virtualbox kerberos centos7

Kerberos kinit: Resource temporarily unavailable while getting initial credentials


I am in the process of setting up Kerberos on CentOS 7 (more specifically: the Hortonworks HDP 2.3 sandbox) running in a VirtualBox VM. My problem is that kinit seems to be unable to reach my KDC: the answer is "Resource temporarily unavailable while getting initial credentials" if I add an address in my /etc/hosts file, and if I leave that file as is I get the message "could not contact any host for realm mycompany while getting initial credentials".
The KDC is running (I can find it with ps, plus the service starts with an "okay" message), same for kadmin.

As a guide for setting up Kerberos I followed these two guides:
CentOS guide
Guide 2

My config files: krb5.conf

[logging]
  default = FILE:/var/log/krb5libs.log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmin.log

[libdefaults]
  default_realm = MYCOMPANY.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true


[realms]
  MYCOMPANY.COM = {
    kdc = kerberos.mycompany.com
    admin_server = kerberos.mycompany.com
  }

[domain_realm]
  .mycompany.com = MYCOMPANY.COM
  mycompany.com = MYCOMPANY.COM

kdc.conf

[kdcdefaults]
  kdc_ports = 88
  kdc_tcp_ports = 88,750

[realms]
  MYCOMPANY.COM = {
    #master_key_type = aes256-cts
    acl_file = /var/kerberos/krb5kdc/kadm5.acl
    dict_file = /usr/share/dict/words
    admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
    supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
  }

kadm5.acl

*/admin@MYCOMPANY.COM *

/etc/hosts

127.0.0.1       localhost.localdomain localhost
192.168.96.140  sandbox.hortonworks.com sandbox ambari.hortonworks.com
192.168.1.3     mycompany.com kerberos.mycompany.com

I get the "Resource..." error if I have any address in the third line of the hosts file; if that line is missing I get the "could not contact..." error.

I could trace the kinit command with something along the lines of krb5_trace or something (unfortunately I can't find the link I got it from any more, nor remember the exact command) to the address specified in the hosts file, so kinit seems to contact the fitting address; it's just that the KDC does not listen there.
Netstat shows that the KDC is listening on the ports specified in the kdc.conf.

Any help would be appreciated.


Solution

  • Okay, so it does work now. Things I did to fix it:

    /etc/resolv.conf

         mycompany.com  127.0.0.1
    

    /etc/hosts

         127.0.0.1       localhost.localdomain localhost
         192.168.96.140  sandbox.hortonworks.com sandbox ambari.hortonworks.com
         127.0.0.1     mycompany.com kerberos.mycompany.com
    

    And, most embarrassing: I used kinit mycompany/admin for the principal user/admin@mycompany.com, which is of course wrong.
    The right call is of course kinit user/admin.
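
To tell apart the two situations described in the question (the KDC name does not resolve, versus it resolves to an address where nothing answers), the following added example, which is not part of the original post, reads the `kdc` entries for the default realm from a krb5.conf and checks each one. The function names are hypothetical, and the probe assumes TCP only, so it does not exercise the UDP path.

```python
import socket
# Constructed sample: the relevant lines of the krb5.conf from the question.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = MYCOMPANY.COM
[realms]
  MYCOMPANY.COM = {
    kdc = kerberos.mycompany.com
  }
"""

def parse_krb5(text):
    """Return (default_realm, {realm: [kdc entries]}) from krb5.conf text."""
    section = realm = default_realm = None
    kdcs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
        elif line == "}":
            realm = None
        elif "=" in line:
            key, _, value = (p.strip() for p in line.partition("="))
            if section == "realms" and value == "{":
                realm = key
            elif section == "libdefaults" and key == "default_realm":
                default_realm = value
            elif section == "realms" and realm and key == "kdc":
                kdcs.setdefault(realm, []).append(value)
    return default_realm, kdcs

def check_kdc(entry, resolve=socket.gethostbyname, connect=socket.create_connection):
    """Classify a 'host[:port]' kdc entry: unresolvable, no-listener or reachable."""
    host, _, port = entry.partition(":")
    port = int(port) if port else 88  # default Kerberos port, as in kdc_ports
    addr, status = None, "unresolvable"
    try:
        addr = resolve(host)                        # goes through /etc/hosts, then DNS
        status = "no-listener"                      # resolved; now try the TCP port
        connect((addr, port), timeout=2.0).close()
        status = "reachable"
    except OSError:  # covers socket.gaierror, refused connections and timeouts
        pass
    return {"host": host, "port": port, "addr": addr, "status": status}

if __name__ == "__main__":
    default_realm, kdcs = parse_krb5(SAMPLE_KRB5_CONF)
    print([check_kdc(e) for e in kdcs.get(default_realm, [])])
```

Run it on the client with the real /etc/krb5.conf contents passed to `parse_krb5`; a `no-listener` result means the name in the hosts file points at an address where the KDC's TCP port did not answer.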