A.2. Investigating kinit Authentication Failures
General Troubleshooting
- On the IdM client, display the debug messages from the kinit process:

    $ KRB5_TRACE=/dev/stdout kinit admin
- Verify that:
  - The client forward record is correct both on the server and on the affected client:

        # host client_fully_qualified_domain_name

  - The server forward record is correct both on the server and on the affected client:

        # host server_fully_qualified_domain_name
        # host server_IP_address

    The host server_IP_address command must return a fully qualified host name with a trailing dot, such as: server.example.com.
  - Review the /etc/hosts file on the client, and make sure that:
    - All server entries in the file are correct
    - In all server entries, the first name is a fully qualified domain name

    See also the section called "The /etc/hosts File".
  - Make sure you meet the other conditions in Section 2.1.5, "Host Name and DNS Configuration".
- On the IdM server, make sure that the krb5kdc and dirsrv services are running:

    # systemctl status krb5kdc
    # systemctl status dirsrv.target
- Review the Kerberos key distribution center (KDC) log: /var/log/krb5kdc.log.
- If the KDCs are hard-coded in the /etc/krb5.conf file (the file explicitly sets KDC directives and uses the dns_lookup_kdc = false setting), run the ipactl status command on each master server that the file lists as a KDC, and check the status of the IdM services on that server:

    # ipactl status
    Directory Service: RUNNING
    krb5kdc Service: RUNNING
    kadmin Service: RUNNING
    named Service: RUNNING
    httpd Service: RUNNING
    ipa-custodia Service: RUNNING
    ntpd Service: RUNNING
    pki-tomcatd Service: RUNNING
    ipa-otpd Service: RUNNING
    ipa-dnskeysyncd Service: RUNNING
    ipa: INFO: The ipactl command was successful
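The name-resolution conditions in the list above can be checked mechanically. The shell functions below are an added example, not part of the Red Hat guide: they operate on constructed sample input (an /etc/hosts fragment and answers in the format the host command prints) so they run offline, and the function names and the 192.0.2.x addresses are this example's own assumptions. run_live_checks applies the same functions to the real host output and /etc/hosts on a client.

```shell
#!/bin/sh
# Added example, not from the IdM guide: offline checks for the conditions
# the procedure above asks you to verify by hand. All inputs below are
# constructed samples; function names are this example's own.

# Constructed /etc/hosts fragments. The second one is wrong in the way the
# guide warns about: the short name comes before the fully qualified one.
HOSTS_GOOD='127.0.0.1   localhost
192.0.2.10  server.example.com server'
HOSTS_BAD='192.0.2.10  server server.example.com'

# Constructed `host server_IP_address` answers (reverse lookup).
PTR_GOOD='10.2.0.192.in-addr.arpa domain name pointer server.example.com.'
PTR_SHORT='10.2.0.192.in-addr.arpa domain name pointer server.'

# Constructed `host server_fully_qualified_domain_name` answer.
FWD_GOOD='server.example.com has address 192.0.2.10'

# hosts_first_name_is_fqdn IP  < /etc/hosts
# 0: an entry for IP exists and its first name contains a dot (FQDN)
# 1: an entry exists but its first name is a short name
# 2: no entry for IP at all
hosts_first_name_is_fqdn() {
    ip="$1"
    first=$(grep -v '^[[:space:]]*#' | awk -v ip="$ip" '$1 == ip { print $2; exit }')
    [ -n "$first" ] || return 2
    case "$first" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# ptr_answer_is_fqdn "LINE"
# The guide requires the reverse lookup to return a fully qualified name
# with a trailing dot, e.g. server.example.com. A bare "server." fails.
ptr_answer_is_fqdn() {
    name=$(printf '%s\n' "$1" | sed -n 's/.* domain name pointer //p' | head -n 1)
    case "$name" in
        *.*.) return 0 ;;
        *)    return 1 ;;
    esac
}

# forward_address "LINE": prints the address from a `host FQDN` answer so
# the result seen on the client can be compared with the one on the server.
forward_address() {
    printf '%s\n' "$1" | sed -n 's/.* has address //p' | head -n 1
}

# run_live_checks SERVER_FQDN SERVER_IP: the same checks against the real
# host output and /etc/hosts of this machine (not run automatically).
run_live_checks() {
    fqdn="$1"; ip="$2"
    if ptr_answer_is_fqdn "$(host "$ip")"; then echo "PTR ok"; else echo "PTR: not an FQDN with trailing dot"; fi
    if [ "$(forward_address "$(host "$fqdn")")" = "$ip" ]; then echo "A ok"; else echo "A: address mismatch"; fi
    if hosts_first_name_is_fqdn "$ip" < /etc/hosts; then echo "/etc/hosts ok"; else echo "/etc/hosts: first name not an FQDN, or entry missing"; fi
}
```

Run the forward and reverse comparisons on both the server and the affected client; a difference between the two machines' answers points at the resolver configuration of the client rather than at the records themselves.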
Troubleshooting Errors: Cannot find KDC for realm
If kinit authentication fails with an error that says Cannot find KDC for realm "EXAMPLE.COM" while getting initial credentials, it indicates that the KDC is not running on the server or that DNS is misconfigured on the client. In this situation, try these steps:
- If DNS discovery is enabled in the /etc/krb5.conf file (the dns_lookup_kdc = true setting), use the dig utility to check whether the following records are resolvable:

    $ dig -t TXT _kerberos.ipa.example.com
    $ dig -t SRV _kerberos._udp.ipa.example.com
    $ dig -t SRV _kerberos._tcp.ipa.example.com

  In the following example, one of the dig commands above failed with this output:

    ; <<>> DiG 9.11.0-P2-RedHat-9.11.0-6.P2.fc25 <<>> -t SRV _kerberos._tcp.ipa.server.example
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached

  The output indicated that the named service was not running on the master server.
- If DNS lookup fails, continue with the steps in Section A.6, "Troubleshooting DNS".
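The two branches of this procedure (DNS discovery on, KDCs hard-coded) and the three dig queries can be driven from a small script. The following is an added example, not part of the Red Hat guide: it reads the dns_lookup_kdc setting from a krb5.conf, lists the hard-coded kdc hosts that ipactl status should be run on, and classifies dig output into "unreachable" (the timeout shown above), "no-records", or "answered:N". The krb5.conf fragments and dig answers are constructed samples, and the function names are this example's own; run_live_checks issues the real queries for a given IdM domain.

```shell
#!/bin/sh
# Added example, not from the IdM guide: tell which KDC lookup path the
# client's /etc/krb5.conf selects, and classify a dig answer for the
# Kerberos SRV/TXT records without a live resolver. Sample inputs are
# constructed; function names are this example's own.

# Constructed krb5.conf fragments for the two cases the guide separates.
KRB5_CONF_DNS='[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_kdc = true'
KRB5_CONF_STATIC='[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_kdc = false
[realms]
  EXAMPLE.COM = {
    kdc = server.example.com:88
  }'

# Constructed dig outputs: a healthy SRV answer, and the timeout the guide shows.
DIG_OK=';; ANSWER SECTION:
_kerberos._tcp.ipa.example.com. 86400 IN SRV 0 100 88 server.ipa.example.com.
_kerberos._tcp.ipa.example.com. 86400 IN SRV 0 100 88 replica.ipa.example.com.'
DIG_TIMEOUT=';; connection timed out; no servers could be reached'

# kdc_lookup_mode < krb5.conf: prints "dns" when dns_lookup_kdc is true,
# "static" when it is false, "unset" when the directive is absent.
kdc_lookup_mode() {
    val=$(sed -n 's/^[[:space:]]*dns_lookup_kdc[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' | head -n 1)
    case "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" in
        true|yes|on)  echo dns ;;
        false|no|off) echo static ;;
        *)            echo unset ;;
    esac
}

# static_kdcs < krb5.conf: the kdc = hosts to check with ipactl status when
# discovery is off (one host per line, port suffix stripped).
static_kdcs() {
    sed -n 's/^[[:space:]]*kdc[[:space:]]*=[[:space:]]*\([^: ]*\).*/\1/p'
}

# kerberos_records DOMAIN: the three records the guide queries, as "TYPE NAME".
kerberos_records() {
    printf 'TXT _kerberos.%s\nSRV _kerberos._udp.%s\nSRV _kerberos._tcp.%s\n' "$1" "$1" "$1"
}

# answer_values < dig-output: the data field of every SRV or TXT answer
# (the target host for SRV, the realm string for TXT); comment lines skipped.
answer_values() {
    awk '/^;/ { next } $3 == "IN" && ($4 == "SRV" || $4 == "TXT") { print $NF }'
}

# classify_dig_output < dig-output: "unreachable" when no resolver answered
# (as when named is down), "no-records" for an empty answer, else "answered:N".
classify_dig_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'no servers could be reached'; then
        echo unreachable
        return 0
    fi
    n=$(printf '%s\n' "$out" | answer_values | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then echo no-records; else echo "answered:$n"; fi
}

# run_live_checks DOMAIN: issue the guide's dig queries for real (not run here).
run_live_checks() {
    kerberos_records "$1" | while read -r type name; do
        printf '%s %s: %s\n' "$type" "$name" "$(dig -t "$type" "$name" | classify_dig_output)"
    done
}
```

An "unreachable" result means the client never got an answer at all, which matches the named-not-running case above; "no-records" means a resolver answered but the IdM records are missing from the zone the client is querying, which is a different fault and is the one to take to Section A.6.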
Related Information
- See Section C.2, “Identity Management Log Files and Directories” for descriptions of various Identity Management log files.