The example given is with the debug switch (-d5) enabled, which provides more detailed error information. Lines beginning with # are what you would see if you did not use debug.
/opt/vas/bin/vastool -d5 -u <adminuser> join example.com
libvascache_ipc_send_str_rply: ipc_connect failed, err = 2
#Configuring Kerberos Realm example.com ... OK
libvascache_ipc_send_str_rply: ipc_connect failed, err = 2
#Detecting Site Membership ... ERROR: Failed, no servers responded.
#Please ensure that LDAP UDP traffic over port 389
#is possible for Site detection to succeed.
#Also, ensure that your DNS configuration has been
#properly configured for use with Active Directory.
#You can manually configure the Site membership by using
#the -s option for vastool join to specify an Active
#Directory Site to use.
libvascache_ipc_send_str_rply: ipc_connect failed, err = 2
libvas_servers_load_cache: Could not lookup site info, err = 2
libvas_servers_load_cache: loading server lists from site and non-site servers
libvas_servers_load_cache: no servers in the cache
libvas_servers_init: loading VAS server lists from DNS for EXAMPLE.COM
internal_ticket_get: There's nothing to authenticate with
#Password for <adminuser>@example.com:
#Could not authenticate as <adminuser>@example.com, error = Cannot contact any KDC for requested realm.
Authentication Services relies on DNS (Domain Naming Service) to locate the Key Distribution Center (KDC), which in AD is a domain controller. If DNS is not properly configured for your domain, the join will fail.
To test name resolution for a particular domain controller, on the host, you can use the dig or nslookup commands, depending on what is installed.
dig dc01.example.com
or
nslookup dc01.example.com
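The following pre-check is an added example, not part of the original article or of the product. It goes beyond testing a single host name: it assumes Active Directory publishes its KDC and LDAP servers as DNS SRV records (_kerberos._tcp.<domain> and _ldap._tcp.<domain>) and verifies that every server those records name also resolves to an address. The function names and the sample data are hypothetical.

```shell
#!/bin/sh
# Added example: DNS pre-check to run before "vastool join".
# Assumption (not stated on the page): AD publishes KDC and LDAP servers as
# SRV records under _kerberos._tcp.<domain> and _ldap._tcp.<domain>.

# Constructed sample of "dig +short SRV" output: priority weight port target.
SAMPLE_SRV='0 100 88 dc01.example.com.
0 100 88 dc02.example.com.'

# Read "dig +short SRV" output on stdin and print "target port" per record.
# Lines that are not 4-field SRV answers (e.g. ";; connection timed out") are dropped.
srv_targets() {
    awk 'NF == 4 && $3 ~ /^[0-9]+$/ { sub(/\.$/, "", $4); print $4, $3 }'
}

# Return 0 if the name resolves through the host's resolver order,
# which includes /etc/hosts as well as DNS.
resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# check_domain DOMAIN: print one status line per discovered server.
# Returns non-zero if an SRV lookup is empty or a target has no address.
check_domain() {
    domain=$1
    rc=0
    for svc in _kerberos._tcp _ldap._tcp; do
        targets=$(dig +short SRV "$svc.$domain" 2>/dev/null | srv_targets)
        if [ -z "$targets" ]; then
            echo "FAIL  $svc.$domain: no SRV records returned"
            rc=1
            continue
        fi
        while read -r host port; do
            if resolves "$host"; then
                echo "OK    $svc.$domain -> $host:$port"
            else
                echo "FAIL  $svc.$domain -> $host:$port (target does not resolve)"
                rc=1
            fi
        done <<EOF
$targets
EOF
    done
    return $rc
}

# Usage, after sourcing this file:  check_domain example.com
```

A FAIL on the SRV lookup corresponds to the "no servers responded" and "Cannot contact any KDC" errors shown above; a FAIL on a target means the record exists but the domain controller's own name does not resolve.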
The name resolution information VAS requires to locate the domain controllers can be manually added to the host by including an entry in the /etc/hosts file for each domain controller, similar to the following:
192.168.0.45 dc01.example.com dc01 example.com
Ideally you would want to correct the name resolution problem directly on the DNS server.
After you have corrected your DNS issues, try the join once again.
/opt/vas/bin/vastool -u <adminuser> join example.com