Okinit fails with "Cannot Contact Any Kdc For Requested Realm" When The Communication with the KDC Uses The TCP Protocol (Doc ID 1370005.1)

Last updated on NOVEMBER 04, 2015

Applies to:

Advanced Networking Option - Version: 11.2.0.2 and later [Release: 11.2 and later]
Information in this document applies to any platform.

Symptoms

When okinit is run on some platforms, the following error might occur if the communication with the KDC uses the TCP protocol rather than UDP:

On HP-UX:

[celchp9]/grdbms/home> okinit -e 23 oracle

Kerberos Utilities for HP-UX: Version 11.2.0.2.0 - Production on 02-NOV-2011 09:31:34

Copyright (c) 1996, 2010 Oracle. All rights reserved.

Password for oracle@SECWIN.LOCAL:
okinit: Cannot contact any KDC for requested realm

On Solaris:

[rmtdcsol1]/grdbms/home> okinit -e 23 oracle

Kerberos Utilities for Solaris: Version 11.2.0.2.0 - Production on 08-JUN-2011 07:35:59

Copyright (c) 1996, 2010 Oracle. All rights reserved.

Password for oracle@SECWIN.LOCAL:
okinit: Cannot contact any KDC for requested realm

On Linux (no error text is printed; okinit simply returns to the prompt):

[oracle@seclin4 KERBEROS]$ okinit -e 23 oracle

Kerberos Utilities for Linux: Version 11.2.0.2.0 - Production on 08-JUN-2011 10:37:38

Copyright (c) 1996, 2010 Oracle. All rights reserved.

Password for oracle@SECWIN.LOCAL:
[oracle@seclin4 KERBEROS]$


The communication switches to TCP naturally (without forcing it) when the exchanged packets are large. The packets grow larger when the principal is a member of many groups or has many attributes, so the problem might not be noticed in most cases. To reproduce it deterministically, the KDC can be forced to use TCP from the beginning by changing the following registry settings on the Active Directory server (see the Microsoft Knowledge Base):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
Entry: MaxDatagramReplySize
Type: REG_DWORD
Default Value: 1465 (decimal, bytes)
Custom Value: 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
Entry: MaxPacketSize
Type: REG_DWORD
Default Value: 1465 (decimal, bytes)
Custom Value: 100


To confirm that the Oracle Kerberos client is using TCP, capture a truss (Solaris) or tusc (HP-UX) trace of okinit and examine the parameters of the so_socket and connect system calls:

...
kerberos_failed.truss:16269: connect(6, 0x10014CED0, 16, SOV_DEFAULT) = 0
kerberos_failed.truss:16269: so_socket(PF_INET, SOCK_DGRAM, IPPROTO_IP, "", SOV_DEFAULT) = 6
kerberos_failed.truss:16269: connect(6, 0x10014D4C0, 16, SOV_DEFAULT) = 0
kerberos_failed.truss:16269: so_socket(PF_INET, SOCK_STREAM, IPPROTO_IP, "", SOV_DEFAULT) = 6
kerberos_failed.truss:16269: connect(6, 0x10014E6E0, 256, SOV_DEFAULT) Err#22
...

A socket of type SOCK_STREAM is TCP, while SOCK_DGRAM is UDP. In the trace above, the connect calls on the SOCK_DGRAM sockets succeed and the connect on the SOCK_STREAM socket is the one that fails (Err#22).
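As an added diagnostic helper (not part of this Oracle note), the following Python script walks a truss trace like the one above, records the socket type each file descriptor was created with, and lists every connect() over a SOCK_STREAM (TCP) socket that returned an error. The sample trace is constructed in the note's format, and the regular expressions assume the Solaris truss syntax shown above (so_socket, connect, Err#NN).

```python
import re

# Constructed sample in the truss format quoted in the note above (not a captured trace);
# the so_socket lines that wrap in the note are rejoined as truss prints them.
SAMPLE_TRACE = """\
kerberos_failed.truss:16269: so_socket(PF_INET, SOCK_DGRAM, IPPROTO_IP, "", SOV_DEFAULT) = 6
kerberos_failed.truss:16269: connect(6, 0x10014CED0, 16, SOV_DEFAULT) = 0
kerberos_failed.truss:16269: so_socket(PF_INET, SOCK_STREAM, IPPROTO_IP, "", SOV_DEFAULT) = 6
kerberos_failed.truss:16269: connect(6, 0x10014E6E0, 256, SOV_DEFAULT) Err#22
"""

# Assumption: Solaris truss syntax as shown in the note (so_socket(...) = fd, Err#NN on failure).
SOCKET_RE = re.compile(r"so_socket\(\w+, (SOCK_\w+), [^)]*\)\s*=\s*(\d+)")
CONNECT_RE = re.compile(
    r"connect\((\d+), (0x[0-9A-Fa-f]+), (\d+), \w+\)\s*(?:=\s*(\d+)|Err#(\d+))"
)
SOCK_TYPE_TO_PROTO = {"SOCK_STREAM": "TCP", "SOCK_DGRAM": "UDP"}


def analyze_trace(text):
    """Return one dict per connect(): fd, transport, sockaddr length passed, and errno (0 = ok)."""
    fd_type = {}   # fd -> SOCK_* type; updated on each so_socket() so reused fd numbers stay correct
    events = []
    for line in text.splitlines():
        m = SOCKET_RE.search(line)
        if m:
            fd_type[int(m.group(2))] = m.group(1)
            continue
        m = CONNECT_RE.search(line)
        if m:
            fd = int(m.group(1))
            events.append({
                "fd": fd,
                "proto": SOCK_TYPE_TO_PROTO.get(fd_type.get(fd), "unknown"),
                "addrlen": int(m.group(3)),
                "errno": int(m.group(5)) if m.group(5) else 0,
            })
    return events


def failed_tcp_connects(events):
    """Connect attempts over TCP that returned an error: the pattern the note describes."""
    return [e for e in events if e["proto"] == "TCP" and e["errno"] != 0]


if __name__ == "__main__":
    for e in analyze_trace(SAMPLE_TRACE):
        status = "ok" if e["errno"] == 0 else f"Err#{e['errno']}"
        print(f"fd {e['fd']}: {e['proto']} connect, addrlen={e['addrlen']}, {status}")
```

Run it against a real trace with `analyze_trace(open("kerberos_failed.truss").read())`; an empty result from failed_tcp_connects() means no TCP connect attempt failed in that trace.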

Cause
