This article is to describe the steps and data to collect when a join command fails or gets an error. Error: KRB5_KDC_UNREACH (-1765328228): Cannot contact any KDC for requested realm.
Cannot successfully join the domain in an environment with limited DNS, such as a DMZ or Perimeter network, due to firewalls, proxies, or other forms of network traffic/port filtering. As a result, vastool cannot perform a join as it is unable to locate the proper domain controllers.
1. Run the preflight command which checks to determine if the host is ready to run the QAS client:
The minimum QAS requires to perform a join is the allowance of connections to following TCP ports, on the Active Directory Server (these can be tunneled or port redirected, if need be):
88 - Kerberos
389 - LDAP
464 - Kerberos "kpasswd"
Error: KRB5_KDC_UNREACH (-1765328228): Cannot contact any KDC for requested realm.
From the client, test name resolution for a particular domain controller and port communication with the telnet command to the domain controllers.
QAS requires name resolution information to locate the domain controllers. Domain controllers can be manually added to the host by including an entry in the /etc/hosts file for each domain controller, similar to the following:
192.168.0.45 dc01.example.com dc01 example.com
Telnet dc01.example.com 88
Telnet dc02.example.com 88
Telnet dc01.example.com 389
Telnet dc02.example.com 389
2. Delete /tmp/krbcc_0 and then try to rejoin
3. To determine the problem turn on debugging with vastool, while attempting to join the domain, as follows:
/opt/quest/bin/vastool -d5 -u
Attach a copy the the /tmp/vastooljoin_debug to the Service Request for analysis.
4. Try specifying domain controllers (DCs) to talk to on the join line to see if it is an issue with one of the DCs.
Please read the preflight man page for additional commands that can be done: https://support.quest.com/Search/SolutionDetail.aspx?id=SOL87782
QAS uses DNS calls to first resolve a domain name to a list of servers, picks a server, and second uses the machine's resolver to turn the server name into a IP address. The first resolving is skipped if specific servers are specified during join time, which are stored as vas.conf entry
<method> = <DC FQDN>:<Port> [...]
QAS can also do the second resolving using /etc/hosts entries, if /etc/nsswitch.conf is set to do so, and the entries are in /etc/hosts.
QAS must be able to resolve both domain to server(s), and server FQDN to IP to be able to work.
© 2021 One Identity LLC. ALL RIGHTS RESERVED. Feedback Conditions d’utilisation Confidentialité