A.2. Investigating kinit Authentication Failures
General Troubleshooting
- On the IdM client, display the debug messages from the kinit process:

    $ KRB5_TRACE=/dev/stdout kinit admin

- Verify that:
  - The client forward record is correct both on the server and on the affected client:

        # host client_fully_qualified_domain_name

  - The server forward record is correct both on the server and on the affected client:

        # host server_fully_qualified_domain_name
        # host server_IP_address

    The host server_IP_address command must return a fully qualified host name with a trailing dot at the end, such as: server.example.com.

- Review the /etc/hosts file on the client, and make sure that:
  - All server entries in the file are correct
  - In all server entries, the first name is a fully qualified domain name

  See also the section called “The /etc/hosts File”.
- Make sure you meet the other conditions in Section 2.1.5, “Host Name and DNS Configuration”.
- On the IdM server, make sure that the krb5kdc and dirsrv services are running:

    # systemctl status krb5kdc
    # systemctl status dirsrv.target

- Review the Kerberos key distribution center (KDC) log: /var/log/krb5kdc.log.
- If the KDCs are hard-coded in the /etc/krb5.conf file (the file explicitly sets KDC directives and uses the dns_lookup_kdc = false setting), use the ipactl status command on each master server. Check the status of the IdM services on each server listed as KDC by the command:

    # ipactl status
    Directory Service: RUNNING
    krb5kdc Service: RUNNING
    kadmin Service: RUNNING
    named Service: RUNNING
    httpd Service: RUNNING
    ipa-custodia Service: RUNNING
    ntpd Service: RUNNING
    pki-tomcatd Service: RUNNING
    ipa-otpd Service: RUNNING
    ipa-dnskeysyncd Service: RUNNING
    ipa: INFO: The ipactl command was successful
Troubleshooting Errors

Cannot find KDC for realm
If kinit authentication fails with an error that says Cannot find KDC for realm "EXAMPLE.COM" while getting initial credentials, it indicates that the KDC is not running on the server or that the client has misconfigured DNS. In this situation, try these steps:
- If DNS discovery is enabled in the /etc/krb5.conf file (the dns_lookup_kdc = true setting), use the dig utility to check whether the following records are resolvable:

    $ dig -t TXT _kerberos.ipa.example.com
    $ dig -t SRV _kerberos._udp.ipa.example.com
    $ dig -t SRV _kerberos._tcp.ipa.example.com

  In the following example, one of the dig commands above failed with this output:

    ; <<>> DiG 9.11.0-P2-RedHat-9.11.0-6.P2.fc25 <<>> -t SRV _kerberos._tcp.ipa.server.example
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached

  The output indicated that the named service was not running on the master server.
- If DNS lookup fails, continue with the steps in Section A.6, “Troubleshooting DNS”.
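The following script is an added example, not part of the Red Hat guide, that turns the manual checks from both procedures above into small shell functions: the trailing-dot test on a reverse lookup answer, the "first name is the FQDN" rule for /etc/hosts server entries, and a classifier for captured dig output. All sample inputs are constructed; the function names are the author's own.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: offline checks that mirror the
# manual kinit troubleshooting steps. All sample data below is constructed.

# Reverse lookup check: the last field of a `host <IP>` answer must be a
# fully qualified name ending in a trailing dot (e.g. "server.example.com.").
check_ptr_fqdn() {
    name=${1##* }                 # last whitespace-separated field
    case "$name" in
        *.*.) return 0 ;;         # at least one label, then the trailing dot
        *)    return 1 ;;
    esac
}

# /etc/hosts check: in every non-loopback entry the first name after the
# address must be the fully qualified domain name. Prints offenders, exit 1 if any.
check_hosts_file() {
    printf '%s\n' "$1" | awk '
        /^#/ || NF < 2                   { next }
        $1 == "127.0.0.1" || $1 == "::1" { next }
        $2 !~ /\./                       { print "short name listed first: " $0; n++ }
        END                              { exit (n > 0) }'
}

# Classify captured `dig` output for the _kerberos TXT/SRV lookups.
classify_dig() {
    case "$1" in
        *"no servers could be reached"*) echo unreachable ;;   # DNS server (named) not answering
        *"ANSWER SECTION"*)              echo resolved ;;      # record found
        *)                               echo no-record ;;     # server answered, record missing
    esac
}

# Constructed sample inputs
SAMPLE_PTR='10.2.0.192.in-addr.arpa domain name pointer server.example.com.'
SAMPLE_HOSTS='127.0.0.1 localhost
192.0.2.10 server server.example.com'
SAMPLE_DIG=';; connection timed out; no servers could be reached'

check_ptr_fqdn "$SAMPLE_PTR" && echo "PTR answer is fully qualified"
check_hosts_file "$SAMPLE_HOSTS" || echo "/etc/hosts needs fixing"
echo "dig result: $(classify_dig "$SAMPLE_DIG")"
```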
Related Information
- See Section C.2, “Identity Management Log Files and Directories” for descriptions of various Identity Management log files.