RE: Server not found in Kerberos database error on ldapsearch #3
Ok, I got it now! I set up the AD server to run as ad.example.com and replaced the ip's in my krb5.conf with dns names and now it works! Thank you very much for your help. Still, if you have any howto on this topic (AD and UNIX), I would apreciate if you could send me a link to it. Evgeniy Zhaovsky (aka Jeck) ----------------- Evgeniy Zharovsky Ludwig-Maximilians-Universitaet Ref. IIIA5 (Sicherheitstechnik und Verzeichnisdienste) Martiusstr. 4 / 207 80539 Muenchen email mailto:evgeniy.zharovsky@verwaltung.uni-muenchen.de ...

AD Server returning server not found kerberos database
Hi all, I am using MIT Kerberos to mutually authenticate with other user (Kerberos Server: AD Server), It is working fine with my newly installed active directory .But when I try to work with my Company AD Server to get service ticket for particular user I am getting "Server not found in Kerberos Database", But that user is there in AD . any option can change to get it work . I want to to know which option in ad makes mutual authentication between user and user makes fail. Do I need to use setspn to add service principle?? Please help me Regards, Eswar S **************************************************************************** *********** This e-mail and attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient's) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it! ...

Client not found in Kerberos database #3
Hi, I have an Intel xseve 10.4.9 server bound to AD and also have OD configured on the same server for Mac management. Other services running are AFP and WINDOWS. I will also be using the same server as a file server for both Mac and Windows. Below are my issues. When the WINDOWS service starts on our Intel Xserve with 10.4.9 installed I receive the below error message. I have tested single sign on "SSO" from Mac and Windows systems and everything seems to work, but am concerned that this error may cause an issue at a later date. I also have an issue with windows users suddenly not being able to connect to a share on the Intel Xserve via SMB which is strange as the same user on a Mac could still connect via AFP or SMB a restart of the WINDOWS service seems to clear this problem, not sure if this is related to the below error but it's a real issue and seems to be very random. When this happen I seem to receive "broken pipe" errors in the "smbd.conf" log. I checked the "secrets.tdb" and found that this did not have the "\00" on the end of the "SECRETS/MACHINE_PASSWORD/", so I ran the script at "afp548" site under forum "10.4.8 Intel - AD, Samba kerberos machine password" which added the "\00". The strange thing is that all seemed to still work even thought the "secrets.tdb" was not correct, perhaps this could be the cause of the SMB dropouts? Below is from the SMBD.LOG...

UNKNOWN_SERVER
As always with things like this, it's hard to determine whether to send this here or to openafs-info. Can anyone tell me what is going on here? This is what krb5kdc logged when I logged into 129.83.11.213. -- sshd + UsePAM -- pam_krb5.so (RHELv4) -- pam_afs_session.so (PAM session module which uses aklog to get tokens from a K5 ticket). Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1 etypes {3}) 129.83.11.213: UNKNOWN_SERVER: authtime 1176929167, jblaine@rcf.foo.com for afs/rcf.foo.com@rcf.foo.com, Server not found in Kerberos database Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1 etypes {1}) 129.83.11.213: UNKNOWN_SERVER: authtime 1176929167, jblaine@rcf.foo.com for afs/rcf.foo.com@rcf.foo.com, Server not found in Kerberos database Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1 etypes {1}) 129.83.11.213: ISSUE: authtime 1176929167, etypes {rep=16 tkt=1 ses=1}, jblaine@rcf.foo.com for afs@rcf.foo.com ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos Jeff Blaine <jblaine@kickflop.net> writes: > Can anyone tell me what is going on here? This is what > krb5kdc logged when I logged into 129.83.11.213. > -- sshd + UsePAM > -- pam_krb5.so (RHELv4) > -- pam_afs_session.so (PAM session module which uses aklog to > get tokens from a K5 ticket). > Apr 18 16:46:07 silmaril.foo.com kr...

