
Kerberos authentication from MacOS Monterey to access Hadoop Web UI post cluster Kerberization

Contributor

Hi Team,

I want to set up a Kerberos client on my Mac laptop running macOS Monterey (version 12.6.5). I have put the krb5.conf file at the paths below.
/etc/krb5.conf
/Library/Preferences/edu.mit.kerberos

But when I try to run kinit, I get the error below.
--
kinit -kt /Users/banshidhar_sahoo/Desktop/POC_KEYTAB/test.headless.keytab test@EXAMPLE.COM
kinit: krb5_get_init_creds: unable to reach any KDC in realm EXAMPLE.COM, tried 0 KDCs
--

I have also set the environment variable as below:
KRB5_CONFIG=/etc/krb5.conf

But I am still getting the same error when running kinit.

Can you please suggest how to point to krb5.conf so that it can reach the correct KDC server?

Regards,
Banshi.

1 ACCEPTED SOLUTION

Contributor

Hi @steven-matison

The issue got fixed after making the two changes below in the /etc/krb5.conf file.

1. The issue was an include line in my /etc/krb5.conf file which was not valid.

Removed the line below from /etc/krb5.conf:
"includedir /etc/krb5.conf.d/"

2. On macOS the default client does not fall back to TCP. In krb5.conf, prefix the kdc value with tcp/ to force the client to use TCP if your corporate network blocks UDP:
kdc = tcp/kdc.example.com:88

Regards,

Banshi.

3 REPLIES


@banshidhar_saho I am assuming you are not using @EXAMPLE.COM. Have you confirmed that your client (macOS) has network and DNS connectivity with the KDC host?


There are a few things you must do to configure it properly:

  • Ensure the Kerberos client libraries are installed on that host.
  • Your on-prem krb5.conf file must be copied to the client host.
    • The sections [realms] and [domain_realm] are especially important to solve your issue.
  • Ensure that the hostname of your KDC can be resolved from the client (you can test it with nslookup and/or ping). This must work correctly for Kerberos to work. If there's no integrated DNS you will have to add entries to your /etc/hosts file to ensure the resolution is correct.
  • Ensure that any firewalls are configured correctly to open ports between your application and your on-prem environment:
    • Open all the ports required for the client to communicate with the KDC (typically, ports 88 UDP and 88 TCP)
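As an added example (it is not from this thread, from Cloudera or from any Kerberos distribution), the following Python script checks a krb5.conf for the two problems fixed in the accepted solution above (an include path that does not exist, and kdc entries without the tcp/ transport prefix, which is Heimdal krb5.conf syntax; macOS ships a Heimdal-based Kerberos) and, when run online, also verifies that each KDC hostname resolves, as the checklist above asks. The embedded sample krb5.conf, the realm EXAMPLE.COM and the kdc hostnames are constructed placeholders, and the parser only handles the subset of krb5.conf syntax shown.

```python
import os
import re
import socket
import sys

# Constructed sample krb5.conf, modelled on the two problems in this thread: an
# includedir that may not exist on the Mac, and a kdc line without the tcp/ prefix.
# Realm and hostnames are placeholders.
SAMPLE_KRB5_CONF = """\
includedir /etc/krb5.conf.d/
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com:88
        kdc = tcp/kdc2.example.com:88
    }
[domain_realm]
    .example.com = EXAMPLE.COM
"""

# Heimdal kdc syntax: optional tcp/ udp/ http/ prefix, host or [ipv6], optional :port.
KDC_RE = re.compile(r"^(?:(?P<transport>tcp|udp|http)/)?(?P<host>\[[^\]]+\]|[^:/]+)(?::(?P<port>\d+))?$")


def parse_krb5_conf(text):
    """Minimal parser: include directives, [sections] and one level of NAME = { } blocks.
    Every key maps to a list so repeated keys such as kdc are all kept."""
    conf = {"includes": [], "sections": {}}
    section = block = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        words = line.split(None, 1)
        if words[0] in ("include", "includedir") and len(words) == 2 and block is None:
            conf["includes"].append((words[0], words[1]))
        elif line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf["sections"].setdefault(section, {})
        elif section is None:
            continue  # text before the first section header
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = key
                conf["sections"][section].setdefault(key, {})
            else:
                target = conf["sections"][section][block] if block else conf["sections"][section]
                target.setdefault(key, []).append(value)
    return conf


def parse_kdc(value):
    """(transport, host, port): transport is 'default' without a prefix, port defaults to 88."""
    m = KDC_RE.match(value.strip())
    if not m:
        raise ValueError(f"cannot parse kdc entry: {value!r}")
    return (m.group("transport") or "default", m.group("host"), int(m.group("port") or 88))


def resolve_host(host):
    """Online resolver: raises OSError (socket.gaierror) when DNS cannot resolve host."""
    socket.getaddrinfo(host.strip("[]"), 88)


def check_config(conf, realm, path_exists=os.path.exists, resolver=None):
    """Findings for one realm; path_exists and resolver are injectable so checks run offline."""
    findings = []
    for directive, path in conf["includes"]:
        if not path_exists(path):
            findings.append(f"{directive} {path}: path does not exist, remove or fix it")
    block = conf["sections"].get("realms", {}).get(realm)
    if not block:
        findings.append(f"[realms] has no entry for {realm}")
        return findings
    kdcs = block.get("kdc", [])
    if not kdcs:
        findings.append(f"[realms] entry for {realm} lists no kdc")
    for entry in kdcs:
        transport, host, port = parse_kdc(entry)
        if transport == "default":
            findings.append(f"kdc {host}:{port} has no transport prefix; use tcp/{host}:{port} if UDP/88 is blocked")
        if resolver is not None:
            try:
                resolver(host)
            except OSError as exc:
                findings.append(f"kdc host {host} does not resolve: {exc}")
    mapped = {r for values in conf["sections"].get("domain_realm", {}).values() for r in values}
    if realm not in mapped:
        findings.append(f"[domain_realm] maps no domain to {realm}")
    return findings


if __name__ == "__main__":
    # Usage: python krb5check.py /etc/krb5.conf test@EXAMPLE.COM
    # With no arguments the constructed sample is checked offline.
    online = len(sys.argv) > 1
    text = open(sys.argv[1]).read() if online else SAMPLE_KRB5_CONF
    realm = sys.argv[2].rsplit("@", 1)[-1] if len(sys.argv) > 2 else "EXAMPLE.COM"
    for finding in check_config(parse_krb5_conf(text), realm, resolver=resolve_host if online else None) or ["no findings"]:
        print("-", finding)
```

Run it against the file that KRB5_CONFIG points to (or /etc/krb5.conf) with the principal from the kinit command; a non-existent include path or a KDC hostname that does not resolve shows up as a finding before kinit is attempted.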

Contributor

Hi @steven-matison, you are right. I replaced the actual REALM with EXAMPLE.COM while posting.


I have checked connectivity using the "nc -zv" and "ping" commands. Connectivity is fine.

====

nc -zv <kdc_server_VIP> <KDC_Port>
Connection to xxxxxxxx port xxxxxx [tcp/sqlexec] succeeded!

====

--- <kdc_server_VIP> ping statistics ---
13 packets transmitted, 12 packets received, 7.7% packet loss

====

"kinit: krb5_get_init_creds: unable to reach any KDC in realm EXAMPLE.COM, tried 0 KDCs"

Looking at the above error, I feel it's not able to locate the krb5.conf file.


When we run the kinit command, does it look in the /etc directory for the krb5.conf file, or in some other location on a Mac machine?

Regards,

Banshi.
