# Heimdal KDC Setup

## Longfellow (Apr 30, 2015)

Hi forum,

I am trying to do an exercise setting up Heimdal KDC in a FreeBSD jail.
I am following the guide at https://www.freebsd.org/doc/en/books/handbook/kerberos5.html
with minor changes (modern rc.conf names, principal names).

It fails when I do kinit:

```
kinit: krb5_get_init_creds: unable to reach any KDC in realm BOOGA.LOCAL
```

Any idea why it fails? I cannot figure it out.

Here is a transcript:

```
root@kdc1:/ # uname -a
FreeBSD kdc1.booga.local 10.1-RELEASE-p9 FreeBSD 10.1-RELEASE-p9 #0: Tue Apr  7 01:09:46 UTC 2015     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
root@kdc1:/ #
root@kdc1:/ # cat /etc/rc.conf
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
kdc_enable="YES"
kadmind_enable="YES"

root@kdc1:/ # cat /etc/krb5.conf
[libdefaults]
 default_realm = BOOGA.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 BOOGA.LOCAL = {
  kdc = kdc1.booga.local
  admin_server = kdc1.booga.local
 }

[domain_realm]
 .booga.local = BOOGA.LOCAL
 booga.local = BOOGA.LOCAL

root@kdc1:/ # kstash
Master key:
Verifying - Master key:
kstash: writing key to `/var/heimdal/m-key'
root@kdc1:/ # kadmin -l
kadmin> init BOOGA.LOCAL
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
kadmin> add hoplite
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
hoplite@BOOGA.LOCAL's Password:
Verifying - hoplite@BOOGA.LOCAL's Password:
kadmin> ^Droot@kdc1:/ #
root@kdc1:/ #
root@kdc1:/ # service kdc start
Starting kdc.
root@kdc1:/ # service kadmind start
Starting kadmind.
root@kdc1:/ # kinit hoplite
hoplite@BOOGA.LOCAL's Password:
kinit: krb5_get_init_creds: unable to reach any KDC in realm BOOGA.LOCAL
root@kdc1:/ #


root@kdc1:/ # ping kdc1.booga.local
PING kdc1.booga.local (10.0.0.5): 56 data bytes
64 bytes from 10.0.0.5: icmp_seq=0 ttl=64 time=0.053 ms
64 bytes from 10.0.0.5: icmp_seq=1 ttl=64 time=0.152 ms
64 bytes from 10.0.0.5: icmp_seq=2 ttl=64 time=0.073 ms
^C
--- kdc1.booga.local ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.053/0.093/0.152/0.043 ms
root@kdc1:/ # ping booga.local
PING kdc1.booga.local (10.0.0.5): 56 data bytes
64 bytes from 10.0.0.5: icmp_seq=0 ttl=64 time=0.051 ms
^C
--- kdc1.booga.local ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.051/0.051/0.051/0.000 ms

root@kdc1:/ # getent hosts kdc1.booga.local
10.0.0.5    kdc1.booga.local  booga.local
root@kdc1:/ #
root@kdc1:/ # sockstat -l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS       FOREIGN ADDRESS
root     kadmind    49499 4  tcp4   10.0.0.5:749        *:*
root     kdc        49492 3  udp4   10.0.0.5:88         *:*
root     kdc        49492 4  tcp4   10.0.0.5:88         *:*
root     sendmail   49406 3  tcp4   10.0.0.5:25         *:*
root     syslogd    49323 4  dgram  /var/run/log
root     syslogd    49323 5  dgram  /var/run/logpriv
root     syslogd    49323 6  udp4   10.0.0.5:514        *:*
root@kdc1:/ #
```

----------

## SirDice (Apr 30, 2015)

Make sure the hostname of the machine is fully qualified and in the booga.local domain. No experience with this specific KDC but I've been configuring a bunch of Linux machines to authenticate with AD. This uses Kerberos and the errors are similar. Ideally you shouldn't need the [realms] section, as long as you have the correct DNS entries it'll find the KDC automatically. But the biggest hurdle I came across was hostnames that weren't fully qualified. It seems kinit uses the full hostname to determine which entry from the [domain_realm] to use. If the host is in a different domain (or no domain at all) you get the error it cannot find the KDC.
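The two lookups SirDice describes (hostname to realm through `[domain_realm]`, then realm to KDC through `[realms]`) can be reproduced offline against a copy of krb5.conf. The script below is an added example, not code from the thread or from Heimdal; it mimics Heimdal's suffix walk (full hostname first, then `.booga.local`, then `.local`, then `default_realm`) using only the config file, so it says nothing about the DNS path that `dns_lookup_kdc = true` would add. The embedded config is constructed for the demonstration and mirrors the poster's file with one extra realm so the suffix walk has something to distinguish; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from Heimdal): reproduce, offline, the
# two lookups that decide whether kinit can find a KDC from krb5.conf alone:
#   1. host  -> realm via [domain_realm]: exact entry, then each dotted suffix,
#      then default_realm (this is the order Heimdal's config lookup uses), and
#   2. realm -> kdc via [realms].

# Write a constructed krb5.conf to a temp file and print its path.
make_sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
[libdefaults]
 default_realm = BOOGA.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 BOOGA.LOCAL = {
  kdc = kdc1.booga.local
  admin_server = kdc1.booga.local
 }
 EXAMPLE.ORG = {
  kdc = kdc.example.org
 }

[domain_realm]
 .booga.local = BOOGA.LOCAL
 booga.local = BOOGA.LOCAL
 .example.org = EXAMPLE.ORG
EOF
    echo "$f"
}

# Print the value of KEY inside [SECTION], or nothing if it is absent.
conf_get() {  # conf section key
    awk -v sec="[$2]" -v key="$3" '
        /^\[/ { insec = ($0 == sec); next }
        insec && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# Walk the hostname the way Heimdal does: exact entry, then ".booga.local",
# then ".local", ...; fall back to default_realm when nothing matches.
# A bare hostname has no suffixes to try, so it lands on default_realm directly.
realm_for_host() {  # conf host
    conf=$1; d=$2
    r=$(conf_get "$conf" domain_realm "$d")
    [ -n "$r" ] && { echo "$r"; return 0; }
    while [ "$d" != "${d#*.}" ]; do
        d=${d#*.}
        r=$(conf_get "$conf" domain_realm ".$d")
        [ -n "$r" ] && { echo "$r"; return 0; }
    done
    conf_get "$conf" libdefaults default_realm
}

# Print every "kdc =" entry listed for REALM inside the [realms] section.
kdc_for_realm() {  # conf realm
    awk -v realm="$2" '
        /^\[/ { insec = ($0 == "[realms]"); next }
        insec && $1 == realm && $2 == "=" && $3 == "{" { inrealm = 1; next }
        inrealm && $1 == "}" { inrealm = 0 }
        inrealm && $1 == "kdc" && $2 == "=" { print $3 }
    ' "$1"
}

# Exit 0 if NAME contains a dot (is qualified), 1 otherwise.
is_fqdn() {
    case $1 in *.*) return 0 ;; *) return 1 ;; esac
}

# Print a short report for HOST against CONF: the realm it maps to and the
# KDC(s) configured for that realm.
diagnose() {  # conf host
    conf=$1; host=$2
    if is_fqdn "$host"; then
        echo "hostname $host is fully qualified"
    else
        echo "WARNING: $host is not fully qualified; [domain_realm] cannot match it"
    fi
    realm=$(realm_for_host "$conf" "$host")
    echo "realm for $host: $realm"
    kdcs=$(kdc_for_realm "$conf" "$realm")
    if [ -n "$kdcs" ]; then
        echo "kdc(s) for $realm: $kdcs"
    else
        echo "no kdc entry for $realm; with dns_lookup_kdc = false there is nowhere to send the AS-REQ"
    fi
}

# Usage: sh kdc_lookup.sh /etc/krb5.conf $(hostname)
#   or:  sh kdc_lookup.sh "" kdc1.booga.local   (empty conf path uses the sample)
if [ $# -gt 0 ]; then
    CONF=${1:-$(make_sample_conf)}
    diagnose "$CONF" "${2:-$(hostname)}"
fi
```

Run it with the real `/etc/krb5.conf` and the output of `hostname` to see the mapping kinit will compute before it ever touches the network; a bare hostname or a missing `kdc =` line shows up here immediately, whereas the live `kinit` only reports the generic "unable to reach any KDC".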

----------

## Longfellow (May 2, 2015)

Well, I added a new jail to the experiment called "client" with SSH, PAM, etc., set to allow users to log in using Kerberos. Configuring unbound to do DNS for BOOGA.LOCAL helped make the setup work. It seems /etc/hosts isn't enough. Strangely, kinit still doesn't work inside the KDC jail, while it does in the client jail. kinit waits a minute or so, then times out. It's not really an issue, I guess, since I wouldn't want people logging into the KDC anyway, but I am puzzled by the behavior.

----------