Server not found in Kerberos database #2
Hi, I'm a Java developer and new to Kerberos. We have a Java application that needs to be authenticated against Kerberos Active Directory. For testing purpose, we have Active Directory installed on a Win 2k server. Then, the Kerberos was turned on by a co-worker, who doesn't know much about Kerberos either. Without any manual about Active Directory, he did that based on his best judgement. Here are the basic setting information: (01) The Win2k server has FQDN: devtest.mycompany.com. (02) C:\WINNT\krb5.ini file looks like: [libdefaults] default_realm = DEVTEST.COM [realms] DEVTEST.COM = { kdc = <IP address of the Win2k server> } (03) The AD is listening on port 389 (default for LDAP server), and KDC listens on port 88. When a user logs in with Java code, apparently the user can log in successfully and get ticket from Kerberos AD. However, whenever the code tries to instantiate InitialDirContext (an Object in Java that would capture the environment context), an error would be thrown claiming that "Server not found in Kerberos database". I can't find problem in the Java code and suspect the error may be related with our Kerberos setting. I wonder what exactly the error message means in Kerberos arena. How can I verify that the Kerberos is correctly set? Also, you may notice that the Kerberos realm (DEVTEST.COM) is not the same as the machine's FQDN (devtest.mycompany.com). I wonder if that makes any difference. Our code-...

Error: Server not found in Kerberos database
Hello, I want to enable someone the access to my account by using the .k5login file. I did all necessary things and immediatly started off by trying: shell% ksu toka Nevertheless I wasn't able to get toka's ID but /home/toka contains the ..k5login file with my principal. Furthermore there's the following error message: ksu: Server not found in Kerberos database while geting credentials from kdc Authentication failed. ^ typo in krb5 I looked for solutions on google and discovered the url http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/kerberos/ troubleshooting.html#misc_2 which describes the issue. My /etc/hosts file is fully qualified (including its entries) and the hostnames are correctly mapped to the IPs and vice versa. So where could the source of failure be located? Thanks in advance - Marcel Karras ------------------------------------------------------------------------ Contact: toka@freebits.de karma@informatik.tu-chemnitz.de http://www.freebits.de http://www.tu-chemnitz.de Unix, Linux && OpenSource Student of Chemnitz University of Technology ------------------------------------------------------------------------ ...

Server not found in Kerberos Database #4
Hi all, When do we get the error as "Server not found in Kerberos Database"? I have a KDC on Win2003 and a client which is a Linux (redhat) is trying to authenticate the users from this Active directory, which is on the win 2003 machine. I observed that in case we specify the wrong user name (which does not exist on the AD server) at the time of kinit command on Linux machine we get the error as "Client not found in Kerberos database". What is this server which is not found when I am trying to join the redhat client machine to the AD server? Thanks in advance for all the help Regards, Sayali --------------------------------- All new Yahoo! Mail "The new Interface is stunning in its simplicity and ease of use." - PC Magazine ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos > Hi all, > When do we get the error as "Server not found in Kerberos Database"? > I have a KDC on Win2003 and a client which is a Linux (redhat) is trying to authenticate the users from this Active directory, which is on the win 2003 machine. > I observed that in case we specify the wrong user name (which does not exist on the AD server) at the time of kinit command on Linux machine we get the error as "Client not found in Kerberos database". > What is this server which is not found when I am trying to j...

Server not found in Kerberos database error on ldapsearch
Good afternoon! I have the following problem: I need to connect securely to a AD and search it via ldapsearch. When I try to do so the "Server not found in Kerberos database" error appears. I'm not quite sure, why. I have extracted a keytab of the AD and kinit seems to work fine for the same user as I want to use with ldapsearch. The hosts-files are set up correctly (a ping on DNS-names looks fine). There is nothing that indicates an error in the AD-logs (only successful logons). Could anyone give me a hint, why I get this reaction? -- View this message in context: http://www.nabble.com/Server-not-found-in-Kerberos-database-error-on-ldapsearch-tf4777894.html#a13667697 Sent from the Kerberos - General mailing list archive at Nabble.com. ...

