Troubleshooting Errors
A.2. Investigating kinit Authentication Failures
General Troubleshooting
- On the IdM client, display the debug messages from the kinit process:
    $ KRB5_TRACE=/dev/stdout kinit admin
- Verify that:
  - The client forward record is correct both on the server and on the affected client:
      # host client_fully_qualified_domain_name
  - The server forward and reverse records are correct both on the server and on the affected client:
      # host server_fully_qualified_domain_name
      # host server_IP_address
    The host server_IP_address command (a reverse lookup) must return a fully qualified host name with a trailing dot at the end, such as: server.example.com.
- Review the /etc/hosts file on the client, and make sure that:
  - All server entries in the file are correct
  - In all server entries, the first name is a fully qualified domain name
  See also the section called "The /etc/hosts File".
- Make sure you meet the other conditions in Section 2.1.3, "Host Name and DNS Configuration".
- On the IdM server, make sure that the krb5kdc and dirsrv services are running:
    # systemctl status krb5kdc
    # systemctl status dirsrv.target
- Review the Kerberos key distribution center (KDC) log: /var/log/krb5kdc.log.
- If the KDCs are hard-coded in the /etc/krb5.conf file (the file explicitly sets kdc directives for the realm and uses the dns_lookup_kdc = false setting), use the ipactl status command on each master server. Check the status of the IdM services on each server listed as a KDC:
    # ipactl status
    Directory Service: RUNNING
    krb5kdc Service: RUNNING
    kadmin Service: RUNNING
    named Service: RUNNING
    httpd Service: RUNNING
    ipa-custodia Service: RUNNING
    ntpd Service: RUNNING
    pki-tomcatd Service: RUNNING
    ipa-otpd Service: RUNNING
    ipa-dnskeysyncd Service: RUNNING
    ipa: INFO: The ipactl command was successful
Troubleshooting Errors: Cannot find KDC for realm
If kinit authentication fails with an error that says Cannot find KDC for realm "EXAMPLE.COM" while getting initial credentials, the client was unable to locate any KDC for the realm: either the KDC is not running on the server, or the client's DNS (or hard-coded /etc/krb5.conf) configuration does not point it at a reachable server. In this situation, try these steps:
- If DNS discovery is enabled in the /etc/krb5.conf file (the dns_lookup_kdc = true setting), use the dig utility to check whether the following records are resolvable:
    $ dig -t TXT _kerberos.ipa.example.com
    $ dig -t SRV _kerberos._udp.ipa.example.com
    $ dig -t SRV _kerberos._tcp.ipa.example.com
  In the following example, one of the dig commands above failed with this output:
    ; <<>> DiG 9.11.0-P2-RedHat-9.11.0-6.P2.fc25 <<>> -t SRV _kerberos._tcp.ipa.server.example
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
  "No servers could be reached" means that the client could not contact any configured DNS server at all, not that the record is missing. In this case, the named service was not running on the master server.
- If DNS lookup fails, continue with the steps in Section A.6, "Troubleshooting DNS".
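The checks from both sections above (forward and reverse records, the /etc/hosts server entry, the dns_lookup_kdc setting, the Kerberos TXT/SRV lookups and the KRB5_TRACE run) collected into one client-side script, as an added example that is not part of the Red Hat documentation. The function names, the argument order (client FQDN, server FQDN, server IP, DNS domain) and the /etc/hosts and krb5.conf contents used to exercise the parsers are assumptions; the script relies on the standard output formats of host and dig shown above:

```bash
#!/bin/sh
# Added example, not from the Red Hat documentation: pre-flight checks for
# kinit failures on an IdM client. Each check parses output or a file passed
# to it, so it can be exercised on constructed input; run_all wires the checks
# to the real host, dig and kinit commands. Assumed arguments for run_all:
# client FQDN, server FQDN, server IP, DNS domain of the IdM deployment.

# Every /etc/hosts line naming the IdM server must list its FQDN first.
# Returns 0 if found and correct, 1 if the server is absent, 2 if short name first.
check_hosts_server_entry() {
    local file="$1" fqdn="$2" short="${2%%.*}" rc=1 addr names first
    while read -r addr names; do
        case $addr in ''|\#*) continue ;; esac      # blank line or comment
        set -- $names                                # the names after the address
        first=$1
        case " $* " in                               # does this line name the server?
            *" $fqdn "*|*" $short "*) ;;
            *) continue ;;
        esac
        if [ "$first" = "$fqdn" ]; then
            rc=0
        else
            printf 'BAD /etc/hosts entry "%s %s": first name must be %s\n' "$addr" "$names" "$fqdn"
            return 2
        fi
    done < "$file"
    return $rc
}

# $1: output of 'host <server IP>'. Succeeds only when the PTR target is a
# fully qualified name with a trailing dot, such as "server.example.com.".
ptr_is_fqdn() {
    local target="${1##* }"                          # last whitespace-separated field
    case $target in
        *.*.) return 0 ;;
        *) printf 'reverse lookup did not return a FQDN with trailing dot: %s\n' "$1"; return 1 ;;
    esac
}

# Print "dns" when the client discovers KDCs through DNS (dns_lookup_kdc true
# or unset, the MIT default), or "static" followed by each hard-coded kdc host.
kdc_discovery_mode() {
    local file="$1" mode=dns
    if grep -Eiq '^[[:space:]]*dns_lookup_kdc[[:space:]]*=[[:space:]]*(false|no|0)' "$file"; then
        mode=static
    fi
    printf '%s\n' "$mode"
    if [ "$mode" = static ]; then
        sed -n 's/^[[:space:]]*kdc[[:space:]]*=[[:space:]]*//p' "$file"
    fi
}

# $1: captured dig output. 0 = record present, 1 = no answer (NXDOMAIN or
# empty), 2 = resolver unreachable (the "no servers could be reached" case).
dig_output_ok() {
    case $1 in
        *"connection timed out"*|*"no servers could be reached"*)
            echo "DNS server unreachable: check named on the master and the client resolver"
            return 2 ;;
        *"ANSWER SECTION"*) return 0 ;;
        *) echo "no record returned"; return 1 ;;
    esac
}

# Query the TXT and SRV records IdM publishes for Kerberos under domain $1.
run_dns_checks() {
    local domain="$1" rc=0 out q
    for q in "TXT _kerberos.$domain" "SRV _kerberos._udp.$domain" "SRV _kerberos._tcp.$domain"; do
        set -- $q
        out=$(dig -t "$1" "$2" 2>&1) || true
        dig_output_ok "$out" || { printf 'FAILED: dig -t %s %s\n' "$1" "$2"; rc=1; }
    done
    return $rc
}

run_all() {
    local client="$1" server="$2" server_ip="$3" domain="$4" rc=0
    echo "== forward records =="
    host "$client" || rc=1
    host "$server" || rc=1
    echo "== reverse record for $server_ip =="
    ptr_is_fqdn "$(host "$server_ip" 2>&1)" || rc=1
    echo "== /etc/hosts =="
    check_hosts_server_entry /etc/hosts "$server" || rc=1
    echo "== KDC discovery =="
    case $(kdc_discovery_mode /etc/krb5.conf | head -n 1) in
        dns)    run_dns_checks "$domain" || rc=1 ;;
        static) echo "KDCs hard-coded in /etc/krb5.conf: run 'ipactl status' on each listed master" ;;
    esac
    echo "== kinit trace =="
    KRB5_TRACE=/dev/stdout kinit admin || rc=1
    return $rc
}

# Run only when all four arguments are given, so the file can also be sourced.
if [ "$#" -eq 4 ]; then
    run_all "$1" "$2" "$3" "$4"
fi
```

Invoke it as sh kinit-check.sh client.example.com server.example.com 192.0.2.10 example.com on the failing client; a non-zero exit means at least one check printed a BAD or FAILED line, and the KRB5_TRACE output at the end shows which KDC address kinit actually tried.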
Related Information
- See Section C.2, “Identity Management Log Files and Directories” for descriptions of various Identity Management log files.
