Installing FreeIPA on CentOS 7 - "kinit: Cannot contact any KDC for realm" [closed]

asked 2015-03-13 14:17:46 -0500

chrischarles2002 gravatar image

I am trying to install a new stand alone instance of FreeIPA on CentOS 7.

I am doing this in an Amazon AWS EC2 environment.

The install completes flawlessly every time, however, when I attempt to run for the first time:

kinit admin

I always get back:

kinit: Cannot contact any KDC for realm 'DOMAIN.COM' while getting initial credentials

Googling, I found a way to trace this command:

KRB5_TRACE=/dev/stdout kinit admin

In which case I get the following output:

[root@ipa1 ~]# KRB5_TRACE=/dev/stdout kinit admin
[3320] 1426267179.15039: Getting initial credentials for admin@DOMAIN.COM
[3320] 1426267179.17085: Sending request (164 bytes) to DOMAIN.COM
[3320] 1426267179.17225: Resolving hostname
[3320] 1426267179.17715: Sending initial UDP request to dgram
[3320] 1426267179.17786: UDP error receiving from dgram 111/Connection refused
[3320] 1426267179.18382: Initiating TCP connection to stream
[3320] 1426267179.18431: Terminating TCP connection to stream
kinit: Cannot contact any KDC for realm 'DOMAIN.COM' while getting initial credentials

Continuing to Google for "UDP error receiving from dgram" & "Connection refused", I see that this is a common recent issue with the FreeIPA install, but have yet to find a posted solution.

Here are the packages that I have installed:

   [root@ipa1 ~]# rpm -qa  | grep ipa

Does anyone know how to get around this issue to complete the install on CentOS 7 in Amazon AWS EC2?

Thanks in advance.

edit retag flag offensive reopen merge delete

Closed for the following reason question is off-topic or not relevant by randomuser
close date 2015-03-14 00:55:49.666884


That command is attempting to communicate with a Key Distribution Center for the Kerberos realm "DOMAIN.COM." It appears the KDC is identified as and the DNS service for the system succeeds in resolving that domain name to It then attempts to establish UDP communications with the system, but fails. Is that what you expect to be happening when you run this command? If so, I guess you need to ensure the KDC service is up and running, ready for connections, and that the system targeted for installation can successfully communicate with ipa1.

bitwiseoperator gravatar imagebitwiseoperator ( 2015-03-13 23:41:41 -0500 )edit

On Fedora, you can use rolekit to deploy FreeIPA and it just works; it can be a complex stack to set up without that. On Centos, you should use the CentOS forum or mailing list. Centos and Fedora are different, and advice for often doesn't apply to the other, especially for something this complicated.

randomuser gravatar imagerandomuser ( 2015-03-14 00:55:36 -0500 )edit

This right here helped me more than most other things when I got to this point: KRB5_TRACE=/dev/stdout kinit admin Thanks for that!

harper519 gravatar imageharper519 ( 2015-09-13 15:02:39 -0500 )edit

This helped me a ton! Thanks!

Andrew Rothstein gravatar imageAndrew Rothstein ( 2016-09-05 22:02:48 -0500 )edit