hadoop kerberos

Cannot find KDC for realm while initializing kadmin interface


Given the following krb5.conf (where FOOBAR.COM is a made-up string)

[libdefaults]
  renew_lifetime = 7d
  forwardable = true
  default_realm = FOOBAR.COM
  ticket_lifetime = 24h
  dns_lookup_realm = false
  dns_lookup_kdc = false
  default_ccache_name = /tmp/krb5cc_%{uid}
  #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
  #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5

[domain_realm]
#Been messing around with this part
FOOBAR.COM = FOOBAR.COM
.FOOBAR.COM = FOOBAR.COM


[logging]
  default = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  kdc = FILE:/var/log/krb5kdc.log

[realms]
  FOOBAR.COM = {
    admin_server = my_admin_server_hostname
    kdc = my_kdc_hostname
  }

Calling kadmin with my realm name and other parameters doesn't work. It cannot find the kdc.

[kdc machine] kadmin -s localhost -p admin/admin@foobar.com -r FOOBAR.COM -q "get_principal admin/admin@foobar.com"
    Authenticating as principal admin/admin@foobar.com with password.
    kadmin: Cannot find KDC for realm "foobar.com" while initializing kadmin interface

However accessing kadmin first works (maybe because it accesses kadmin.local?)

[kdc machine]# kadmin
Authenticating as principal admin/admin@FOOBAR.COM with password.
Password for admin/admin@FOOBAR.COM:
kadmin:  get_principal admin/admin@foobar.com
get_principal: Principal does not exist while retrieving "admin/admin@foobar.com".

And strangely, leaving out the principal flag works OK too

[kdc machine]# kadmin -s localhost -r FOOBAR.COM -q "get_principal admin/admin@foobar.com"
Authenticating as principal admin/admin@FOOBAR.COM with password.
Password for admin/admin@FOOBAR.COM:
get_principal: Principal does not exist while retrieving "admin/admin@foobar.com".

I'm assuming this is because of some DNS problem, since my realm string FOOBAR.COM is a fictional address. I've been editing my krb5.conf and hosts file trying to resolve this, but without much success. Using an actual FQDN instead of a random string as realm name is not an option. I don't get why leaving out -p would lead to a different result though...

Does anyone have ideas on how to still make the first query work?


Solution

  • Alright so it seems the problem was with specifying the principal -p

    This fails: -p admin/admin@holograph.tor.indexww.com

    This succeeds: -p admin/admin

    Kadmin apparently automatically adds the realm name after the principal and was failing on that, nothing to do with 'not finding the KDC server' at all.
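The error text in the question already names the realm kadmin was looking for: `"foobar.com"` in lowercase, while the only realm configured under `[realms]` is `FOOBAR.COM`. Kerberos realm names are case-sensitive, so a principal written as `admin/admin@foobar.com` asks for a realm that the config does not define, and no `-r` flag overrides the realm embedded in the principal string. The following check, an added example that is not part of the original post or of any Kerberos tool, parses a krb5.conf modelled on the poster's file (constructed inline) and classifies a principal as matching a configured realm, relying on `default_realm`, differing only in case, or naming an unknown realm. The parser is a minimal one written for this example and handles only the flat `key = value` lines and `NAME = { ... }` realm blocks shown here.

```python
"""Check whether the realm embedded in a Kerberos principal is actually
configured in a krb5.conf; a mismatch is one cause of
"Cannot find KDC for realm". Added example, not the poster's code."""
import re

# Constructed krb5.conf text, modelled on the one in the question.
SAMPLE_KRB5_CONF = """
[libdefaults]
  default_realm = FOOBAR.COM
  dns_lookup_kdc = false

[realms]
  FOOBAR.COM = {
    admin_server = my_admin_server_hostname
    kdc = my_kdc_hostname
  }

[domain_realm]
  .FOOBAR.COM = FOOBAR.COM
"""


def parse_krb5_conf(text):
    """Minimal parser: returns ({section: {key: value}} for top-level keys,
    set of realm names found as '{ ... }' blocks inside [realms])."""
    sections = {}
    realms = set()
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m and depth == 0:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if line.endswith('{'):                # start of a NAME = { block
            name = line[:-1].split('=', 1)[0].strip()
            if current == 'realms' and depth == 0:
                realms.add(name)
            depth += 1
            continue
        if line == '}':
            depth -= 1
            continue
        if depth == 0 and current is not None and '=' in line:
            key, value = (s.strip() for s in line.split('=', 1))
            sections[current][key] = value
    return sections, realms


def split_principal(principal):
    """Return (name, realm). The realm is the text after the last
    unescaped '@'; realm is None when the principal carries none."""
    idx = -1
    i = 0
    while i < len(principal):
        if principal[i] == '\\':              # skip escaped character
            i += 2
            continue
        if principal[i] == '@':
            idx = i
        i += 1
    if idx < 0:
        return principal, None
    return principal[:idx], principal[idx + 1:]


def check_principal(principal, conf_text):
    """Classify a principal against the config as 'ok' (realm configured),
    'default' (no realm given, default_realm is configured),
    'case-mismatch' (realm differs only in case) or 'unknown-realm'."""
    sections, realms = parse_krb5_conf(conf_text)
    _, realm = split_principal(principal)
    if realm is None:
        default = sections.get('libdefaults', {}).get('default_realm')
        return 'default' if default in realms else 'unknown-realm'
    if realm in realms:
        return 'ok'
    if any(realm.upper() == r.upper() for r in realms):
        return 'case-mismatch'
    return 'unknown-realm'


if __name__ == '__main__':
    for p in ('admin/admin@foobar.com', 'admin/admin', 'admin/admin@FOOBAR.COM'):
        print(p, '->', check_principal(p, SAMPLE_KRB5_CONF))
```

Run against the constructed config, the principal from the failing command (`admin/admin@foobar.com`) is reported as a case mismatch, the bare `admin/admin` from the working command falls back to `default_realm`, and `admin/admin@FOOBAR.COM` matches directly. Pointing `SAMPLE_KRB5_CONF` at the contents of a real `/etc/krb5.conf` gives a quick sanity check before touching DNS or hosts files.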