I am 100% sure that the password is correct. Either way, I am more concerned with the part of the message that says:

Kerberos Login Failed: Cannot resolve network address for KDC in requested realm

From the server running OD, and from a second in-house server, I get the same error message. I can dig and ping server.domain.co.uk correctly from both servers, so it boggles my mind what could be wrong.

I need this to be working before I can move forward and connect up the Kerio instance to my OD.

edu.mit.kerberos

[libdefaults]
    default_realm = SERVER.domain.CO.UK
[realms]
    SERVER.domain.CO.UK = {
        admin_server = server.domain.co.uk
        kdc = server.domain.co.uk
    }
[domain_realm]
    domain.co.uk = SERVER.domain.CO.UK
    .domain.co.uk = SERVER.domain.CO.UK
[logging]
    admin_server = FILE:/var/log/krb5kdc/kadmin.log
    kdc = FILE:/var/log/krb5kdc/kdc.log

SERVER is the real hostname for the machine in question, and domain.co.uk is my FQDN, or at least replacing my FQDN.

Thanks for any assistance.

6 Answers

2

It looks like your REALM and KDC declarations might be a little off.

I could be wrong, but I'm thinking instead of

[libdefaults]
    default_realm = SERVER.domain.CO.UK
[realms]
    SERVER.domain.CO.UK = {
        admin_server = server.domain.co.uk
        kdc = server.domain.co.uk
    }

You'd want to put

[libdefaults]
    default_realm = domain.CO.UK
[realms]
    domain.CO.UK = {
        admin_server = server.domain.co.uk
        kdc = server.domain.co.uk
    }

Univ426
  • 2,179
2

The Kerberos principal is username@realm, not username@domain, and the realm is case-sensitive, so please try your kinit for igor@SERVER.domain.CO.UK, capitalized exactly the way you have the realm capitalized in your conf.

The subtle distinction between server and realm is why your error is so hard to interpret - what it's trying to say is "I don't know what the server address would be for that REALM - I can't match that REALM to anything in the conf file."

Nada
  • 996
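
The realm-matching point from the answer above, as an added example (not code from the original thread): a Python check that parses the [realms] section of krb5.conf text and reports whether a principal's realm matches a configured realm exactly. The function names and the embedded sample configuration are constructed for illustration, and the principal is assumed to carry an explicit realm.

```python
import re

# Constructed sample: the [realms] layout from the question's edu.mit.kerberos file.
SAMPLE_CONF = """\
[realms]
    SERVER.domain.CO.UK = {
        admin_server = server.domain.co.uk
        kdc = server.domain.co.uk
    }
"""

def parse_realms(conf_text):
    """Return {realm: [kdc hosts]} from the [realms] section of krb5.conf text."""
    realms, section, current = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, current = header.group(1), None
        if header or section != "realms":
            continue
        opened = re.match(r"(\S+)\s*=\s*\{(.*)", line)
        if current is None and opened:
            current, line = opened.group(1), opened.group(2).strip()
            realms[current] = []
        kdc = re.match(r"kdc\s*=\s*([^\s}]+)", line)
        if current is not None and kdc:
            realms[current].append(kdc.group(1))
        if "}" in line:
            current = None
    return realms

def check_principal(principal, conf_text):
    """Classify how the realm part of a principal matches the configured realms."""
    realm = principal.rpartition("@")[2]
    realms = parse_realms(conf_text)
    if realms.get(realm):
        return "ok", realms[realm]
    # Realm names are case-sensitive; a differently cased name is another realm.
    near = [r for r in realms if r.lower() == realm.lower()]
    if near:
        return "case-mismatch", near
    # No local entry: only a DNS SRV lookup (dns_lookup_kdc) could locate a KDC.
    return "unknown-realm", ["_kerberos._udp." + realm]

if __name__ == "__main__":
    print(check_principal("igor@server.domain.co.uk", SAMPLE_CONF))
```

For the kinit command in the question this reports a case mismatch against SERVER.domain.CO.UK; for a realm with no local entry it returns the SRV record name that can be queried with dig.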
0
[libdefaults]
default_realm = domain.CO.UK

[realms]
domain.CO.UK = {
  admin_server = server.domain.co.uk
  kdc = server.domain.co.uk
}
slm
  • 8,010
0

Add this in krb5.ini:

dns_lookup_kdc = true
splattne
  • 28,776
0

Answering old questions:

This issue, IIRC, turned out to be a combination of things:

  • DNS for the domain was broken
  • The OSX Server was borked, updates were not getting through, and service configuration was mysteriously disappearing
  • There were three clones of the same server instance running on the same wire but for three different companies all using the same domain names
  • and the kicker "connected together via a communal wifi"

Once we found out, we offered network management services to everyone sharing that space - and discovered that they shared a fibre connection - with all their routers patched to each other for 'failover' reasons.

This was the point that caused each company separate issues - until we rebuilt the lot :)

0

Just fell into the same situation on Debian GNU/Linux jessie. The resolver inside kinit just did not work. strace shows kinit is asking avahi-daemon via lib-mdns. I removed avahi and kinit started working. In summary: either remove avahi-daemon or configure it properly.

Anton
  • 1