AIX 5.3: kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials - Kerberos


  1. AIX 5.3: kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials

    Hi list,

    kinit (krb5 1.4.2) on an AIX 5.3 gives me
    # /usr/local/bin/kinit -k -t foobar.keytab
    foobar/foo.example.net@EXAMPLE.NET
    kinit(v5): Cannot resolve network address for KDC in requested realm
    while getting initial credentials

    From a working Linux krb5 1.4.2 installation I copied /etc/krb5.conf
    and foobar.keytab to AIX 5.3. The following steps don't differ from the
    steps I did under Linux.

    # ./configure --without-krb4 --enable-shared
    # make && make install

    Using gcc 3.3.2.
    I found a patch for krb5 1.4.1 for AIX 5.2 from Ken Raeburn, but as far
    as I see it is fixed in 1.4.2.

    My krb5.conf looks like this:
    [libdefaults]
    default_realm = EXAMPLE.NET
    clockskew = 300

    [realms]
    EXAMPLE.NET = {
    kdc = foo.example.net:88
    admin_server = foo.example.net:749
    default_domain = example.net
    kpasswd_server = foo.example.net
    }

    [domain_realm]
    .example.net = EXAMPLE.NET
    example.net = EXAMPLE.NET

    [logging]
    default = SYSLOG:NOTICE:DAEMON
    kdc = FILE:/var/log/kdc.log
    kadmind = FILE:/var/log/kadmind.log

    [appdefaults]
    pam = {
    ticket_lifetime = 1d
    renew_lifetime = 1d
    forwardable = true
    proxiable = false
    retain_after_close = false
    minimum_uid = 0
    debug = false
    }

    Trying to analyze with tcpdump, I see DNS queries for A, AAAA, and AAAA
    with my domain name doubled - and then again from the beginning.
    The A record is answered correctly, AAAA can't be (no IPv6).

    13:00:09.595177 10.20.30.56.41629 > bar.example.net.domain: [udp sum ok]
    65423+ A? foo.example.net. (34) (ttl 30, id 30399, len 62)
    13:00:09.595729 bar.example.net.domain > 10.20.30.56.41629: [udp sum ok]
    65423* q: A? foo.example.net. 1/2/2 foo.example.net. A foo.example.net
    ns: example.net. NS bar.example.net., example.net. NS bar2.example.net.
    ar: bar.example.net. A bar.example.net, bar2.example.net. A
    bar2.example.net (128) (ttl 30, id 35101, len 156)
    13:00:09.597500 10.20.30.56.41630 > bar.example.net.domain: [udp sum ok]
    65424+ AAAA? foo.example.net. (34) (ttl 30, id 30400, len 62)
    13:00:09.597886 bar.example.net.domain > 10.20.30.56.41630: [udp sum ok]
    65424* q: AAAA? foo.example.net. 0/1/0 ns: example.net. SOA
    bar.example.net. tux.example.net. 2005110800 14400 600 259200 86400 (87)
    (ttl 30, id 35102, len 115)
    13:00:09.597928 10.20.30.56.41630 > bar.example.net.domain: [udp sum ok]
    65425+ AAAA? foo.example.net.example.net. (42) (ttl 30, id 30401, len 70)
    13:00:09.598273 bar.example.net.domain > 10.20.30.56.41630: [udp sum ok]
    65425 NXDomain* q: AAAA? foo.example.net.example.net. 0/1/0 ns:
    example.net. SOA bar.example.net. tux.example.net. 2005110800 14400 600
    259200 86400 (95) (ttl 30, id 35103, len 123)
    13:00:09.600003 10.20.30.56.41631 > bar.example.net.domain: [udp sum ok]
    65426+ A? foo.example.net. (34) (ttl 30, id 30402, len 62)
    13:00:09.600473 bar.example.net.domain > 10.20.30.56.41631: [udp sum ok]
    65426* q: A? foo.example.net. 1/2/2 foo.example.net. A foo.example.net
    ns: example.net. NS bar2.example.net., example.net. NS bar.example.net.
    ar: bar.example.net. A bar.example.net, bar2.example.net. A
    bar2.example.net (128) (ttl 30, id 35104, len 156)
    13:00:09.602076 10.20.30.56.41632 > bar.example.net.domain: [udp sum ok]
    65427+ AAAA? foo.example.net. (34) (ttl 30, id 30403, len 62)
    13:00:09.602478 bar.example.net.domain > 10.20.30.56.41632: [udp sum ok]
    65427* q: AAAA? foo.example.net. 0/1/0 ns: example.net. SOA
    bar.example.net. tux.example.net. 2005110800 14400 600 259200 86400 (87)
    (ttl 30, id 35105, len 115)
    13:00:09.602520 10.20.30.56.41632 > bar.example.net.domain: [udp sum ok]
    65428+ AAAA? foo.example.net.example.net. (42) (ttl 30, id 30404, len 70)
    13:00:09.602894 bar.example.net.domain > 10.20.30.56.41632: [udp sum ok]
    65428 NXDomain* q: AAAA? foo.example.net.example.net. 0/1/0 ns:
    example.net. SOA bar.example.net. tux.example.net. 2005110800 14400 600
    259200 86400 (95) (ttl 30, id 35106, len 123)

    Up to here, Linux contacts my KDC, AIX 5.3 does not. "Cannot resolve network
    address for KDC..."

    Did I miss something?

    cheers,
    Christoph

  2. Re: AIX 5.3: kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials

    Christoph Weizen wrote:

    > kinit (krb5 1.4.2) on an AIX 5.3 gives me
    > # /usr/local/bin/kinit -k -t foobar.keytab
    > foobar/foo.example.net@EXAMPLE.NET
    > kinit(v5): Cannot resolve network address for KDC in requested realm
    > while getting initial credentials
    >
    > From a working Linux krb5 1.4.2 installation I copied /etc/krb5.conf
    > and foobar.keytab to AIX 5.3. The following steps don't differ from the
    > steps I did under Linux.
    >
    > # ./configure --without-krb4 --enable-shared
    > # make && make install
    >
    > Using gcc 3.3.2.
    > I found a patch for krb5 1.4.1 for AIX 5.2 from Ken Raeburn, but as far
    > as I see it is fixed in 1.4.2.


    I don't know what's in that patch. Does it look like you
    already have applied something like this?

    Donn Cave, donn@u.washington.edu
    -----------------------------------
    *** include/fake-addrinfo.h.dist Wed Jun 1 12:24:32 2005
    --- include/fake-addrinfo.h Fri Aug 12 09:10:48 2005
    ***************
    *** 1193,1199 ****
    a known service name for tcp or udp (as appropriate), an error
    code (for "host not found") is returned. If the port maps to a
    known service for both udp and tcp, all is well. */
    ! if (serv && serv[0] && isdigit(serv[0])) {
    unsigned long lport;
    char *end;
    lport = strtoul(serv, &end, 10);
    --- 1193,1208 ----
    a known service name for tcp or udp (as appropriate), an error
    code (for "host not found") is returned. If the port maps to a
    known service for both udp and tcp, all is well. */
    ! /*
    ! **
    ! ** However, where AI_NUNERICSERV is defined (AIX 5) and was
    specified,
    ! ** this is unneeded and and broken - "discard" is not numeric.
    ! */
    ! if (serv && serv[0]
    ! #ifdef AI_NUMERICSERV
    ! && !(hint->ai_flags & AI_NUMERICSERV)
    ! #endif
    ! && isdigit(serv[0])) {
    unsigned long lport;
    char *end;
    lport = strtoul(serv, &end, 10);
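
    Review bot: the added test `&& !(hint->ai_flags & AI_NUMERICSERV)` dereferences `hint` with no NULL check visible in this hunk; if this wrapper can be called with NULL hints, as getaddrinfo() itself permits, the condition should read `(!hint || !(hint->ai_flags & AI_NUMERICSERV))`. The new comment spells the flag AI_NUNERICSERV and repeats "and and", so a grep for AI_NUMERICSERV will miss the explanation; both should be corrected. Separately, `isdigit(serv[0])` is passed a plain char in both the old and new condition; casting to unsigned char avoids undefined behaviour for negative values.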

  3. Re: AIX 5.3: kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials

    Donn Cave wrote:
    > I don't know what's in that patch. Does it look like you
    > already have applied something like this?


    No, I haven't already applied something like this.
    But now, I did - and it works (great). - Thanks a lot!

    Maybe it should be implemented in further versions? I can't see similar
    code in 1.4.3beta2.

    cheers,
    Christoph
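
The failure mode named in the patch comment, as an added example (not code from this thread or from krb5): with AI_NUMERICSERV set, a numeric port string resolves while the service name "discard" is rejected. The helper `probe` and the loopback address 127.0.0.1 are assumptions, chosen so the check runs without DNS.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* expose getaddrinfo and AI_NUMERICSERV */
#endif
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

/* Hypothetical helper: resolve host:serv for UDP with AI_NUMERICHOST (no DNS)
 * plus extra_flags. Returns the getaddrinfo() result code; on success *port
 * holds the resolved port, otherwise -1. */
static int probe(const char *host, const char *serv, int extra_flags, int *port)
{
    struct addrinfo hints, *res = NULL;
    int rc;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_DGRAM;
    hints.ai_flags = AI_NUMERICHOST | extra_flags;

    *port = -1;
    rc = getaddrinfo(host, serv, &hints, &res);
    if (rc == 0 && res != NULL) {
        *port = ntohs(((struct sockaddr_in *)res->ai_addr)->sin_port);
        freeaddrinfo(res);
    }
    return rc;
}

int main(void)
{
    int port, rc;

    /* Numeric port, as in "kdc = foo.example.net:88" from the krb5.conf above. */
    rc = probe("127.0.0.1", "88", AI_NUMERICSERV, &port);
    printf("serv=\"88\"      AI_NUMERICSERV: rc=%d port=%d\n", rc, port);

    /* The service name the patch comment mentions, with the same flag set. */
    rc = probe("127.0.0.1", "discard", AI_NUMERICSERV, &port);
    printf("serv=\"discard\" AI_NUMERICSERV: rc=%d (%s)\n", rc,
           rc ? gai_strerror(rc) : "ok");
    return 0;
}
```

Running this on the affected host shows whether the system resolver itself handles numeric ports, which separates a platform problem from a problem in the library's wrapper.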