Newbie: "Server not found in Kerberos database"
I am still in 'toy installation mode'. I have set up a KDC on a Linux machine, call it kervara.mygroup.org I have successfully set things up to the point that I can kinit from various clients. I have also set up OpenSSH 3.9p1 to use GSSAPI authentication. When I am logged into kervara, and have a valid TGT from this realm, I can successfully ssh into kervara.mygroup.org without a password; the keytab contains entries for the host/kervara.mygroup.org principal. This is the way things are supposed to work. Life is good. The problem comes when I attempt to do the same thing with the same version of OpenSSH built with the same options on a Solaris machine. In that case, the server logs a "Server not found in Kerberos database" message and gives up. I have looked at all the obvious candidates (wrong DNS entry, disagreement as to host name in /etc/hosts and DNS, etc) and come up empty. Unfortunately, the log messages do not tell me _what_ principal it was trying to find in krb5.keytab (I assume that this is where the mismatch or missing entry is). Is there a way to squeeze more diagnostic information? Or does this sound like a familiar problem? In article <d17eap$ejf$1@panix5.panix.com>, urban@panix.com (Michael Urban) wrote: .... > The problem comes when I attempt to do the same thing with the same > version of OpenSSH built with the same options on a Solaris machine. > In that case, the server logs a "Server not found in Kerberos ...

RE: Server not found in Kerberos database error on ldapsearch
> You should not need these. Ok. > Some things to try: > > Wireshare or other trace program to see DNS and Kerberos requests. > This should show name of the "Server not found in Kerberos database" I captured the request dialog with wireshark and got this (the things I think are important): MSG Type: KRB-ERROR Error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7) Realm: EXAMPLE.COM Server Name (Unknown): krbtgt/COM Name-type: Unknown (0) Name: krbtgt Name: COM I guess that indicates an error in my krbtgt setup. But where should I search for it and what does the right setup look like? > On the unix side, do you have a /etc/krb5.conf or /etc/krb5.conf? > Is the default realm (in uppercase) the same as the AD domain name? > if not, you may need a krb5.conf, or the -R option on ldapsearch. Yes, I do have a krb5.conf on the unix side. Here it is: [libdefaults] default_realm=EXAMPLE.COM dns_lookup_realm = false dns_lookup_kdc = false # default_tkt_enctypes = des-cbc-md5 des-cbc-crc # default_tgs_enctypes = des-cbc-md5 des-cbc-crc kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true # v4_instance_resolve = false # v4_name_convert = { [realms] EXAMPLE.COM = { kdc = 192.168.10.4:88 admin_server = 192.168.10.4:749 } [domain_realm] .example.com = EXAMPLE.COM As you can see, it is a setup for some tests... ----------------- ...

newbie: error getting credentials: Server not found in Kerberos database
Hi! I never found the time to deal intensively with kerberos so please indulge me if this is ought to be a stupid question: kinit works. krsh does not: krsh server error getting credentials: Server not found in Kerberos database trying normal rlogin (/usr/bin/rlogin) So, this is what I did so far: server: /etc/krb5.conf: [libdefaults] default_realm = LOCALDOMAIN [realms] LOCALDOMAIN = { kdc = server.localdomain:88 admin_server = server.localdomain:750 } [domain_realm] .localdomain = LOCALDOMAIN localdomain = LOCALDOMAIN [logging] kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmin.log default = FILE:/var/log/krb5lib.log /etc/hosts: 127.0.0.1 localhost 192.168.0.2 server server.localdomain real hostname is actually *not* "server"! kadmin.local: addprinc foo client: /etc/krb5.conf [libdefaults] ticket_lifetime = 600 default_realm = LOCALDOMAIN default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc [realms] LOCALDOMAIN = { kdc = server.localdomain:88 admin_server = server.localdomain:750 } [domain_realm] .localdomain = LOCALDOMAIN localdomain = LOCALDOMAIN [kdc] profile = /etc/krb5kdc/kdc.conf [logging] kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmin.log default = FI...

