-
Title
Authentication against service principal host/ failed (KDC Unreachable) -
Description
# /opt/quest/bin/vastool -u host/ auth -S host/
ERROR: Could not authenticate as host/.
VAS_ERR_KRB5: Failed to obtain credentials. Keytab: /etc/opt/quest/vas/host.keytab
Caused by:
KRB5_KDC_UNREACH (-1765328228): Cannot contact any KDC for requested realm -
Cause
There are many possible causes: DNS, SRV records, Network, Routing, Firewalls, Incorrect names, etc.
Running the command with more debug ( -d5 ) is the first step to determining where its failing.
Configuration of iptables was the culprit in this specific case. -
Resolution
Flushed the iptables, which reopened port 88 for Kerberos transactions. vastool -u host/ auth -S host/ then worked fine.
-
Additional Information
Please peform DNS troubleshooting:
Did you create a SRV record for the Unix machine in your DNS?
Can you ping the unix client from DC?
Can you ping the DC from the Unix machine?
Can you ping the domain?
nslookup _ldap._tcp.<domain>
nslookup _ldap._tcp.dc._msdcs.<domain>
nslookup <DC FQDN>If you are still having problem, open up a case with Tech support and send the resultant data of the following commands done from the client:
1. /opt/quest/bin/preflight <your domain.com> 2>&1 | tee /tmp/preflight
2. /opt/quest/libexec/vas/scripts/vas_snapshot.sh
It will create vas_snapshot.(machine-name).tar.gz file in your /tmp directory. Please send me the vas_snapshot.(machine-name).tar.gz file.