Red Hat SummitQuesto contenuto non è disponibile nella lingua selezionata.
A.2. Investigating kinit Authentication Failures
General Troubleshooting
- On the IdM client, display the debug messages from the
kinitprocess:Copy to Clipboard Copied! Toggle word wrap Toggle overflow KRB5_TRACE=/dev/stdout kinit admin
$ KRB5_TRACE=/dev/stdout kinit admin - Verify that:
- The client forward record is correct both on the server and on the affected client:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow host client_fully_qualified_domain_name
# host client_fully_qualified_domain_name - The server forward record is correct both on the server and on the affected client:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow host server_fully_qualified_domain_name
# host server_fully_qualified_domain_nameCopy to Clipboard Copied! Toggle word wrap Toggle overflow host server_IP_address
# host server_IP_addressThe host server_IP_address command must return a fully qualified host name with a trailing dot at the end, such as:Copy to Clipboard Copied! Toggle word wrap Toggle overflow server.example.com.
server.example.com.
- Review the
/etc/hostsfile on the client, and make sure that:- All server entries in the file are correct
- In all server entries, the first name is a fully qualified domain name
See also the section called “The/etc/hostsFile”. - Make sure you meet the other conditions in Section 2.1.5, “Host Name and DNS Configuration”.
- On the IdM server, make sure that the
krb5kdcanddirsrvservices are running:Copy to Clipboard Copied! Toggle word wrap Toggle overflow systemctl status krb5kdc systemctl status dirsrv.target
# systemctl status krb5kdc # systemctl status dirsrv.target - Review the Kerberos key distribution center (KDC) log:
/var/log/krb5kdc.log. - If the KDCs are hard-coded in the
/etc/krb5.conffile (the file explicitly sets KDC directives and uses thedns_lookup_kdc = falsesetting), use the ipactl status command on each master server. Check the status of the IdM services on each server listed as KDC by the command:Copy to Clipboard Copied! Toggle word wrap Toggle overflow ipactl status
# ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING named Service: RUNNING httpd Service: RUNNING ipa-custodia Service: RUNNING ntpd Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: RUNNING ipa-dnskeysyncd Service: RUNNING ipa: INFO: The ipactl command was successful
Troubleshooting Errors Cannot find KDC for realm
If
kinit authentication fails with an error that says Cannot find KDC for realm "EXAMPLE.COM" while getting initial credentials, it indicates that KDC is not running on the server or that the client has misconfigured DNS. In this situation, try these steps:
- If the DNS discovery is enabled in the
/etc/krb5.conffile (thedns_lookup_kdc = truesetting), use thedigutility to check whether the following records are resolvable:Copy to Clipboard Copied! Toggle word wrap Toggle overflow dig -t TXT _kerberos.ipa.example.com dig -t SRV _kerberos._udp.ipa.example.com dig -t SRV _kerberos._tcp.ipa.example.com
$ dig -t TXT _kerberos.ipa.example.com $ dig -t SRV _kerberos._udp.ipa.example.com $ dig -t SRV _kerberos._tcp.ipa.example.comIn the following example, one of thedigcommands above failed with this output:Copy to Clipboard Copied! Toggle word wrap Toggle overflow ; <<>> DiG 9.11.0-P2-RedHat-9.11.0-6.P2.fc25 <<>> -t SRV _kerberos._tcp.ipa.server.example ;; global options: +cmd ;; connection timed out; no servers could be reached
; <<>> DiG 9.11.0-P2-RedHat-9.11.0-6.P2.fc25 <<>> -t SRV _kerberos._tcp.ipa.server.example ;; global options: +cmd ;; connection timed out; no servers could be reachedThe output indicated that thenamedservice was not running on the master server. - If DNS lookup fails, continue with the steps in Section A.6, “Troubleshooting DNS”.
Related Information
- See Section C.2, “Identity Management Log Files and Directories” for descriptions of various Identity Management log files.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}