Server not found in Kerberos database while getting a service url ticket
hello, I have added to my kerberos database the following principal: "http://localhost:8080/axis/services/test" . (It' s in a url format instead of being in the format: service/host@REALM.) So, the thing is that I would like to acquire a service ticket for that principal. To request a service ticket I am using gss api and follow the next steps: class KrbClient{ main(){ ..... //I have acquired the credentials from the ticket cache .... PrincipalName serviceName = new PrincipalName("http://localhost:8080/axis/services/test"); // create the tgs_req to ask for service tickets sun.security.krb5.KrbTgsReq tgs_req = new sun.security.krb5.KrbTgsReq(credentials, serviceName); tgs_req.send(); // get tgs_rep KrbTgsRep tgs_rep = tgs_req.getReply(); } } and it gets the folllowing error: KrbException: Server not found in Kerberos database (7) at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:67) at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:235) at KrbClient.requestServiceTicket(KrbClient.java:142) at KrbClient.main(KrbClient.java:39) Caused by: KrbException: Identifier doesn't match expected value (906) at sun.security.krb5.internal.KDCRep.init(KDCRep.java:134) at sun.security.krb5.internal.TGSRep.init(TGSRep.java:59) at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:54) at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:50) ... 3 more >From the debugging of gss api: >>>KRBError: sTime is Mon ...

RE: Server not found in Kerberos database error on ldapsearch #2
I don't know, if I got you right (I'm not quite good in networks and especially AD; thats a new thing for me, so I'm a noob) So I just ask again: Douglas E. Engert wrote > > I captured the request dialog with wireshark and got this > (the things I think > > are important): > > > > MSG Type: KRB-ERROR > > Error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7) > > Realm: EXAMPLE.COM > > Server Name (Unknown): krbtgt/COM > > Name-type: Unknown (0) > > Name: krbtgt > > Name: COM > > This looks like cross realm, where the client is working its > way up the realm > tree to get the the realm of the server, say AD.DOMAIN.COM. > Client is using TGT > from EXAMPLE.COM to get TGT for realm COM (which does not > exist) If it did, it > would then try and get a TGT from COM for DOMAIN.COM, then > get one from > AD.DOMAIN.COM and the get service ticket from AD.DOMAIN.COM. > > I thought you where trying to use Active Directory, and the > domain name > was something like ad.domain.com. So why does you unix system have > a realm named EXAMPLE.COM? Have you setup cross realm trust > between them? > > If you are not using cross-real, then you should be using the > AD domain name as > the realm name. It should have a realm named AD.DOMAIN.COM. > Either the user and server must be in the same realm, or you > need cross realm > trust. The domai...

OS 10.3.3 SERVER AND KERBEROS?
Is anyone having problems making AFP work with Open Directory and Kerberos? ...

Subject: Help needed on "Server not found in Kerberos Database" while using "mod_auth_kerb+Apache"
Hi, My Kerberos Setup is as follows- Kerberos v5 Server- example.domain.com (Linux Box) Kerberos Realm- EXAMPLE.COM Registered User on Kerberos realm- test@EXAMPLE.COM Apache Server(with mod_auth_kerb) can be accessed as: http://apache.domain.com (Linux Box) Now I have added a principal name- HTTP/apache.domain.com@EXAMPLE.COM using the addprinc command. I have generated a keytab file for this principal (using ktadd) and then transferred it to the Apache Server(apache.domain.com). I have pointed to this keytab file in ..htaccess file. Now when I try to access APACHE.DOMAIN.COM:80 through a browser(IE) running on my desktop say CLIENT1.DOMAIN.COM, and give the proper user credentials...it doesnt authenticate. When I look this up in the Kerberos log file (krb5kdc.log) it gives the following messages...for the event- Jul 08 18:52:34 example.domain.com krb5kdc[9797](info): AS_REQ (6 etypes {18 16 23 1 3 2}) 192.168.200.27: ISSUE: authtime 1089292954, etypes {rep=16 tkt=16 ses=16}, test@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM Jul 08 18:52:34 example.domain.com krb5kdc[9797](info): TGS_REQ (6 etypes {18 16 23 1 3 2}) 192.168.200.27: UNKNOWN_SERVER: authtime 1089292954, test@EXAMPLE.COM for krbtgt/REALM1.COM@EXAMPLE.COM, Server not found in Kerberos database Jul 08 18:52:34 example.domain.com krb5kdc[9797](info): TGS_REQ (6 etypes {18 16 23 1 3 2}) 192.168.200.27: UNKNOWN_SERVER: authtime 1089292954, test@EXAMPLE.COM for krbtgt/COM@EXAMPLE.COM, Server not found i...

