Kerberos kinit: Resource temporarily unavailable while getting initial credentials


Okay so it does work now. Things I did to fix it:

/etc/resolv.conf

     mycompany.com  127.0.0.1

/etc/hosts

     127.0.0.1       localhost.localdomain localhost
     192.168.96.140  sandbox.hortonworks.com sandbox ambari.hortonworks.com
     127.0.0.1     mycompany.com kerberos.mycompany.com

And, most embarrassing: I used kinit mycompany/admin for the principal user/[email protected] which is of course wrong.
The right call is of course kinit user/admin

Author by

Lincoln

Updated on June 27, 2022

Comments

  • Lincoln almost 2 years

    I am in the process of setting up Kerberos on a CentOS7 (more specifically: the Hortonworks HDP 2.3 sandbox) running in a VirtualBox VM. My problem is that kinit seems to be unable to reach my KDC. The answer is "Resource temporarily unavailable while getting initial credentials" if I add an address in my /etc/hosts file, and if I leave that file as is I get the message "could not contact any host for realm mycompany while getting initial credentials".
    The KDC is running (can find it with ps plus the service starts with an "okay" message), same for kadmin.

    As a guide for setting up Kerberos I followed these two guides:
    CentOS guide
    Guide 2

    My config files: krb5.conf

    [logging]
      default = FILE:/var/log/krb5libs.log/krb5libs.log
      kdc = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/kadmin.log
    
    [libdefaults]
      default_realm = MYCOMPANY.COM
      dns_lookup_realm = true
      dns_lookup_kdc = true
      ticket_lifetime = 24h
      renew_lifetime = 7d
      forwardable = true
    
    
    [realms]
      MYCOMPANY.COM = {
        kdc = kerberos.mycompany.com
        admin_server = kerberos.mycompany.com
      }
    
    [domain_realm]
      .mycompany.com = MYCOMPANY.COM
      mycompany.com = MYCOMPANY.COM
    

    kdc.conf

    [kdcdefaults]
      kdc_ports = 88
      kdc_tcp_ports = 88,750
    
    [realms]
      MYCOMPANY.COM = {
        #master_key_type = aes256-cts
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        dict_file = /usr/share/dict/words
        admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
        supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
      }
    

    kadm5.acl

    */[email protected] *
    

    /etc/hosts

    127.0.0.1       localhost.localdomain localhost
    192.168.96.140  sandbox.hortonworks.com sandbox ambari.hortonworks.com
    192.168.1.3     mycompany.com kerberos.mycompany.com
    

    I get the "Resource..." error if I have any address in the third line of the hosts file; if that line is missing I get the "could not contact..." error.

    I could trace the kinit command with something along the lines of krb5_trace or something (unfortunately I can't find the link I got it from any more nor remember the exact command) to the address specified in the hosts file, so kinit seems to contact the fitting address; it's just that the KDC does not listen there.
    Netstat shows that the KDC is listening on the ports specified in the kdc.conf.

    Any help would be appreciated.

  • Arjen P. De Vries over 6 years
    I think you should have used kinit user/[email protected], i.e., the realm is case sensitive.
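
Both the answer and the last comment come down to the principal handed to kinit not matching a realm that krb5.conf actually defines. The following is an added example, not code from the original posts: a small pre-flight check that parses a krb5.conf and classifies a principal's realm before any network troubleshooting starts. The function names and the sample principals are constructed for illustration; the embedded config mirrors the one posted in the question.

```python
import re

# Constructed sample mirroring the krb5.conf posted in the question.
KRB5_CONF = """\
[libdefaults]
  default_realm = MYCOMPANY.COM
  dns_lookup_kdc = true

[realms]
  MYCOMPANY.COM = {
    kdc = kerberos.mycompany.com
    admin_server = kerberos.mycompany.com
  }
"""

def parse_krb5(text):
    """Return (default_realm, {realm: [kdc hosts]}) from krb5.conf text."""
    section, realm, default, realms = None, None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment line
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, realm = m.group(1), None
        elif section == "libdefaults" and line.startswith("default_realm"):
            default = line.split("=", 1)[1].strip()
        elif section == "realms":
            if line.endswith("{"):           # "REALM = {" opens a realm block
                realm = line.split("=", 1)[0].strip()
                realms[realm] = []
            elif line == "}":
                realm = None
            elif realm and line.split("=", 1)[0].strip() == "kdc":
                realms[realm].append(line.split("=", 1)[1].strip())
    return default, realms

def check_principal(principal, conf_text=KRB5_CONF):
    """Classify a kinit principal against the configured realms."""
    default, realms = parse_krb5(conf_text)
    _name, _, realm = principal.partition("@")
    realm = realm or default                 # no "@REALM": default_realm applies
    if realm in realms:                      # realm names are case sensitive
        return ("ok", realm, realms[realm])
    for known in realms:
        if known.lower() == realm.lower():
            return ("case-mismatch", known, realms[known])
    return ("unknown-realm", realm, [])
```

A result of "case-mismatch" or "unknown-realm" means the principal should be corrected first; only an "ok" result makes the returned KDC host names the next thing to verify in /etc/hosts or DNS.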