
A.2. Investigating kinit Authentication Failures

General Troubleshooting

  1. On the IdM client, display the trace messages from the kinit process. The KRB5_TRACE output shows how the client located the KDC, which address it sent the request to, and at which step the exchange failed:
    $ KRB5_TRACE=/dev/stdout kinit admin
  2. Verify that:
    • The forward (A or AAAA) record of the client resolves correctly both on the server and on the affected client:
      # host client_fully_qualified_domain_name
    • The forward and reverse (PTR) records of the server resolve correctly both on the server and on the affected client:
      # host server_fully_qualified_domain_name
      # host server_IP_address
      The host server_IP_address command must return the server's fully qualified host name as an absolute name, that is, with a trailing dot, such as:
      server.example.com.
  3. Review the /etc/hosts file on the client, and make sure that:
    • All server entries in the file are correct
    • In all server entries, the first name is a fully qualified domain name
  4. Make sure you meet the other conditions in Section 2.1.3, “Host Name and DNS Configuration”.
  5. On the IdM server, make sure that the krb5kdc and dirsrv services are running:
    # systemctl status krb5kdc
    # systemctl status dirsrv.target
  6. Review the Kerberos key distribution center (KDC) log: /var/log/krb5kdc.log.
  7. If the KDCs are hard-coded in the /etc/krb5.conf file (the file lists kdc directives for the realm and sets dns_lookup_kdc = false), run the ipactl status command on each server listed as a KDC and check that the IdM services are running:
    # ipactl status
    Directory Service: RUNNING
    krb5kdc Service: RUNNING
    kadmin Service: RUNNING
    named Service: RUNNING
    httpd Service: RUNNING
    ipa-custodia Service: RUNNING
    ntpd Service: RUNNING
    pki-tomcatd Service: RUNNING
    ipa-otpd Service: RUNNING
    ipa-dnskeysyncd Service: RUNNING
    ipa: INFO: The ipactl command was successful
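The DNS and /etc/hosts checks in steps 2 and 3 are easy to get subtly wrong by eye (a reverse record that points at the right name but without the trailing dot, or a hosts entry that lists the short name first). The following script, an added example that is not Red Hat's code, applies those checks mechanically. The /etc/hosts content and the `host` output it works on are constructed samples so that it runs with no network and no IdM server; on a real client, feed it the actual /etc/hosts and the actual `host` output.

```shell
#!/bin/sh
# Added example (not Red Hat's code): static checks for steps 2 and 3 of the
# procedure above. All inputs below are constructed samples.

# Constructed /etc/hosts content. The third entry lists the short name first,
# which the procedure forbids.
SAMPLE_HOSTS='127.0.0.1   localhost localhost.localdomain
192.0.2.10  server.example.com server
192.0.2.11  replica replica.example.com'

# Constructed output of `host server.example.com` and `host 192.0.2.10`.
GOOD_FWD='server.example.com has address 192.0.2.10'
GOOD_PTR='10.2.0.192.in-addr.arpa domain name pointer server.example.com.'
# Same PTR without the trailing dot (a relative name, not acceptable here).
BAD_PTR='10.2.0.192.in-addr.arpa domain name pointer server.example.com'
# PTR for a different address, and PTR pointing at a different name.
WRONG_IP_PTR='11.2.0.192.in-addr.arpa domain name pointer server.example.com.'
WRONG_NAME_PTR='10.2.0.192.in-addr.arpa domain name pointer other.example.com.'

# hosts_fqdn_first: read hosts-file lines on stdin and print "<ip> <name>" for
# every non-loopback entry whose first name is not fully qualified.
# Returns 0 when all entries are fine, 1 otherwise.
hosts_fqdn_first() {
    bad=0
    while read -r ip first _rest; do
        case "$ip" in ''|'#'*|127.*|::1) continue ;; esac
        case "$first" in
            *.*) ;;
            *) printf '%s %s\n' "$ip" "$first"; bad=1 ;;
        esac
    done
    return "$bad"
}

# arpa_to_ip: turn 10.2.0.192.in-addr.arpa back into 192.0.2.10 (IPv4 only).
arpa_to_ip() {
    arpa=${1%.in-addr.arpa}
    old_ifs=$IFS; IFS=.; set -- $arpa; IFS=$old_ifs
    printf '%s.%s.%s.%s\n' "$4" "$3" "$2" "$1"
}

# forward_reverse_agree FWD_LINE PTR_LINE: the address in the forward record
# must be the one the PTR was looked up for, and the PTR target must be the
# same name written absolutely (trailing dot). Prints a one-word verdict and
# returns 0 only on "match".
forward_reverse_agree() {
    fwd_name=${1%% *}
    fwd_ip=${1##* }
    ptr_arpa=${2%% *}
    ptr_name=${2##* }
    if [ "$(arpa_to_ip "$ptr_arpa")" != "$fwd_ip" ]; then
        printf 'address-mismatch\n'; return 1
    fi
    case "$ptr_name" in
        "$fwd_name.") printf 'match\n'; return 0 ;;
        "$fwd_name")  printf 'relative-name\n'; return 1 ;;
        *)            printf 'name-mismatch\n'; return 1 ;;
    esac
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_HOSTS" | hosts_fqdn_first || echo "hosts: short name listed first (see above)"
forward_reverse_agree "$GOOD_FWD" "$GOOD_PTR"
forward_reverse_agree "$GOOD_FWD" "$BAD_PTR" || true
```

Run the forward/reverse comparison on both the server and the affected client, since the procedure requires the records to be correct from both vantage points; a "relative-name" verdict is the trailing-dot problem the text warns about, and "address-mismatch" usually means a stale PTR record after a server changed address.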

Troubleshooting Errors Cannot find KDC for realm

If kinit authentication fails with an error that says Cannot find KDC for realm "EXAMPLE.COM" while getting initial credentials, the client could not locate any KDC for the realm: either the KDC is not running on the server, or the client's DNS configuration does not lead to it. In this situation, try these steps:
  1. If DNS discovery is enabled in the /etc/krb5.conf file (the dns_lookup_kdc = true setting), use the dig utility to check whether the following records are resolvable. The TXT record maps the DNS domain to the Kerberos realm; the SRV records list the KDCs for the realm:
    $ dig -t TXT _kerberos.ipa.example.com
    $ dig -t SRV _kerberos._udp.ipa.example.com
    $ dig -t SRV _kerberos._tcp.ipa.example.com
    In the following example, the SRV lookup failed with this output:
    ; <<>> DiG 9.11.0-P2-RedHat-9.11.0-6.P2.fc25 <<>> -t SRV _kerberos._tcp.ipa.server.example
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    The output shows that the client could not reach any of its configured name servers at all, as opposed to receiving a negative answer (NXDOMAIN) for the record. In this case, the named service was not running on the master server that the client uses as its name server.
  2. If DNS lookup fails, continue with the steps in Section A.6, “Troubleshooting DNS”.
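Whether the right next step is the dig queries above or the ipactl status check of step 7 in the general procedure depends on how the client's /etc/krb5.conf locates KDCs. The following script, an added example that is not Red Hat's code, reads that decision out of the file: it parses dns_lookup_kdc from [libdefaults] and the kdc entries of the realm's [realms] stanza, then prints the commands to run next. The two krb5.conf contents are constructed samples; on a real client, read /etc/krb5.conf instead. It assumes that dns_lookup_kdc counts as true when the file does not set it, which is the MIT Kerberos default.

```shell
#!/bin/sh
# Added example (not Red Hat's code): choose between the DNS-discovery checks
# and the hard-coded-KDC checks by parsing the client's krb5.conf.
# Assumption: an absent dns_lookup_kdc means true (MIT Kerberos default).

# Constructed sample: client that discovers KDCs through DNS.
KRB5_DNS='[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true

[realms]
 EXAMPLE.COM = {
  default_domain = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM'

# Constructed sample: client with the KDCs hard-coded.
KRB5_STATIC='[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.COM = {
  kdc = server.example.com:88
  kdc = replica.example.com:88
  master_kdc = server.example.com:88
  admin_server = server.example.com:749
 }'

# krb5_dns_lookup_kdc: read krb5.conf on stdin, print "true" or "false".
krb5_dns_lookup_kdc() {
    awk '
        /^[ \t]*\[/ { sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect); next }
        sect == "libdefaults" && index($0, "=") {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            if (key == "dns_lookup_kdc") {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); gsub(/[ \t]/, "", val)
            }
        }
        END { print (val == "" ? "true" : tolower(val)) }
    '
}

# krb5_realm_kdcs REALM: read krb5.conf on stdin, print each kdc host of REALM
# (port suffix removed), one per line.
krb5_realm_kdcs() {
    awk -v realm="$1" '
        /^[ \t]*\[/ { sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect); inrealm = 0; next }
        sect == "realms" && !inrealm && index($0, "=") {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            if (key == realm && index($0, "{")) inrealm = 1
            next
        }
        inrealm && /^[ \t]*}/ { inrealm = 0; next }
        inrealm && index($0, "=") {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            if (key == "kdc") {
                host = $0; sub(/^[^=]*=[ \t]*/, "", host); sub(/:[0-9]+[ \t]*$/, "", host)
                gsub(/[ \t]/, "", host); print host
            }
        }
    '
}

# kdc_check_plan CONF_TEXT REALM DNS_DOMAIN: print the commands to run next.
# DNS discovery on: the TXT and SRV records kinit looks up for DNS_DOMAIN.
# DNS discovery off: ipactl status on every server named by a kdc directive.
kdc_check_plan() {
    conf=$1; realm=$2; domain=$3
    if [ "$(printf '%s\n' "$conf" | krb5_dns_lookup_kdc)" = true ]; then
        printf 'dig -t TXT _kerberos.%s\n' "$domain"
        printf 'dig -t SRV _kerberos._udp.%s\n' "$domain"
        printf 'dig -t SRV _kerberos._tcp.%s\n' "$domain"
    else
        printf '%s\n' "$conf" | krb5_realm_kdcs "$realm" |
            while read -r host; do printf 'on %s: ipactl status\n' "$host"; done
    fi
}

kdc_check_plan "$KRB5_DNS" EXAMPLE.COM ipa.example.com
kdc_check_plan "$KRB5_STATIC" EXAMPLE.COM ipa.example.com
```

When the plan lists kdc hosts, every one of them matters: with hard-coded KDCs the client has no other way to find a realm server, so a single stopped krb5kdc on a listed host turns into intermittent Cannot find KDC errors depending on which entry the client tries first.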

Related Information