hashicorp / terraform-provider-dns

Utility provider that supports DNS updates (RFC 2136) and can optionally be configured with secret key based transaction authentication (RFC 2845).
https://registry.terraform.io/providers/hashicorp/dns/latest
Mozilla Public License 2.0

AS Exchange Error: failed sending AS_REQ to KDC: failed to communicate with KDC #134

Open harkeet opened 3 years ago

harkeet commented 3 years ago

Terraform Version

Terraform v0.14.9

Affected Resource(s)

If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

provider "dns" {
  update {
    server = "dns_host1.example.com" # Using the hostname is important in order for an SPN to match
    gssapi {
      realm    = "example.com"
      username = "dns_user"
      keytab   = "/path/to/DNS.keytab"
    }
  }
}
resource "dns_ptr_record" "tf_ptr" {
  zone = "17.238.10.in-addr.arpa."
  name = "27"
  ptr  = "host.example.com."
}

Debug Output

dns_ptr_record.tf_ptr: Creating...

Error: Error updating DNS record: Error negotiating GSS context: [Root cause: Networking_Error] Networking_Error: AS Exchange Error: failed sending AS_REQ to KDC: failed to communicate with KDC. Attempts made with UDP (no KDCs defined in configuration for realm example.com) and then TCP (no KDCs defined in configuration for realm example.com)

Panic Output

If Terraform produced a panic, please provide a link to a GitHub Gist containing the output of the crash.log.

Expected Behavior

PTR record created

Actual Behavior

What actually happened?

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply

Important Factoids

TF config is able to fetch the records via data sources such as A record and PTR record.

krb5.conf

[libdefaults]
default_realm = example.com
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = yes
proxiable = true
rdns = false
default_tkt_enctypes = rc4-hmac
default_tgt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
dns_lookup_kdc = false
dns_lookup_realm = false

[realms]
EXAMPLE.COM = {
    kdc = dns_host1.example.com
    kdc = dns_host2.example.com
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

[login]
krb4_convert = true
krb4_get_tickets = false

bodgit commented 3 years ago

Your realm should probably be set to "EXAMPLE.COM" in the provider configuration rather than "example.com".
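To show why the lowercase realm in the provider block finds no KDCs even though krb5.conf lists two for EXAMPLE.COM, here is an added Go example (not code from the provider or its Kerberos library): a minimal parser for the [realms] section and a lookup that reports a realm differing only in case. The embedded config is a constructed copy of the [realms] section from this issue.

```go
package main

import (
	"bufio"
	"strings"
)

// Constructed copy of the [realms] section from the issue's krb5.conf.
const sampleKrb5Conf = `[realms]
EXAMPLE.COM = {
    kdc = dns_host1.example.com
    kdc = dns_host2.example.com
}
`
// parseRealms returns realm -> KDC list. Realm names are kept exactly as
// written, as the Kerberos library keys its lookup: "example.com" != "EXAMPLE.COM".
func parseRealms(conf string) map[string][]string {
	realms := map[string][]string{}
	var section, realm string
	sc := bufio.NewScanner(strings.NewReader(conf))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case strings.HasPrefix(line, "["): // new section, e.g. "[realms]"
			section, realm = strings.Trim(line, "[]"), ""
		case section == "realms" && strings.HasSuffix(line, "{"): // "NAME = {"
			realm = strings.TrimRight(line, "{= \t")
			realms[realm] = nil
		case section == "realms" && realm != "": // "kdc = host" inside the braces
			if kv := strings.SplitN(line, "=", 2); len(kv) == 2 && strings.TrimSpace(kv[0]) == "kdc" {
				realms[realm] = append(realms[realm], strings.TrimSpace(kv[1]))
			}
		}
	}
	return realms
}

// kdcsFor looks up the realm named in the provider's gssapi block; on a miss it
// also returns any realm that differs only in case, which is this issue's situation.
func kdcsFor(realms map[string][]string, realm string) ([]string, string) {
	if kdcs, ok := realms[realm]; ok {
		return kdcs, ""
	}
	for name := range realms {
		if strings.EqualFold(name, realm) {
			return nil, name
		}
	}
	return nil, ""
}
```

Running kdcsFor over the parsed sample with "example.com" yields no KDCs but names "EXAMPLE.COM" as the case-only match, which is the correction bodgit suggests.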