
Okinit fails with "Cannot Contact Any Kdc For Requested Realm" When The Communication with the KDC Uses The TCP Protocol (Doc ID 1370005.1)

Last updated on JANUARY 05, 2020

Applies to:

Advanced Networking Option - Version 11.2.0.2 and later
Information in this document applies to any platform.

Symptoms

NOTE: In the images and/or the document content below, the user information and data used represents fictitious data from the Oracle sample schema(s) or Public Documentation delivered with an Oracle database product. Any similarity to actual persons, living or dead, is purely coincidental and not intended in any manner.

 

When running okinit on some platforms, the following error might occur if the communication with the KDC uses the TCP protocol rather than UDP:


On HP-UX:


$ okinit -e 23 oracle

Kerberos Utilities for HP-UX: Version 11.2.0.2.0 - Production on
02-NOV-2011 09:31:34

Copyright (c) 1996, 2010 Oracle. All rights reserved.

Password for oracle@SECWIN.LOCAL:
okinit: Cannot contact any KDC for requested realm




On Solaris:

$ okinit -e 23 oracle

Kerberos Utilities for Solaris: Version 11.2.0.2.0 - Production on
08-JUN-2011 07:35:59

Copyright (c) 1996, 2010 Oracle. All rights reserved.

Password for oracle@SECWIN.LOCAL:
okinit: Cannot contact any KDC for requested realm



On Linux:


$ okinit -e 23 oracle

Kerberos Utilities for Linux: Version 11.2.0.2.0 - Production on 08-JUN-2011
10:37:38

Copyright (c) 1996, 2010 Oracle. All rights reserved.

Password for oracle@SECWIN.LOCAL:
[oracle@seclin4 KERBEROS]$



Communication over TCP occurs naturally (without forcing it) when the exchanged packets are large. The packets get larger when the principal is a member of many groups or has many attributes, so the problem might not be noticed in most cases. The communication can be forced to use TCP right from the beginning by changing some registry settings on the Active Directory server (reference: Microsoft Knowledge Base):



HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
Entry: MaxDatagramReplySize
Type: REG_DWORD
Default Value: 1465 (decimal, bytes)
CUSTOM VALUE: 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
Entry: MaxPacketSize
Type: REG_DWORD
Default Value: 1465 (decimal, bytes)
CUSTOM VALUE: 100



To confirm that the Oracle Kerberos client is using TCP, get a truss or tusc trace and examine the parameters of the connect and so_socket system calls:


...
kerberos_failed.truss:16269: connect(6, 0x10014CED0, 16, SOV_DEFAULT) = 0
kerberos_failed.truss:16269: so_socket(PF_INET, SOCK_DGRAM, IPPROTO_IP, "",
SOV_DEFAULT) = 6
kerberos_failed.truss:16269: connect(6, 0x10014D4C0, 16, SOV_DEFAULT) = 0
kerberos_failed.truss:16269: so_socket(PF_INET, SOCK_STREAM, IPPROTO_IP, "",
SOV_DEFAULT) = 6
kerberos_failed.truss:16269: connect(6, 0x10014E6E0, 256, SOV_DEFAULT) Err#22
...


The SOCK_STREAM socket type is TCP, while SOCK_DGRAM is UDP.
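The check described above can be scripted. The following is an added example, not part of the original note or any Oracle tooling: it pairs each connect call in a truss trace with the so_socket call that created its descriptor and reports the transport and result. It assumes the Solaris truss line format shown above; the function names are hypothetical.

```python
import re

# Trace lines quoted from the page; truss output may wrap mid-call,
# which the pattern below tolerates.
TRACE = '''\
kerberos_failed.truss:16269: connect(6, 0x10014CED0, 16, SOV_DEFAULT) = 0
kerberos_failed.truss:16269: so_socket(PF_INET, SOCK_DGRAM, IPPROTO_IP, "",
SOV_DEFAULT) = 6
kerberos_failed.truss:16269: connect(6, 0x10014D4C0, 16, SOV_DEFAULT) = 0
kerberos_failed.truss:16269: so_socket(PF_INET, SOCK_STREAM, IPPROTO_IP, "",
SOV_DEFAULT) = 6
kerberos_failed.truss:16269: connect(6, 0x10014E6E0, 256, SOV_DEFAULT) Err#22
'''

TRANSPORT = {"SOCK_STREAM": "TCP", "SOCK_DGRAM": "UDP"}

# One pattern for both calls so matches come back in trace order.
CALL = re.compile(
    r'so_socket\(\s*\w+,\s*(?P<stype>SOCK_\w+),[^)]*\)\s*=\s*(?P<newfd>\d+)'
    r'|connect\(\s*(?P<fd>\d+),\s*\w+,\s*(?P<alen>\d+),[^)]*\)\s*'
    r'(?P<res>=\s*-?\d+|Err#\d+)'
)

def connects_by_transport(trace):
    """Return [(transport, fd, addrlen, result)] for every connect(), in order."""
    fd_type = {}   # descriptor -> transport of the socket currently holding it
    results = []
    for m in CALL.finditer(trace):
        if m.group("stype"):
            # A new socket replaces whatever previously used this descriptor.
            stype = m.group("stype")
            fd_type[int(m.group("newfd"))] = TRANSPORT.get(stype, stype)
            continue
        fd = int(m.group("fd"))
        res = m.group("res").replace(" ", "")
        results.append((fd_type.get(fd, "unknown"), fd,
                        int(m.group("alen")), "ok" if res == "=0" else res))
    return results

def tcp_failures(trace):
    """Return only the TCP connect() calls that did not succeed."""
    return [r for r in connects_by_transport(trace)
            if r[0] == "TCP" and r[3] != "ok"]

if __name__ == "__main__":
    for row in connects_by_transport(TRACE):
        print(row)
```

The first connect in the excerpt is reported as "unknown" because the so_socket call that created its descriptor falls outside the quoted lines.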

Changes

 

Cause
