[20165] in Kerberos_V5_Development
Intermittent DNS failures while sending TGS-REQ
daemon@ATHENA.MIT.EDU (Sri)
Fri Sep 11 09:28:34 2020
Date: Fri, 11 Sep 2020 13:25:42 +0000 (UTC)
From: Sri <bskmohan@yahoo.com>
To: "krbdev@mit.edu" <krbdev@mit.edu>
Message-ID: <1527820904.970328.1599830742497@mail.yahoo.com>
Hi,
I am trying to get a service ticket for a host-based service and validate it using a keytab. The issue is that this is working sometimes, and sometimes I am observing 'Cannot contact any realm 'test.domain.com' while executing the krb5_get_credentials() method. This error is not observed while sending AS-REQ. From the packet traces, I could see the AS-REQ/AS-REP without fail and the user getting authenticated. Can anyone please share some pointers to resolve the issue?
Here is the pseudo code I am using:
krb5_context k5Context;
krb5_init_context(&k5Context);
...
// get initial tkts (for AS-REQ/AS-REP)
krb5_get_init_creds_password(k5Context, ...); // <========== Always passes
...
// store the tkt in cache
krb5_cc_default()
krb5_cc_initialize()
krb5_cc_store_cred()
...
krb5_creds in_creds, out_creds;
memset(&in_creds, 0, sizeof(in_creds));
...
err = krb5_parse_name(k5Context, user, &user_princ); // user = "userone@test.domain.com"
err = krb5_parse_name(k5Context, spn, &server_princ); // spn = "HOST/test-host.test.domain.com@TEST.DOMAIN.COM"
in_creds.client = user_princ;
in_creds.server = server_princ;
// start TGS exchange
err = krb5_get_credentials(k5Context, KRB5_GC_NO_STORE, k5Cache, &in_creds, &out_creds); // <====== This is where I get the 'Cannot contact any realm' error and it fails out.
err = krb5_decode_ticket(&out_creds->ticket, &tkt);
err = krb5_kt_default(k5Context, &keytab);
err = krb5_kt_get_entry(k5Context, ..., &ktEntry);
err = krb5_decrypt_tkt_part(k5Context, &ktEntry.key, tkt);
My krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = TEST.DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
TEST.DOMAIN.COM = {
default_tkt_enctypes = arcfour-hmac des-cbc-md5
kdc = test.domain.com
admin_server = test.domain.com
}
[domain_realm]
test.domain.com = TEST.DOMAIN.COM
.test.domain.com = TEST.DOMAIN.COM
Thanks, eskay
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
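A small added example (not part of the original message, and not libkrb5 code) that shows what the realm part of a principal string becomes when it is parsed the way krb5_parse_name does it, and checks that realm case-sensitively against the default_realm from the posted krb5.conf. It assumes well-formed principals with at most one unescaped '@', which is what krb5_parse_name accepts; the two principal strings are taken from the message above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Return a pointer to the realm part of "name@REALM", i.e. whatever
 * follows the first unescaped '@' (a backslash escapes the next
 * character, so "\@" is a literal '@' inside the name). Returns NULL
 * when the principal carries no realm, in which case libkrb5 would
 * apply default_realm. Assumes a well-formed principal. */
const char *principal_realm(const char *princ)
{
    for (const char *p = princ; *p != '\0'; p++) {
        if (*p == '\\' && p[1] != '\0') {
            p++;                /* skip the escaped character */
            continue;
        }
        if (*p == '@')
            return p + 1;
    }
    return NULL;
}

/* Kerberos realm names are case-sensitive: "test.domain.com" and
 * "TEST.DOMAIN.COM" are different realms, and only the latter has a
 * kdc entry in the [realms] section of the posted krb5.conf. A realm
 * that is not configured forces a DNS-based realm/KDC lookup. */
bool realm_matches_config(const char *princ, const char *configured_realm)
{
    const char *realm = principal_realm(princ);
    if (realm == NULL)
        return true;            /* no explicit realm: default_realm applies */
    return strcmp(realm, configured_realm) == 0;
}

int main(void)
{
    const char *configured = "TEST.DOMAIN.COM";  /* default_realm in the posted krb5.conf */
    /* Constructed inputs: the two principals from the message plus a realm-less one. */
    const char *princs[] = {
        "userone@test.domain.com",
        "HOST/test-host.test.domain.com@TEST.DOMAIN.COM",
        "userone",
    };
    for (size_t i = 0; i < sizeof princs / sizeof princs[0]; i++) {
        const char *r = principal_realm(princs[i]);
        printf("%-48s realm=%-16s %s\n", princs[i], r ? r : "(default)",
               realm_matches_config(princs[i], configured)
                   ? "configured in [realms]" : "not configured: DNS lookup needed");
    }
    return 0;
}
```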