


Server not found in Kerberos database while getting a service url ticket

hello,
I have added to my kerberos database the following principal:
"http://localhost:8080/axis/services/test" .
(It's in a url format instead of being in the format:
service/host@REALM.)
So, the thing is that I would like to acquire a service ticket for that
principal.
To request a service ticket I am using gss api and follow the next
steps:

class KrbClient {
    main() {
        .....
        // I have acquired the credentials from the ticket cache
        ....
        PrincipalName serviceName =
            new PrincipalName("http://localhost:8080/axis/services/test");

        // create the tgs_req to ask for service tickets
        sun.security.krb5.KrbTgsReq tgs_req =
            new sun.security.krb5.KrbTgsReq(credentials, serviceName);

        tgs_req.send();

        // get tgs_rep
        KrbTgsRep tgs_rep = tgs_req.getReply();
    }
}

and it gets the following error:

KrbException: Server not found in Kerberos database (7)
	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:67)
	at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:235)
	at KrbClient.requestServiceTicket(KrbClient.java:142)
	at KrbClient.main(KrbClient.java:39)
Caused by: KrbException: Identifier doesn't match expected value (906)
	at sun.security.krb5.internal.KDCRep.init(KDCRep.java:134)
	at sun.security.krb5.internal.TGSRep.init(TGSRep.java:59)
	at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:54)
	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:50)
	... 3 more

From the debugging of gss api:
>>>KRBError:
	 sTime is Mon May 22 19:07:26 EEST 2006 1148314046000
	 suSec is 722233
	 error code is 7
	 error Message is Server not found in Kerberos database
	 crealm is GRID.ORG
	 cname is vpouli
	 realm is GRID.ORG
	 sname is http://localhost:8080/axis/services/test

From the kdc log file:
2006-05-22T19:40:59 TGS-REQ vpouli@GRID.ORG from IPv4:147.102.183.137
for http:/\/localhost:8080/axis/services/test@GRID.ORG
2006-05-22T19:40:59 Server not found in database:
http:/\/localhost:8080/axis/services/test@GRID.ORG: No such entry in
the database
2006-05-22T19:40:59 sending 155 bytes to IPv4:147.102.183.137

What I see, is that when I request a ticket for a service principal
which contains "//" (like in http://localhost....) it puts an escape
character '\' between '//'  and tries to find "http:/\/localhost..."
instead of "http://localhost....".

Is there something I can do about it?

0
vpouli (6)
5/22/2006 5:01:54 PM

>>>>> "vpouli" == vpouli  <vpouli@gmail.com> writes:

    vpouli> hello, I have added to my kerberos database the following
    vpouli> principal: "http://localhost:8080/axis/services/test" .  (It's
    vpouli> in a url format instead of being in the format:
    vpouli> service/host@REALM.)

That is not a principal name -- at least, not one you can use; it has 6
instances, one of which is null.

The usual service principal for an HTTP server is HTTP/fqdn@REALM.

-- 
  Richard Silverman
  res@qoxp.net

0
res49 (1410)
5/23/2006 5:49:52 AM

vpouli wrote:

> hello,
> I have added to my kerberos database the following principal:
> "http://localhost:8080/axis/services/test" .
> (It's in a url format instead of being in the format:
> service/host@REALM.)

Even if you could add this, the use of localhost is relative to the
local host and is not unique. Principals normally have service/FQDN@realm.

What you should be using is HTTP/your.full.host.name

> So, the thing is that I would like to acquire a service ticket for that
> principal.
> To request a service ticket I am using gss api and follow the next
> steps:
> 
> class KrbClient{
> main(){
> ....
> //I have acquired the credentials from the ticket cache
> ...
> PrincipalName serviceName = new
> PrincipalName("http://localhost:8080/axis/services/test");
> 
> // create the tgs_req to ask for service tickets
> sun.security.krb5.KrbTgsReq tgs_req = new
> sun.security.krb5.KrbTgsReq(credentials, serviceName);
> 
> tgs_req.send();
> 
> // get tgs_rep
> KrbTgsRep tgs_rep = tgs_req.getReply();
> }
> }
> 
> and it gets the following error:
> 
> KrbException: Server not found in Kerberos database (7)
> 	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:67)
> 	at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:235)
> 	at KrbClient.requestServiceTicket(KrbClient.java:142)
> 	at KrbClient.main(KrbClient.java:39)
> Caused by: KrbException: Identifier doesn't match expected value (906)
> 	at sun.security.krb5.internal.KDCRep.init(KDCRep.java:134)
> 	at sun.security.krb5.internal.TGSRep.init(TGSRep.java:59)
> 	at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:54)
> 	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:50)
> 	... 3 more
> 
> From the debugging of gss api:
> 
> >>>KRBError:
> 
> 	 sTime is Mon May 22 19:07:26 EEST 2006 1148314046000
> 	 suSec is 722233
> 	 error code is 7
> 	 error Message is Server not found in Kerberos database
> 	 crealm is GRID.ORG
> 	 cname is vpouli
> 	 realm is GRID.ORG
> 	 sname is http://localhost:8080/axis/services/test
> 
> From the kdc log file:
> 2006-05-22T19:40:59 TGS-REQ vpouli@GRID.ORG from IPv4:147.102.183.137
> for http:/\/localhost:8080/axis/services/test@GRID.ORG
> 2006-05-22T19:40:59 Server not found in database:
> http:/\/localhost:8080/axis/services/test@GRID.ORG: No such entry in
> the database
> 2006-05-22T19:40:59 sending 155 bytes to IPv4:147.102.183.137
> 
> What I see, is that when I request a ticket for a service principal
> which contains "//" (like in http://localhost....) it puts an escape
> character '\' between '//'  and tries to find "http:/\/localhost..."
> instead of "http://localhost....".
> 
> Is there something I can do about it?
> 
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

0
deengert (574)
5/23/2006 1:54:49 PM

I didn't put "localhost", I put my.full.host.name. I just put
'localhost' here for showing an example. I didn't want to stand on
that, I just wanted to ask if there is a way to ask for a service
ticket when the service contains '//' like in http://fqdn/service.

0
vpouli (6)
5/23/2006 10:19:27 PM

>>>>> "vpouli" == vpouli  <vpouli@gmail.com> writes:

    vpouli> I didn't put "localhost", I put my.full.host.name. I just put
    vpouli> 'localhost' here for showing an example. I didn't want to
    vpouli> stand on that, I just wanted to ask if there is a way to ask
    vpouli> for a service ticket when the service contains '//' like in
    vpouli> http://fqdn/service.

You completely misunderstand how this all works.  That is a URL.  From the
URL, the Kerberos client constructs a principal name for the HTTP service
on the named host (which cannot be "localhost").  That principal is of the
form: HTTP/<fqdn of server>@<REALM of server>

-- 
  Richard Silverman
  res@qoxp.net

0
res49 (1410)
5/23/2006 10:56:23 PM
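
Added example, not part of any post in this thread and not code from any Kerberos implementation: a Java program that splits a textual name into components using the '/' separator and '\' quoting rules, and derives HTTP/<fqdn>@<REALM> from a URL as the replies describe. The class and method names are hypothetical; the host my.full.host.name and realm GRID.ORG are the ones used in the thread, and rejecting host names without a dot is a simplifying assumption.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

public class ServicePrincipalFromUrl {

    /**
     * Split the name part of a textual Kerberos principal into components.
     * '/' separates components, '@' starts the realm, and '\' quotes the
     * character that follows it.
     */
    static List<String> components(String principal) {
        List<String> parts = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        for (int i = 0; i < principal.length(); i++) {
            char c = principal.charAt(i);
            if (c == '\\' && i + 1 < principal.length()) {
                cur.append(principal.charAt(++i)); // quoted character, taken literally
            } else if (c == '/') {
                parts.add(cur.toString());         // end of one component
                cur.setLength(0);
            } else if (c == '@') {
                break;                             // realm follows; not a component
            } else {
                cur.append(c);
            }
        }
        parts.add(cur.toString());
        return parts;
    }

    /**
     * Build HTTP/<fqdn>@<REALM> from a service URL. Scheme, port and path
     * are not part of the principal name; only the host is used.
     */
    static String principalFor(String url, String realm) {
        String host = URI.create(url).getHost();
        if (host == null) {
            throw new IllegalArgumentException("URL has no host: " + url);
        }
        host = host.toLowerCase(Locale.ROOT);
        // Assumption for this example: a name without a dot is not fully qualified.
        if (host.equals("localhost") || !host.contains(".")) {
            throw new IllegalArgumentException(
                "need a fully qualified host name, got: " + host);
        }
        return "HTTP/" + host + "@" + realm;
    }

    static void show(String label, String name) {
        List<String> parts = components(name);
        System.out.println(label + ": " + parts.size() + " components " + parts);
    }

    public static void main(String[] args) {
        String realm = "GRID.ORG"; // realm shown in the thread's KRBError output

        // The URL used as if it were a principal name (from the original post).
        show("URL as principal", "http://localhost:8080/axis/services/test");

        // The name exactly as the KDC log in the original post printed it.
        show("name in KDC log",
             "http:/\\/localhost:8080/axis/services/test@GRID.ORG");

        // The form the replies recommend, derived from the service URL.
        String good = principalFor(
            "http://my.full.host.name:8080/axis/services/test", realm);
        show("derived principal", good);
        System.out.println("request a ticket for: " + good);

        // "localhost" is rejected because it does not name one unique host.
        try {
            principalFor("http://localhost:8080/axis/services/test", realm);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The derived principal still has to exist in the KDC database, with its key in the keytab of the web server, before a TGS request for it can succeed.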
Reply:

Similar Artilces:

newbie: error getting credentials: Server not found in Kerberos database
Hi! I never found the time to deal intensively with kerberos so please indulge me if this is ought to be a stupid question: kinit works. krsh does not: krsh server error getting credentials: Server not found in Kerberos database trying normal rlogin (/usr/bin/rlogin) So, this is what I did so far: server: /etc/krb5.conf: [libdefaults] default_realm = LOCALDOMAIN [realms] LOCALDOMAIN = { kdc = server.localdomain:88 admin_server = server.localdomain:750 } [domain_realm] .localdomain = LOCALDOMAIN localdomain = LOCALDOMAIN [logging] kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmin.log default = FILE:/var/log/krb5lib.log /etc/hosts: 127.0.0.1 localhost 192.168.0.2 server server.localdomain real hostname is actually *not* "server"! kadmin.local: addprinc foo client: /etc/krb5.conf [libdefaults] ticket_lifetime = 600 default_realm = LOCALDOMAIN default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc [realms] LOCALDOMAIN = { kdc = server.localdomain:88 admin_server = server.localdomain:750 } [domain_realm] .localdomain = LOCALDOMAIN localdomain = LOCALDOMAIN [kdc] profile = /etc/krb5kdc/kdc.conf [logging] kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmin.log default = FI...

AD Server returning server not found kerberos database
Hi all, I am using MIT Kerberos to mutually authenticate with other user (Kerberos Server: AD Server), It is working fine with my newly installed active directory .But when I try to work with my Company AD Server to get service ticket for particular user I am getting "Server not found in Kerberos Database", But that user is there in AD . any option can change to get it work . I want to to know which option in ad makes mutual authentication between user and user makes fail. Do I need to use setspn to add service principle?? Please help me Regards, Eswar S **************************************************************************** *********** This e-mail and attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient's) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it! ...

Server not found in Kerberos database #2
Hi, I'm a Java developer and new to Kerberos. We have a Java application that needs to be authenticated against Kerberos Active Directory. For testing purpose, we have Active Directory installed on a Win 2k server. Then, the Kerberos was turned on by a co-worker, who doesn't know much about Kerberos either. Without any manual about Active Directory, he did that based on his best judgement. Here are the basic setting information: (01) The Win2k server has FQDN: devtest.mycompany.com. (02) C:\WINNT\krb5.ini file looks like: [libdefaults] default_realm = DEVTEST.COM [realms] DEVTEST.COM = { kdc = <IP address of the Win2k server> } (03) The AD is listening on port 389 (default for LDAP server), and KDC listens on port 88. When a user logs in with Java code, apparently the user can log in successfully and get ticket from Kerberos AD. However, whenever the code tries to instantiate InitialDirContext (an Object in Java that would capture the environment context), an error would be thrown claiming that "Server not found in Kerberos database". I can't find problem in the Java code and suspect the error may be related with our Kerberos setting. I wonder what exactly the error message means in Kerberos arena. How can I verify that the Kerberos is correctly set? Also, you may notice that the Kerberos realm (DEVTEST.COM) is not the same as the machine's FQDN (devtest.mycompany.com). I wonder if that makes any difference. Our code-...

Server not found in Kerberos database #3
This is a multi-part message in MIME format. --------------010801060200000807020407 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit hello list, we want to use kerberos for authentication and to secure connections for telnet sessions. so i installed kerberos v5 for the debian system via apt-get and did the configuration. attached are the configs for this system. kinit works for a user, but the start of a telnet session is refused with the message "Authentication failed". i used the command "kinit stefan" and "telnet.krb5 -a -F vxr-r.imos.net." "vxr-r.imos.net" is the cisco router i want to connect to. when i look into the logs i see the following messages: Nov 11 09:49:28 alpha krb5kdc[8745](info): AS_REQ (1 etypes {1}) 192.168.3.3(16417): NEEDED_PREAUTH: stefan@IMOS.NET for krbtgt/IMOS.NET@IMOS.NET, Additional pre-authentication required Nov 11 09:49:30 alpha krb5kdc[8745](info): AS_REQ (1 etypes {1}) 192.168.3.3(16417): ISSUE: authtime 1100162970, etypes {rep=1 tkt=16 ses=1}, stefan@IMOS.NET for krbtgt/IMOS.NET@IMOS.NET Nov 11 09:49:33 alpha krb5kdc[8745](info): TGS_REQ (1 etypes {1}) 192.168.3.3(16417): UNKNOWN_SERVER: authtime 1100162970, stefan@IMOS.NET for host/vxr-r.imos.net@IMOS.NET, Server not found in Kerberos database Nov 11 09:49:33 alpha krb5kdc[8745](info): TGS_REQ (1 etypes {1}) 192.168.3.3(16417): UNKNOWN_SERVER: authtime 1100162970, stefan@IMOS.NET for host/vxr...

Error: Server not found in Kerberos database
Hello, I want to enable someone the access to my account by using the .k5login file. I did all necessary things and immediatly started off by trying: shell% ksu toka Nevertheless I wasn't able to get toka's ID but /home/toka contains the ..k5login file with my principal. Furthermore there's the following error message: ksu: Server not found in Kerberos database while geting credentials from kdc Authentication failed. ^ typo in krb5 I looked for solutions on google and discovered the url http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/kerberos/ troubleshooting.html#misc_2 which describes the issue. My /etc/hosts file is fully qualified (including its entries) and the hostnames are correctly mapped to the IPs and vice versa. So where could the source of failure be located? Thanks in advance - Marcel Karras ------------------------------------------------------------------------ Contact: toka@freebits.de karma@informatik.tu-chemnitz.de http://www.freebits.de http://www.tu-chemnitz.de Unix, Linux && OpenSource Student of Chemnitz University of Technology ------------------------------------------------------------------------ ...

Server not found in Kerberos Database #4
Hi all, When do we get the error as "Server not found in Kerberos Database"? I have a KDC on Win2003 and a client which is a Linux (redhat) is trying to authenticate the users from this Active directory, which is on the win 2003 machine. I observed that in case we specify the wrong user name (which does not exist on the AD server) at the time of kinit command on Linux machine we get the error as "Client not found in Kerberos database". What is this server which is not found when I am trying to join the redhat client machine to the AD server? Thanks in advance for all the help Regards, Sayali --------------------------------- All new Yahoo! Mail "The new Interface is stunning in its simplicity and ease of use." - PC Magazine ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos > Hi all, > When do we get the error as "Server not found in Kerberos Database"? > I have a KDC on Win2003 and a client which is a Linux (redhat) is trying to authenticate the users from this Active directory, which is on the win 2003 machine. > I observed that in case we specify the wrong user name (which does not exist on the AD server) at the time of kinit command on Linux machine we get the error as "Client not found in Kerberos database". > What is this server which is not found when I am trying to j...

UNKNOWN_SERVER
As always with things like this, it's hard to determine whether to send this here or to openafs-info. Can anyone tell me what is going on here? This is what krb5kdc logged when I logged into 129.83.11.213. -- sshd + UsePAM -- pam_krb5.so (RHELv4) -- pam_afs_session.so (PAM session module which uses aklog to get tokens from a K5 ticket). Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1 etypes {3}) 129.83.11.213: UNKNOWN_SERVER: authtime 1176929167, jblaine@rcf.foo.com for afs/rcf.foo.com@rcf.foo.com, Server not found in Kerberos database Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1 etypes {1}) 129.83.11.213: UNKNOWN_SERVER: authtime 1176929167, jblaine@rcf.foo.com for afs/rcf.foo.com@rcf.foo.com, Server not found in Kerberos database Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1 etypes {1}) 129.83.11.213: ISSUE: authtime 1176929167, etypes {rep=16 tkt=1 ses=1}, jblaine@rcf.foo.com for afs@rcf.foo.com ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos Jeff Blaine <jblaine@kickflop.net> writes: > Can anyone tell me what is going on here? This is what > krb5kdc logged when I logged into 129.83.11.213. > -- sshd + UsePAM > -- pam_krb5.so (RHELv4) > -- pam_afs_session.so (PAM session module which uses aklog to > get tokens from a K5 ticket). > Apr 18 16:46:07 silmaril.foo.com kr...

Server not found in Kerberos database error on ldapsearch
Good afternoon! I have the following problem: I need to connect securely to a AD and search it via ldapsearch. When I try to do so the "Server not found in Kerberos database" error appears. I'm not quite sure, why. I have extracted a keytab of the AD and kinit seems to work fine for the same user as I want to use with ldapsearch. The hosts-files are set up correctly (a ping on DNS-names looks fine). There is nothing that indicates an error in the AD-logs (only successful logons). Could anyone give me a hint, why I get this reaction? -- View this message in context: http://www.nabble.com/Server-not-found-in-Kerberos-database-error-on-ldapsearch-tf4777894.html#a13667697 Sent from the Kerberos - General mailing list archive at Nabble.com. ...

RE: Server not found in Kerberos database error on ldapsearch
> You should not need these. Ok. > Some things to try: > > Wireshare or other trace program to see DNS and Kerberos requests. > This should show name of the "Server not found in Kerberos database" I captured the request dialog with wireshark and got this (the things I think are important): MSG Type: KRB-ERROR Error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7) Realm: EXAMPLE.COM Server Name (Unknown): krbtgt/COM Name-type: Unknown (0) Name: krbtgt Name: COM I guess that indicates an error in my krbtgt setup. But where should I search for it and what does the right setup look like? > On the unix side, do you have a /etc/krb5.conf or /etc/krb5.conf? > Is the default realm (in uppercase) the same as the AD domain name? > if not, you may need a krb5.conf, or the -R option on ldapsearch. Yes, I do have a krb5.conf on the unix side. Here it is: [libdefaults] default_realm=EXAMPLE.COM dns_lookup_realm = false dns_lookup_kdc = false # default_tkt_enctypes = des-cbc-md5 des-cbc-crc # default_tgs_enctypes = des-cbc-md5 des-cbc-crc kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true # v4_instance_resolve = false # v4_name_convert = { [realms] EXAMPLE.COM = { kdc = 192.168.10.4:88 admin_server = 192.168.10.4:749 } [domain_realm] .example.com = EXAMPLE.COM As you can see, it is a setup for some tests... ----------------- ...

Newbie: "Server not found in Kerberos database"
I am still in 'toy installation mode'. I have set up a KDC on a Linux machine, call it kervara.mygroup.org I have successfully set things up to the point that I can kinit from various clients. I have also set up OpenSSH 3.9p1 to use GSSAPI authentication. When I am logged into kervara, and have a valid TGT from this realm, I can successfully ssh into kervara.mygroup.org without a password; the keytab contains entries for the host/kervara.mygroup.org principal. This is the way things are supposed to work. Life is good. The problem comes when I attempt to do the same thing with the same version of OpenSSH built with the same options on a Solaris machine. In that case, the server logs a "Server not found in Kerberos database" message and gives up. I have looked at all the obvious candidates (wrong DNS entry, disagreement as to host name in /etc/hosts and DNS, etc) and come up empty. Unfortunately, the log messages do not tell me _what_ principal it was trying to find in krb5.keytab (I assume that this is where the mismatch or missing entry is). Is there a way to squeeze more diagnostic information? Or does this sound like a familiar problem? In article <d17eap$ejf$1@panix5.panix.com>, urban@panix.com (Michael Urban) wrote: .... > The problem comes when I attempt to do the same thing with the same > version of OpenSSH built with the same options on a Solaris machine. > In that case, the server logs a "Server not found in Kerberos ...

RE: Server not found in Kerberos database error on ldapsearch #2
I don't know, if I got you right (I'm not quite good in networks and especially AD; thats a new thing for me, so I'm a noob) So I just ask again: Douglas E. Engert wrote > > I captured the request dialog with wireshark and got this > (the things I think > > are important): > > > > MSG Type: KRB-ERROR > > Error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7) > > Realm: EXAMPLE.COM > > Server Name (Unknown): krbtgt/COM > > Name-type: Unknown (0) > > Name: krbtgt > > Name: COM > > This looks like cross realm, where the client is working its > way up the realm > tree to get the the realm of the server, say AD.DOMAIN.COM. > Client is using TGT > from EXAMPLE.COM to get TGT for realm COM (which does not > exist) If it did, it > would then try and get a TGT from COM for DOMAIN.COM, then > get one from > AD.DOMAIN.COM and the get service ticket from AD.DOMAIN.COM. > > I thought you where trying to use Active Directory, and the > domain name > was something like ad.domain.com. So why does you unix system have > a realm named EXAMPLE.COM? Have you setup cross realm trust > between them? > > If you are not using cross-real, then you should be using the > AD domain name as > the realm name. It should have a realm named AD.DOMAIN.COM. > Either the user and server must be in the same realm, or you > need cross realm > trust. The domai...

RE: Server not found in Kerberos database error on ldapsearch #3
Ok, I got it now! I set up the AD server to run as ad.example.com and replaced the ip's in my krb5.conf with dns names and now it works! Thank you very much for your help. Still, if you have any howto on this topic (AD and UNIX), I would apreciate if you could send me a link to it. Evgeniy Zhaovsky (aka Jeck) ----------------- Evgeniy Zharovsky Ludwig-Maximilians-Universitaet Ref. IIIA5 (Sicherheitstechnik und Verzeichnisdienste) Martiusstr. 4 / 207 80539 Muenchen email mailto:evgeniy.zharovsky@verwaltung.uni-muenchen.de ...

Subject: Help needed on "Server not found in Kerberos Database" while using "mod_auth_kerb+Apache"
Hi, My Kerberos Setup is as follows- Kerberos v5 Server- example.domain.com (Linux Box) Kerberos Realm- EXAMPLE.COM Registered User on Kerberos realm- test@EXAMPLE.COM Apache Server(with mod_auth_kerb) can be accessed as: http://apache.domain.com (Linux Box) Now I have added a principal name- HTTP/apache.domain.com@EXAMPLE.COM using the addprinc command. I have generated a keytab file for this principal (using ktadd) and then transferred it to the Apache Server(apache.domain.com). I have pointed to this keytab file in ..htaccess file. Now when I try to access APACHE.DOMAIN.COM:80 through a browser(IE) running on my desktop say CLIENT1.DOMAIN.COM, and give the proper user credentials...it doesnt authenticate. When I look this up in the Kerberos log file (krb5kdc.log) it gives the following messages...for the event- Jul 08 18:52:34 example.domain.com krb5kdc[9797](info): AS_REQ (6 etypes {18 16 23 1 3 2}) 192.168.200.27: ISSUE: authtime 1089292954, etypes {rep=16 tkt=16 ses=16}, test@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM Jul 08 18:52:34 example.domain.com krb5kdc[9797](info): TGS_REQ (6 etypes {18 16 23 1 3 2}) 192.168.200.27: UNKNOWN_SERVER: authtime 1089292954, test@EXAMPLE.COM for krbtgt/REALM1.COM@EXAMPLE.COM, Server not found in Kerberos database Jul 08 18:52:34 example.domain.com krb5kdc[9797](info): TGS_REQ (6 etypes {18 16 23 1 3 2}) 192.168.200.27: UNKNOWN_SERVER: authtime 1089292954, test@EXAMPLE.COM for krbtgt/COM@EXAMPLE.COM, Server not found i...

Kerberos Decrypted
http://www.digg.com/security/Kerberos_Decrypted ...

Kerberos Decrypted
http://www.digg.com/security/Kerberos_Decrypted ...

Client not found in Kerberos database while...
Hi My overall project is to get a Debian Sarge mail/samba-server to connect with a Windows server 2003, but i'm having problem with the kerberos/LPAD connection. I started uot with this guide: http://www.enterprisenetworkingplanet.com/netos/article.php/3487081 And i got all the components (Have_KRB5_H and etc.), but no connection.. If i test the conn with: kinit administrator@DOM.NET kinit(v5): Client not found in Kerberos database while getting initial credentials And if i test with: kinit administrator@dom.net kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials So in general I'm having trouble defining what is what and what to install. When typing my "Kerberos server" in the conf i put in the windows-server, but should that be the linuxserver? And have much should i install on the linuxserver to make it into a "kerberos server". I already got these. libpam-krb5 krb5-user krb5-doc krb5-config krb5-kdc libkrb53 ----- krb5.conf ----------- [libdefaults] default_realm = DOM.NET [realms] DOM.NET = { kdc = WINDOWSSERVER.DOM.NET } [domain_realms] .kerberos.server = DOM.NET Hope anyone can guide me through this... /Lars ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

Kerberos service ticket size
Hi, I am trying to send a kerberos service ticket in a HL7 v2.3.1 and I need to mkae the ticket smaller so it can fit in 199 characters (base64 encoding), is it possible to get a ticket that size? I tried using different Encryption Types but I did not obtain a small enough ticket. Thank you in advance, Cosmin ...

Problem in get ticket from Kerberos
Hello I have problem for get tickets from kerberos in my Centos 5.2, when I type this command /usr/local/kerberos/bin/kinit admin@LABCOM.UNASP Show this message kinit(v5): Cannot resolve network address for KDC in realm LABCOM.UNASP while getting initial credentials I don=B4t understand why this message !!! My DNS is work , I can resolve th= e domain (LABCOM.UNASP) nslookup labcom.unasp Server: 192.168.4.66 Address: 192.168.4.66#53 Name: labcom.unasp Address: 192.168.4.2 My DNS server is on Windows 2003 Server , this command kinit was tested fro= m the server Linux with Centos 5.2 using version keberos 1.6 of MIT , follow = I paste kr5b.conf [libdefaults] # determines your default realm name default_realm =3D LABCOM.UNASP default_tgs_enctypes =3D des3-hmac-sha1 des-cbc-crc des-cbc-md5 default_tkt_enctypes =3D des3-hmac-sha1 des-cbc-crc des-cbc-md5 permitted_enctypes =3D des3-hmac-sha1 des-cbc-crc des-cbc-md5 kdc_timesync =3D 1 ccache_type =3D 4 forwardable =3D true proxiable =3D true [realms] LABCOM.UNASP =3D { # specifies where the servers are and on # which ports they listen (88 and 749 are # the standard ports) kdc =3D kdc.AmbLivre:88 admin_server =3D kdc.AmbLivre:749 default_domain =3D labcom.unasp } [domain_realm] # maps your DNS domain name to your Kerberos # realm name .labcom.unasp =3D LABCOM.UNASP labcom. =3D LABCOM.UNASP [kdc] p...

Kerberos service ticket issue!!!
Hello everybody, We are in the process of implementing Kerberos Authentication (Single Sign On) using JAAS. We've been facing a problem to which we (and everybody we've approached so far :) ) have no solution since many weeks. We're trying to get the service ticket from the KDC but unable to. (NOTE - The client and the service are in different realms.) Java throws the following exception: GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds) When we monitor the packets, we observed the below errors: KRB_ERR_RESPONSE_TOO_BIG KDC_ERR_WRONG_REALM We have tried setting the Registry value as mentioned in the other posts, but to no avail. Any solution please? It would be gratefully appreciated !! Priya B wrote: > Hello everybody, > > We are in the process of implementing Kerberos Authentication (Single > Sign On) using JAAS. We've been facing a problem to which we (and > everybody we've approached so far :) ) have no solution since many > weeks. What version of Java? > > We're trying to get the service ticket from the KDC but unable to. > (NOTE - The client and the service are in different realms.) Do you have cross realm setup between the two realms? Do you have the krb5.conf on the client setup for cross realm? > > Java throws the following exception: > GSSException: No valid credentials provided (Mechanism level: Fail to > create credential. ...

Client not found in Kerberos database
I get this from typing 'kadmin' on the commandline of the KDC server itself. I have my own account on there which I can log into from gkadmin. Client not found in Kerberos database while initializing kadmin interface Regards, Jason. -------------------------- Jason Oakley +612 82821434 Open and Intel Systems Systems Administrator http://www.eds.com Add a dab of lavender to milk Leave town with an orange and pretend you are laughing at it ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos What did you try ? I think this is a RTFM question. On Wed, 2004-01-14 at 05:20, Jason Oakley wrote: > I get this from typing 'kadmin' on the commandline of the KDC server itself. > I have my own account on there which I can log into from gkadmin. > > > Client not found in Kerberos database while initializing kadmin interface > > > > Regards, > > Jason. > > -------------------------- > Jason Oakley +612 82821434 > Open and Intel Systems > Systems Administrator > http://www.eds.com > > Add a dab of lavender to milk > Leave town with an orange > and pretend you are laughing at it > > > ________________________________________________ > Kerberos mailing list Kerberos@mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > -- ...

Microsoft SSPI error
Hello, I have configuration of active directory 2003 r2 sp3 working with linux mod_auth_kerb. I use SPNEGO for subversion. When using Linux all work great! When using Windows XP(and Windows 7) Firefox/IE/cifs client work great. Problem is subversion which uses neon, it get the following: --- Running post_send hooks ah_post_send (#1), code is 201 (want 401), WWW-Authenticate is Negotiate oYGfMIG coAMKAQChCwYJKoZIhvcSAQICooGHBIGEYIGBBgkqhkiG9xIBAgICAG9yMHCgAwIBBaEDAgEPomQwYqA DAgEXolsEWTLvPLmZvxBgaMEmPDDTIeG9bdJ5rmfTEtsj6Cv9eF9s9Z8sBWhVhPXYzIVsm/sw0hqR+1u DM9frpOeV2Y0YGtDk2flN5iOM/HdEujj0GXAYEWHvPp/3kSc2 auth: SSPI challenge. InitializeSecurityContext [fail] [80090304]. sspi: initializeSecurityContext [failed] [80090304]. --- At windows event log I see the following: --- Event Type: Warning Event Source: LSASRV Event Category: SPNEGO (Negotiator) Event ID: 40962 Date: 10/3/2011 Time: 3:55:38 PM User: N/A Computer: VALON Description: The Security System was unable to authenticate to the server HTTP/correlux-gentoo.correlsense.com because the server has completed the authentication, but the client authentication protocol Kerberos has not. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. --- Had anyone seen this before? I tried many configurations, but without success: --- Gentoo --- dev-libs/openssl-1.0.0e -> also downgraded to openssl-0.9.8f www-servers/apache-2.2.21 www-apache/mod_auth_kerb-5.4 -> also downgraded to m...

Client not found in Kerberos database #3
Hi, I have an Intel xseve 10.4.9 server bound to AD and also have OD configured on the same server for Mac management. Other services running are AFP and WINDOWS. I will also be using the same server as a file server for both Mac and Windows. Below are my issues. When the WINDOWS service starts on our Intel Xserve with 10.4.9 installed I receive the below error message. I have tested single sign on "SSO" from Mac and Windows systems and everything seems to work, but am concerned that this error may cause an issue at a later date. I also have an issue with windows users suddenly not being able to connect to a share on the Intel Xserve via SMB which is strange as the same user on a Mac could still connect via AFP or SMB a restart of the WINDOWS service seems to clear this problem, not sure if this is related to the below error but it's a real issue and seems to be very random. When this happen I seem to receive "broken pipe" errors in the "smbd.conf" log. I checked the "secrets.tdb" and found that this did not have the "\00" on the end of the "SECRETS/MACHINE_PASSWORD/", so I ran the script at "afp548" site under forum "10.4.8 Intel - AD, Samba kerberos machine password" which added the "\00". The strange thing is that all seemed to still work even thought the "secrets.tdb" was not correct, perhaps this could be the cause of the SMB dropouts? Below is from the SMBD.LOG...

Client not found in Kerberos database #4
Hi folks,

My site uses Debian squeeze for both workstations and servers, with MIT Kerberos 1.8.3 for authentication. Although there are generally no complaints, from time to time users say that the workstations do not accept their passwords on the first attempt, even when they anticipate the issue and make a conscious effort not to make any mistakes.

Upon examination of the KDC logs, I find some evidence to support their claims. The most obvious is this error:

CLIENT_NOT_FOUND: jsmith@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database

In most cases the login name is not spelled correctly, or there is nothing like it in the database at all, but in others there is nothing wrong. Yet this error occurs anyway. Does anyone have an explanation for this phenomenon?

Thanks,
Jaap ...

