The following error is reported when Safeguard Authentication Services (SAS) attempts to contact a domain controller.
+++++++++++++
KRB5_KDC_UNREACH (-1765328228): Cannot contact any KDC for requested realm
Reason: unable to reach any KDC in realm COMPANY.COM
+++++++++++++
This error occurs when SAS is unable to communicate with a domain controller or if there is a problem with the User Principal Name suffix.
Domain Controller:
Run the vastool info servers command and try to ping the domain controllers listed to ensure that the network is properly configured and that SAS can find a domain controller to use for communication with Active Directory.
# /opt/quest/bin/vastool info servers
# ping
If you are able to ping the servers and are still unable to join, run the following command and check whether any failures are reported.
# /opt/quest/bin/preflight -u -d --verbose
(Note: there should be two '-' signs before verbose)
Any failures reported here must be resolved before attempting to join the domain.
User Principal Name (UPN) suffix:
This occurs when the suffix of the UPN in your join command does not match the name of the Kerberos realm for your Active Directory domain. In other words, your Active Directory domain could be COMPANY.COM, but the user principal being used is USER@ADROOT.COMPANY.COM.
This means that an alternative user principal name suffix is being used.
Configure vas.conf to use user principal name as the logon attribute by running the following command:
# /opt/quest/bin/vastool configure vas vasd username-attr-name userPrincipalName
Followed by
# /opt/quest/bin/vastool flush
To undo this command, run:
# /opt/quest/bin/vastool configure vas vasd username-attr-name
Followed by
# /opt/quest/bin/vastool flush
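The UPN suffix comparison described above can be scripted before attempting a join. This is an added example, not One Identity code: the function names are hypothetical, the sample principals are constructed from the values in this article, and it assumes the suffix and realm compare case-insensitively.

```shell
#!/bin/sh
# Added example (not One Identity code). Function names and sample values are constructed.

# Print the UPN suffix (text after the last '@'), upper-cased; empty if there is none.
upn_suffix() {
    case "$1" in
        *@*) printf '%s\n' "${1##*@}" | tr '[:lower:]' '[:upper:]' ;;
        *)   printf '\n' ;;
    esac
}

# check_upn PRINCIPAL REALM
# Prints match, alternate-suffix or no-suffix; returns 0 only for match.
check_upn() {
    suffix=$(upn_suffix "$1")
    realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    if [ -z "$suffix" ]; then
        echo "no-suffix"; return 1
    fi
    if [ "$suffix" = "$realm" ]; then
        echo "match"; return 0
    fi
    echo "alternate-suffix"; return 1
}

# advise PRINCIPAL REALM: map the result to the matching section of the article.
advise() {
    case $(check_upn "$1" "$2") in
        match)
            echo "$1: suffix matches $2; check domain controller connectivity" ;;
        alternate-suffix)
            echo "$1: suffix differs from $2; set username-attr-name to userPrincipalName, then flush" ;;
        no-suffix)
            echo "$1: no UPN suffix given; nothing to compare" ;;
    esac
}

# Constructed sample input, using the realm and principal from the article.
REALM="COMPANY.COM"
for p in "USER@ADROOT.COMPANY.COM" "user@company.com" "user"; do
    advise "$p" "$REALM"
done
```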