Home / server / Questions / 391044
Accepted
Mister IT Guru
Asked: 2012-05-22 05:45:02 +0800 CST

Kerberos Login Failed: Cannot resolve network address for KDC in requested realm - Kerio and Open Directory

  • 772

I'm attempting to connect Kerio to an Open Directory instance. I'm using kinit to test the setup, and I get the following:

$ kinit -V -S host/[email protected] [email protected]
Please enter the password for [email protected]:
Kerberos Login Failed: Cannot resolve network address for KDC in requested realm

This occurs, even though I am 100% sure that the password is correct. Either way, I am more concerned with regards to the part of the message that says

Kerberos Login Failed: Cannot resolve network address for KDC in requested realm

From the server running OD, and a second in house server I get the same error message. I can dig and ping server.domain.co.uk correctly from both servers, so it boggles my mind what could be wrong.

I need this to be working before I can move forward and connect up the Kerio instance to my OD.

edu.mit.kerberos

[libdefaults]
    default_realm = SERVER.domain.CO.UK
[realms]
    SERVER.domain.CO.UK = {
        admin_server = server.domain.co.uk
        kdc = server.domain.co.uk
    }
[domain_realm]
    domain.co.uk = SERVER.domain.CO.UK
    .domain.co.uk = SERVER.domain.CO.UK
[logging]
    admin_server = FILE:/var/log/krb5kdc/kadmin.log
    kdc = FILE:/var/log/krb5kdc/kdc.log

SERVER is the real hostname for the machine in question, and domain.co.uk is my FQDN, or at least replacing my FQDN

Thanks for any assistance.

mac-osx-server openldap opendirectory kerio

6 Answers

  1. It looks like your REALM and KDC declarations might be a little off.

    I could be wrong, but I'm thinking instead of

    [libdefaults]

    default_realm = SERVER.domain.CO.UK

    [realms]

    SERVER.domain.CO.UK = {

    admin_server = server.domain.co.uk

    kdc = server.domain.co.uk }

    You'd want to put

    [libdefaults]

    default_realm = domain.CO.UK

    [realms]

    domain.CO.UK = {

    admin_server = server.domain.co.uk

    kdc = server.domain.co.uk }

    • 2

  2. The kerberos principal is username@realm, not username@domain, and the realm is case-sensitive, so please try your kinit for [email protected], capitalized exactly the way you have the realm capitalized in your conf.

    The subtle distinction between server and realm is why your error is so hard to interpret - what it's trying to say is "I don't know what the server address would be for that REALM - I can't match that REALM to anything in the conf file."

    • 2 
  3. [libdefaults]
default_realm = domain.CO.UK

[realms]
domain.CO.UK = {
  admin_server = server.domain.co.uk
  kdc = server.domain.co.uk
}
    • 0

  4. add this in krb5.ini :

    dns_lookup_kdc = true
    • 0
  5. Best Answer

    Answering old questions:

    This issue IIRC turned out to be a combination of things

    • DNS for the domain was broken
    • The OSX Server was borked, updates where not getting through, and service configuration was mysteriously disappearing
    • There where three clones of the same server instance running on the same wire but for three different companies all using the same domain names
    • and the kicker "connected together via a communal wifi"

    Once we found we we offered network management services to everyone sharing that space - and discovered that they shared a fibre connection - with all their routers patched to each other for 'failover' reasons.

    This was the point that caused each company separate issues - until we rebuilt the lot :)

    • 0

  6. Just fell in same situation on Debian GNU/Linux jessie. Resolver inside kinit just did not work. strace shows kinit is asking Avahi-daemon via lib-mdns. I've removed avahi and kinit started working. The resume - either remove avahi-daemon or configure it properly.

    • 0