OS X 10.3.3 SERVER AND KERBEROS
Is anyone having problems making AFP work with Open Directory and Kerberos? ...

Client not found in Kerberos database
I get this from typing 'kadmin' on the commandline of the KDC server itself. I have my own account on there which I can log into from gkadmin. Client not found in Kerberos database while initializing kadmin interface Regards, Jason. -------------------------- Jason Oakley +612 82821434 Open and Intel Systems Systems Administrator http://www.eds.com Add a dab of lavender to milk Leave town with an orange and pretend you are laughing at it ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos What did you try ? I think this is a RTFM question. On Wed, 2004-01-14 at 05:20, Jason Oakley wrote: > I get this from typing 'kadmin' on the commandline of the KDC server itself. > I have my own account on there which I can log into from gkadmin. > > > Client not found in Kerberos database while initializing kadmin interface > > > > Regards, > > Jason. > > -------------------------- > Jason Oakley +612 82821434 > Open and Intel Systems > Systems Administrator > http://www.eds.com > > Add a dab of lavender to milk > Leave town with an orange > and pretend you are laughing at it > > > ________________________________________________ > Kerberos mailing list Kerberos@mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > -- ...

Client not found in Kerberos database while...
Hi My overall project is to get a Debian Sarge mail/samba-server to connect with a Windows server 2003, but i'm having problem with the kerberos/LPAD connection. I started uot with this guide: http://www.enterprisenetworkingplanet.com/netos/article.php/3487081 And i got all the components (Have_KRB5_H and etc.), but no connection.. If i test the conn with: kinit administrator@DOM.NET kinit(v5): Client not found in Kerberos database while getting initial credentials And if i test with: kinit administrator@dom.net kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials So in general I'm having trouble defining what is what and what to install. When typing my "Kerberos server" in the conf i put in the windows-server, but should that be the linuxserver? And have much should i install on the linuxserver to make it into a "kerberos server". I already got these. libpam-krb5 krb5-user krb5-doc krb5-config krb5-kdc libkrb53 ----- krb5.conf ----------- [libdefaults] default_realm = DOM.NET [realms] DOM.NET = { kdc = WINDOWSSERVER.DOM.NET } [domain_realms] .kerberos.server = DOM.NET Hope anyone can guide me through this... /Lars ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

RE: MIT Kerberos and Solaris 10 Kerberos #3
Thanks for the response. Please see inline... > In Solaris 10, all of the Kerberos services are already bundled, > there is no longer any external packages that need to be added. Right. > Whoever told you 'ksu' was part of the encryption kit was mistaken, > ksu has never been part of SEAM. OK, thanks for that clarification. It was a bit of a surprise to me when I was told it was there. So, does the Solaris 10 SEAM have any functionality similar to ksu, or just the standard su command? > The encryption kit for Solaris 10 enhances the overall crypto > capabilities of the system, the only benefit Kerberos gets is > that it can support AES-256 with the S10 encryption kit. > Without the S10 encryption kit, the strongest AES crypto > available for Kerberos in S10 is AES-128. And this fits more with what I understood, before my co-worker's comments. > On the S10 system, you must make sure to enable the "eklogin" service. > Run this command (as root): > > # svcadm enable eklogin Hmm. That may be a good part of my problem. I added the inetd.conf entry for the old (MIT) eklogin, and ran inetconv. So, this is probably really confusing the system. I'll try to revert that, and do the svcadm. > For Solaris 8 with the SEAM rlogin daemon, make sure your > inetd.conf entries > are correct. We don't actually run SEAM on any Sol8 systems; it's all MIT. > Don't bother with inetd.conf in S10, ...

Microsoft SSPI error
Hello, I have configuration of active directory 2003 r2 sp3 working with linux mod_auth_kerb. I use SPNEGO for subversion. When using Linux all work great! When using Windows XP(and Windows 7) Firefox/IE/cifs client work great. Problem is subversion which uses neon, it get the following: --- Running post_send hooks ah_post_send (#1), code is 201 (want 401), WWW-Authenticate is Negotiate oYGfMIG coAMKAQChCwYJKoZIhvcSAQICooGHBIGEYIGBBgkqhkiG9xIBAgICAG9yMHCgAwIBBaEDAgEPomQwYqA DAgEXolsEWTLvPLmZvxBgaMEmPDDTIeG9bdJ5rmfTEtsj6Cv9eF9s9Z8sBWhVhPXYzIVsm/sw0hqR+1u DM9frpOeV2Y0YGtDk2flN5iOM/HdEujj0GXAYEWHvPp/3kSc2 auth: SSPI challenge. InitializeSecurityContext [fail] [80090304]. sspi: initializeSecurityContext [failed] [80090304]. --- At windows event log I see the following: --- Event Type: Warning Event Source: LSASRV Event Category: SPNEGO (Negotiator) Event ID: 40962 Date: 10/3/2011 Time: 3:55:38 PM User: N/A Computer: VALON Description: The Security System was unable to authenticate to the server HTTP/correlux-gentoo.correlsense.com because the server has completed the authentication, but the client authentication protocol Kerberos has not. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. --- Had anyone seen this before? I tried many configurations, but without success: --- Gentoo --- dev-libs/openssl-1.0.0e -> also downgraded to openssl-0.9.8f www-servers/apache-2.2.21 www-apache/mod_auth_kerb-5.4 -> also downgraded to m...

Client not found in Kerberos database #2
Hi, I have an Intel xseve 10.4.9 server bound to AD and also have OD configured on the same server for Mac management. Other services running are AFP and WINDOWS. I will also be using the same server as a file server for both Mac and Windows. Below are my issues. When the WINDOWS service starts on our Intel Xserve with 10.4.9 installed I receive the below error message. I have tested single sign on "SSO" from Mac and Windows systems and everything seems to work, but am concerned that this error may cause an issue at a later date. I also have an issue with windows users suddenly not being able to connect to a share on the Intel Xserve via SMB which is strange as the same user on a Mac could still connect via AFP or SMB a restart of the WINDOWS service seems to clear this problem, not sure if this is related to the below error but it's a real issue and seems to be very random. When this happen I seem to receive "broken pipe" errors in the "smbd.conf" log. I checked the "secrets.tdb" and found that this did not have the "\00" on the end of the "SECRETS/MACHINE_PASSWORD/", so I ran the script at "afp548" site under forum "10.4.8 Intel - AD, Samba kerberos machine password" which added the "\00". The strange thing is that all seemed to still work even thought the "secrets.tdb" was not correct, perhaps this could be the cause of the SMB dropouts? Below is from the SMBD.LOG...

Client not found in Kerberos database #4
Hi folks, My site uses Debian squeeze for both workstations and servers with MIT Kerberos 1.8.3 for authentication. Although there are generally no complaints, from time to time users say that the workstations do not accept their passwords on the first attempt, even when they anticipate the issue and made a conscious effort to not make any mistakes. Upon examination of the KDC logs, I find some evidence to support their claims. The most obvious is this error: CLIENT_NOT_FOUND: jsmith@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database In most cases the login name is not not spelled correctly, or there is nothing like it in the database at all, but in others there is nothing wrong. Yet, this error occurs anyway. Does anyone have an explanation for this phenomenon? Thanks, Jaap ...

RE: MIT Kerberos and Solaris 10 Kerberos
<laugh> Yup, I learned (the hard way!) to always stay logged in to a console session as root. R > Make sure you have a root window open before testing PAM. I > stumbled on > this when I tried to su and my test pam exit failed! ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

Trouble authenticating with Kerberos & LDAP
I've been very frustrated trying to get this to work. We are trying to use a windows 2003 server as our Kerberos server, along with our openldap on solaris as our directory server. The machines we want to authenticate on are all Solaris 9. The ldap tree is fully populated, and working properly. With our current nsswitch.conf, logins work using the ldap directory (with posixAccount & shadowAccount records), as does a getent passwd <ldapusername>. Also, we have our Windows 2003 server's directory setup with named users, and with our current pam.conf, we can authenticate aga...