AD Server returning server not found kerberos database
Hi all,
I am using MIT Kerberos to mutually authenticate with other user
(Kerberos Server: AD Server).
It is working fine with my newly installed Active Directory. But
when I try to work with my company AD
server to get service ticket for particular user I am getting "Server not
found in Kerberos Database",
but that user is there in AD. Any option can change to get it work?
I want to know which option in AD makes mutual authentication between
user and user fail.
Do I need to use setspn to add service principal?
Please help me
Regards,
Eswar S
...
Server not found in Kerberos database #3
hello list,
we want to use kerberos for authentication and to secure connections for
telnet sessions.
so i installed kerberos v5 for the debian system via apt-get and did the
configuration.
attached are the configs for this system.
kinit works for a user, but the start of a telnet session is refused
with the message
"Authentication failed". i used the command "kinit stefan" and
"telnet.krb5 -a -F vxr-r.imos.net."
"vxr-r.imos.net" is the cisco router i want to connect to.
when i look into the logs i see the following messages:
Nov 11 09:49:28 alpha krb5kdc[8745](info): AS_REQ (1 etypes {1})
192.168.3.3(16417): NEEDED_PREAUTH: stefan@IMOS.NET for
krbtgt/IMOS.NET@IMOS.NET, Additional pre-authentication required
Nov 11 09:49:30 alpha krb5kdc[8745](info): AS_REQ (1 etypes {1})
192.168.3.3(16417): ISSUE: authtime 1100162970, etypes {rep=1 tkt=16
ses=1}, stefan@IMOS.NET for krbtgt/IMOS.NET@IMOS.NET
Nov 11 09:49:33 alpha krb5kdc[8745](info): TGS_REQ (1 etypes {1})
192.168.3.3(16417): UNKNOWN_SERVER: authtime 1100162970,
stefan@IMOS.NET for host/vxr-r.imos.net@IMOS.NET, Server not found in
Kerberos database
Nov 11 09:49:33 alpha krb5kdc[8745](info): TGS_REQ (1 etypes {1})
192.168.3.3(16417): UNKNOWN_SERVER: authtime 1100162970,
stefan@IMOS.NET for host/vxr...
Client not found in Kerberos database #4
Hi folks,
My site uses Debian squeeze for both workstations and servers with MIT
Kerberos 1.8.3 for authentication. Although there are generally no
complaints, from time to time users say that the workstations do not
accept their passwords on the first attempt, even when they anticipate
the issue and made a conscious effort to not make any mistakes. Upon
examination of the KDC logs, I find some evidence to support their
claims. The most obvious is this error:
CLIENT_NOT_FOUND: jsmith@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM,
Client not found in Kerberos database
In most cases the login name is not spelled correctly, or there is
nothing like it in the database at all, but in others there is nothing
wrong. Yet, this error occurs anyway.
Does anyone have an explanation for this phenomenon?
Thanks,
Jaap
...
UNKNOWN_SERVER
As always with things like this, it's hard to determine
whether to send this here or to openafs-info.
Can anyone tell me what is going on here? This is what
krb5kdc logged when I logged into 129.83.11.213.
-- sshd + UsePAM
-- pam_krb5.so (RHELv4)
-- pam_afs_session.so (PAM session module which uses aklog to
get tokens from a K5 ticket).
Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
etypes {3}) 129.83.11.213: UNKNOWN_SERVER: authtime 1176929167,
jblaine@rcf.foo.com for afs/rcf.foo.com@rcf.foo.com, Server not
found in Kerberos database
Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
etypes {1}) 129.83.11.213: UNKNOWN_SERVER: authtime 1176929167,
jblaine@rcf.foo.com for afs/rcf.foo.com@rcf.foo.com, Server not
found in Kerberos database
Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
etypes {1}) 129.83.11.213: ISSUE: authtime 1176929167, etypes {rep=16
tkt=1 ses=1}, jblaine@rcf.foo.com for afs@rcf.foo.com
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
Jeff Blaine <jblaine@kickflop.net> writes:
> Can anyone tell me what is going on here? This is what
> krb5kdc logged when I logged into 129.83.11.213.
> -- sshd + UsePAM
> -- pam_krb5.so (RHELv4)
> -- pam_afs_session.so (PAM session module which uses aklog to
> get tokens from a K5 ticket).
> Apr 18 16:46:07 silmaril.foo.com kr...
Server not found in Kerberos database #2
Hi,
I'm a Java developer and new to Kerberos. We have a Java application that needs to be
authenticated against Kerberos Active Directory. For testing purpose, we have Active Directory
installed on a Win 2k server. Then, the Kerberos was turned on by a co-worker, who doesn't know
much about Kerberos either. Without any manual about Active Directory, he did that based on his
best judgement. Here are the basic setting information:
(01) The Win2k server has FQDN: devtest.mycompany.com.
(02) C:\WINNT\krb5.ini file looks like:
[libdefaults]
default_realm = DEVTEST.COM
[realms]
DEVTEST.COM = {
kdc = <IP address of the Win2k server>
}
(03) The AD is listening on port 389 (default for LDAP server), and KDC listens on port 88.
When a user logs in with Java code, apparently the user can log in successfully and get ticket
from Kerberos AD. However, whenever the code tries to instantiate InitialDirContext (an Object in
Java that would capture the environment context), an error would be thrown claiming that "Server
not found in Kerberos database".
I can't find problem in the Java code and suspect the error may be related with our Kerberos
setting. I wonder what exactly the error message means in Kerberos arena. How can I verify that
the Kerberos is correctly set?
Also, you may notice that the Kerberos realm (DEVTEST.COM) is not the same as the machine's FQDN
(devtest.mycompany.com). I wonder if that makes any difference.
Our code-...
Error: Server not found in Kerberos database
Hello,
I want to enable someone the access to my account by using the .k5login
file. I did all necessary things and immediately started off by trying:
shell% ksu toka
Nevertheless I wasn't able to get toka's ID but /home/toka contains the
.k5login file with my principal. Furthermore there's the following error
message:
ksu: Server not found in Kerberos database while geting credentials from
kdc Authentication failed.
^ typo in krb5
I looked for solutions on google and discovered the url
http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/kerberos/troubleshooting.html#misc_2
which describes the issue. My /etc/hosts
file is fully qualified (including its entries) and the hostnames are
correctly mapped to the IPs and vice versa. So where could the source
of failure be located?
Thanks in advance
- Marcel Karras
------------------------------------------------------------------------
Contact: toka@freebits.de karma@informatik.tu-chemnitz.de
http://www.freebits.de http://www.tu-chemnitz.de
Unix, Linux && OpenSource Student of Chemnitz University of Technology
------------------------------------------------------------------------
...
Server not found in Kerberos database error on ldapsearch
Good afternoon!
I have the following problem: I need to connect securely to an AD and search
it via ldapsearch. When I try to do so the "Server not found in Kerberos
database" error appears. I'm not quite sure why. I have extracted a keytab
of the AD and kinit seems to work fine for the same user as I want to use
with ldapsearch. The hosts-files are set up correctly (a ping on DNS-names
looks fine). There is nothing that indicates an error in the AD-logs (only
successful logons). Could anyone give me a hint, why I get this reaction?
--
View this message in context: http://www.nabble.com/Server-not-found-in-Kerberos-database-error-on-ldapsearch-tf4777894.html#a13667697
Sent from the Kerberos - General mailing list archive at Nabble.com.
...
RE: Server not found in Kerberos database error on ldapsearch
> You should not need these.
Ok.
> Some things to try:
>
> Wireshark or other trace program to see DNS and Kerberos requests.
> This should show name of the "Server not found in Kerberos database"
I captured the request dialog with wireshark and got this (the things I think
are important):
MSG Type: KRB-ERROR
Error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
Realm: EXAMPLE.COM
Server Name (Unknown): krbtgt/COM
Name-type: Unknown (0)
Name: krbtgt
Name: COM
I guess that indicates an error in my krbtgt setup. But where should I search
for it and what does the right setup look like?
> On the unix side, do you have a /etc/krb5.conf or /etc/krb5.conf?
> Is the default realm (in uppercase) the same as the AD domain name?
> if not, you may need a krb5.conf, or the -R option on ldapsearch.
Yes, I do have a krb5.conf on the unix side. Here it is:
[libdefaults]
default_realm=EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
# default_tkt_enctypes = des-cbc-md5 des-cbc-crc
# default_tgs_enctypes = des-cbc-md5 des-cbc-crc
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# v4_instance_resolve = false
# v4_name_convert = {
[realms]
EXAMPLE.COM = {
kdc = 192.168.10.4:88
admin_server = 192.168.10.4:749
}
[domain_realm]
.example.com = EXAMPLE.COM
As you can see, it is a setup for some tests...
-----------------
...
Newbie: "Server not found in Kerberos database"
I am still in 'toy installation mode'. I have set up a KDC
on a Linux machine, call it kervara.mygroup.org. I have successfully
set things up to the point that I can kinit from various clients.
I have also set up OpenSSH 3.9p1 to use GSSAPI authentication.
When I am logged into kervara, and have a valid TGT from this
realm, I can successfully ssh into kervara.mygroup.org without
a password; the keytab contains entries for the host/kervara.mygroup.org
principal. This is the way things are supposed to work. Life is good.
The problem comes when I attempt to do the same thing with the same
version of OpenSSH built with the same options on a Solaris machine.
In that case, the server logs a "Server not found in Kerberos database"
message and gives up. I have looked at all the obvious candidates
(wrong DNS entry, disagreement as to host name in /etc/hosts and
DNS, etc) and come up empty.
Unfortunately, the log messages do not tell me _what_ principal it
was trying to find in krb5.keytab (I assume that this is where
the mismatch or missing entry is).
Is there a way to squeeze more diagnostic information? Or does
this sound like a familiar problem?
In article <d17eap$ejf$1@panix5.panix.com>,
urban@panix.com (Michael Urban) wrote:
....
> The problem comes when I attempt to do the same thing with the same
> version of OpenSSH built with the same options on a Solaris machine.
> In that case, the server logs a "Server not found in Kerberos ...
Server not found in Kerberos database while getting a service url ticket
hello,
I have added to my kerberos database the following principal:
"http://localhost:8080/axis/services/test" .
(It's in a url format instead of being in the format:
service/host@REALM.)
So, the thing is that I would like to acquire a service ticket for that
principal.
To request a service ticket I am using gss api and follow the next
steps:
class KrbClient{
main(){
.....
//I have acquired the credentials from the ticket cache
....
PrincipalName serviceName = new
PrincipalName("http://localhost:8080/axis/services/test");
// create the tgs_req to ask for service tickets
sun.security.krb5.KrbTgsReq tgs_req = new
sun.security.krb5.KrbTgsReq(credentials, serviceName);
tgs_req.send();
// get tgs_rep
KrbTgsRep tgs_rep = tgs_req.getReply();
}
}
and it gets the following error:
KrbException: Server not found in Kerberos database (7)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:67)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:235)
at KrbClient.requestServiceTicket(KrbClient.java:142)
at KrbClient.main(KrbClient.java:39)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:134)
at sun.security.krb5.internal.TGSRep.init(TGSRep.java:59)
at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:54)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:50)
... 3 more
From the debugging of gss api:
>>>KRBError:
sTime is Mon ...
RE: Server not found in Kerberos database error on ldapsearch #3
Ok, I got it now! I set up the AD server to run as ad.example.com and
replaced the ip's in my krb5.conf with dns names and now it works! Thank you
very much for your help. Still, if you have any howto on this topic (AD and
UNIX), I would appreciate if you could send me a link to it.
Evgeniy Zharovsky (aka Jeck)
-----------------
Evgeniy Zharovsky
Ludwig-Maximilians-Universitaet
Ref. IIIA5 (Sicherheitstechnik und Verzeichnisdienste)
Martiusstr. 4 / 207
80539 Muenchen
email mailto:evgeniy.zharovsky@verwaltung.uni-muenchen.de
...
newbie: error getting credentials: Server not found in Kerberos database
Hi!
I never found the time to deal intensively with kerberos so please
indulge me if this is ought to be a stupid question:
kinit works. krsh does not:
krsh server
error getting credentials: Server not found in Kerberos database
trying normal rlogin (/usr/bin/rlogin)
So, this is what I did so far:
server:
/etc/krb5.conf:
[libdefaults]
default_realm = LOCALDOMAIN
[realms]
LOCALDOMAIN = {
kdc = server.localdomain:88
admin_server = server.localdomain:750
}
[domain_realm]
.localdomain = LOCALDOMAIN
localdomain = LOCALDOMAIN
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
/etc/hosts:
127.0.0.1 localhost
192.168.0.2 server server.localdomain
real hostname is actually *not* "server"!
kadmin.local:
addprinc foo
client:
/etc/krb5.conf
[libdefaults]
ticket_lifetime = 600
default_realm = LOCALDOMAIN
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
LOCALDOMAIN = {
kdc = server.localdomain:88
admin_server = server.localdomain:750
}
[domain_realm]
.localdomain = LOCALDOMAIN
localdomain = LOCALDOMAIN
[kdc]
profile = /etc/krb5kdc/kdc.conf
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FI...
RE: Server not found in Kerberos database error on ldapsearch #2
I don't know if I got you right (I'm not quite good in networks and
especially AD; that's a new thing for me, so I'm a noob)
So I just ask again:
Douglas E. Engert wrote
> > I captured the request dialog with wireshark and got this (the things I think
> > are important):
> >
> > MSG Type: KRB-ERROR
> > Error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
> > Realm: EXAMPLE.COM
> > Server Name (Unknown): krbtgt/COM
> > Name-type: Unknown (0)
> > Name: krbtgt
> > Name: COM
>
> This looks like cross realm, where the client is working its way up the realm
> tree to get to the realm of the server, say AD.DOMAIN.COM. Client is using TGT
> from EXAMPLE.COM to get TGT for realm COM (which does not exist). If it did, it
> would then try and get a TGT from COM for DOMAIN.COM, then get one from
> AD.DOMAIN.COM and then get service ticket from AD.DOMAIN.COM.
>
> I thought you were trying to use Active Directory, and the domain name
> was something like ad.domain.com. So why does your unix system have
> a realm named EXAMPLE.COM? Have you setup cross realm trust between them?
>
> If you are not using cross-realm, then you should be using the AD domain name as
> the realm name. It should have a realm named AD.DOMAIN.COM.
> Either the user and server must be in the same realm, or you need cross realm
> trust.
The domai...
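A triage helper for the KDC log lines quoted in the threads on this page, added here as an example and not taken from any poster or from MIT Kerberos. It pulls the requested server principal out of each UNKNOWN_SERVER entry and separates cross-realm TGT requests (the realm-tree walk described in the quoted reply above) from a missing service principal; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Failure format of MIT krb5kdc TGS_REQ entries as quoted in the posts on this page:
#   ... TGS_REQ (...) <addr>: UNKNOWN_SERVER: authtime N, <client> for <server>, Server not found ...
UNKNOWN_SERVER = re.compile(
    r"TGS_REQ .*?UNKNOWN_SERVER: authtime \d+,\s+"
    r"(?P<client>\S+) for (?P<server>\S+?), Server not found"
)


def split_principal(principal):
    """Split 'comp1/comp2@REALM' into (['comp1', 'comp2'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep:  # no realm part present
        name, realm = principal, ""
    return name.split("/"), realm


def classify(line):
    """Return a triage record for an UNKNOWN_SERVER line, or None for any other line."""
    m = UNKNOWN_SERVER.search(line)
    if m is None:
        return None
    client, server = m["client"], m["server"]
    comps, _ = split_principal(server)
    _, client_realm = split_principal(client)
    rec = {"client": client, "server": server}
    if comps[0] == "krbtgt" and len(comps) == 2 and comps[1] != client_realm:
        # The client asked its own KDC for a TGT to a different realm.
        target = comps[1]
        rec["kind"] = "cross-realm"
        rec["target_realm"] = target
        # True when the target is a DNS-style parent of the client's realm,
        # i.e. the client is walking up the realm tree (EXAMPLE.COM -> COM).
        rec["walking_up"] = client_realm.endswith("." + target)
        rec["check"] = ("client placed the service host in another realm: review "
                        "default_realm and [domain_realm] on the client, or set up "
                        "cross-realm trust for the target realm")
    else:
        rec["kind"] = "service-principal-missing"
        rec["check"] = ("no principal with exactly this name in the KDC database: "
                        "compare it with the hostname the client resolved (forward "
                        "and reverse DNS, /etc/hosts) and with the principals created")
    return rec


def triage(lines):
    """Count UNKNOWN_SERVER failures per (kind, requested server principal)."""
    counts = Counter()
    for line in lines:
        rec = classify(line)
        if rec is not None:
            counts[(rec["kind"], rec["server"])] += 1
    return counts


# Constructed sample, modeled on the log lines quoted in the posts (one entry per line).
SAMPLE_LOG = [
    "Jul 08 18:52:34 kdc krb5kdc[9797](info): AS_REQ (6 etypes {18 16 23 1 3 2}) "
    "192.168.200.27: ISSUE: authtime 1089292954, etypes {rep=16 tkt=16 ses=16}, "
    "test@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "Nov 11 09:49:33 alpha krb5kdc[8745](info): TGS_REQ (1 etypes {1}) "
    "192.168.3.3(16417): UNKNOWN_SERVER: authtime 1100162970, stefan@IMOS.NET for "
    "host/vxr-r.imos.net@IMOS.NET, Server not found in Kerberos database",
    "Jul 08 18:52:34 kdc krb5kdc[9797](info): TGS_REQ (6 etypes {18 16 23 1 3 2}) "
    "192.168.200.27: UNKNOWN_SERVER: authtime 1089292954, test@EXAMPLE.COM for "
    "krbtgt/REALM1.COM@EXAMPLE.COM, Server not found in Kerberos database",
    "Jul 08 18:52:34 kdc krb5kdc[9797](info): TGS_REQ (6 etypes {18 16 23 1 3 2}) "
    "192.168.200.27: UNKNOWN_SERVER: authtime 1089292954, test@EXAMPLE.COM for "
    "krbtgt/COM@EXAMPLE.COM, Server not found in Kerberos database",
    "Nov 11 09:49:33 alpha krb5kdc[8745](info): TGS_REQ (1 etypes {1}) "
    "192.168.3.3(16417): UNKNOWN_SERVER: authtime 1100162970, stefan@IMOS.NET for "
    "host/vxr-r.imos.net@IMOS.NET, Server not found in Kerberos database",
]

if __name__ == "__main__":
    for (kind, server), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{n:3d}  {kind:26s} {server}")
```

A real krb5kdc log wraps nothing; rejoin lines first if the input was copied out of an e-mail, as the excerpts on this page were.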
migration from Kerberos 4 to Kerberos 5
Hello,
I have a few questions about migration to a new Kerberos version. In
fact, the goal is to migrate a network with Kerberos 4 to the Kerberos
5(under Lin8x):
1) Do I have to reinstall Kerberos from the scratch or are there
packages that allow to update the version?
2) What about the users that I created, are they still valid or will
user information be lost. Part of the network uses already an LDAP
directory, do I suppose this will not be a problem for this part, but
in general, how can I migrate my user-accounts to the new version?
3) What about the clients, do I have to re-install the Kerberos-client
on each workstation or can I use the "old" Kerberos clients?
Could anybody answer my questions and perhaps give me some good hints
for the migration respectively point me to some good documents?
Thanx,
CB
...
Subject: Help needed on "Server not found in Kerberos Database" while using "mod_auth_kerb+Apache"
Hi,
My Kerberos Setup is as follows-
Kerberos v5 Server- example.domain.com (Linux Box)
Kerberos Realm- EXAMPLE.COM
Registered User on Kerberos realm- test@EXAMPLE.COM
Apache Server(with mod_auth_kerb) can be accessed as:
http://apache.domain.com (Linux Box)
Now I have added a principal name- HTTP/apache.domain.com@EXAMPLE.COM
using the addprinc command. I have generated a keytab file for this
principal (using ktadd) and then transferred it to the Apache
Server(apache.domain.com). I have pointed to this keytab file in
.htaccess file.
Now when I try to access APACHE.DOMAIN.COM:80 through a browser(IE)
running on my desktop say CLIENT1.DOMAIN.COM, and give the proper
user credentials...it doesn't authenticate. When I look this up in the
Kerberos log file (krb5kdc.log) it gives the following messages...for
the event-
Jul 08 18:52:34 example.domain.com krb5kdc[9797](info): AS_REQ (6
etypes {18 16 23 1 3 2}) 192.168.200.27: ISSUE: authtime 1089292954,
etypes {rep=16 tkt=16 ses=16}, test@EXAMPLE.COM for
krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jul 08 18:52:34 example.domain.com krb5kdc[9797](info): TGS_REQ (6
etypes {18 16 23 1 3 2}) 192.168.200.27: UNKNOWN_SERVER: authtime
1089292954, test@EXAMPLE.COM for krbtgt/REALM1.COM@EXAMPLE.COM,
Server not found in Kerberos database
Jul 08 18:52:34 example.domain.com krb5kdc[9797](info): TGS_REQ (6
etypes {18 16 23 1 3 2}) 192.168.200.27: UNKNOWN_SERVER: authtime
1089292954, test@EXAMPLE.COM for krbtgt/COM@EXAMPLE.COM, Server not
found i...
Client not found in Kerberos database while...
Hi
My overall project is to get a Debian Sarge mail/samba-server to connect
with a Windows server 2003, but I'm having problem with the kerberos/LDAP
connection. I started out with this guide:
http://www.enterprisenetworkingplanet.com/netos/article.php/3487081 And i
got all the components (Have_KRB5_H and etc.), but no connection..
If i test the conn with:
kinit administrator@DOM.NET
kinit(v5): Client not found in Kerberos database while getting initial
credentials
And if i test with:
kinit administrator@dom.net
kinit(v5): Cannot resolve network address for KDC in requested realm while
getting initial credentials
So in general I'm having trouble defining what is what and what to
install. When typing my "Kerberos server" in the conf i put in the
windows-server, but should that be the linuxserver? And how much should i
install on the linuxserver to make it into a "kerberos server". I already
got these.
libpam-krb5 krb5-user krb5-doc krb5-config krb5-kdc libkrb53
----- krb5.conf -----------
[libdefaults]
default_realm = DOM.NET
[realms]
DOM.NET = {
kdc = WINDOWSSERVER.DOM.NET
}
[domain_realms]
.kerberos.server = DOM.NET
Hope anyone can guide me through this...
/Lars
...
Client not found in Kerberos database
I get this from typing 'kadmin' on the commandline of the KDC server itself.
I have my own account on there which I can log into from gkadmin.
Client not found in Kerberos database while initializing kadmin interface
Regards,
Jason.
--------------------------
Jason Oakley +612 82821434
Open and Intel Systems
Systems Administrator
http://www.eds.com
Add a dab of lavender to milk
Leave town with an orange
and pretend you are laughing at it
What did you try ?
I think this is a RTFM question.
On Wed, 2004-01-14 at 05:20, Jason Oakley wrote:
> I get this from typing 'kadmin' on the commandline of the KDC server itself.
> I have my own account on there which I can log into from gkadmin.
>
>
> Client not found in Kerberos database while initializing kadmin interface
>
>
>
> Regards,
>
> Jason.
>
> --------------------------
> Jason Oakley +612 82821434
> Open and Intel Systems
> Systems Administrator
> http://www.eds.com
>
> Add a dab of lavender to milk
> Leave town with an orange
> and pretend you are laughing at it
>
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
--
...
RE: MIT Kerberos and Solaris 10 Kerberos #4
Thanks. We'll have to keep our eyes open for 5-1.4.
Rainer
> -----Original Message-----
> From: Tom Yu [mailto:tlyu@mit.edu]
> Sent: Tuesday, January 11, 2005 11:12 AM
> To: Wyllys Ingersoll
> Cc: Heilke, Rainer; kerberos@mit.edu
> Subject: Re: MIT Kerberos and Solaris 10 Kerberos
>
>
> >>>>> "Wyllys" == Wyllys Ingersoll <wyllys.ingersoll@sun.com> writes:
>
> Wyllys> That's because Solaris 10 'kadmin' uses RPCSEC_GSS and
> Wyllys> MIT uses a slightly different RPC protocol.
>
> [...]
>
> Wyllys> There have been patches submitted to the MIT codebase to make
> Wyllys> it able to support RPCSEC_GSS (and thus interop with Solaris kadmin),
> Wyllys> but I'm not sure if those are in the latest release or not.
>
> RPCSEC_GSS support will be present in krb5-1.4 (currently in beta). I
> have done a brief successful interop test against SEAM's kadmin
> protocol. Independent confirmation would be useful.
>
> ---Tom
>
...
Important Notice Regarding Kerberos 4 Support in MIT Kerberos
This comes from a message distributed to another list but I thought it
might be useful here too.
On January 27th of this year, the MIT Kerberos Development team
announced plans to phase out support for Kerberos 4 in MIT Kerberos,
including v4 support in Kerberos for Macintosh and Kerberos for Windows.
We strongly recommend that all sites currently using Kerberos 4 migrate
their services and users to Kerberos 5 as soon as possible.
The MIT Kerberos team is making substantial changes to the client-side
initial ticket acquisition support in the next release of Kerberos.
These changes will improve the user experience for users who get
tickets for multiple realms that do not share keys. Because we are no
longer dedicating resources for new Kerberos 4 features, this new code
will only support Kerberos 5. As a result, sites using Kerberos 4 will
not be able to take advantage of this new feature. In addition, since
this feature will be replacing existing code in Kerberos for Macintosh
and Kerberos for Windows, the Kerberos 4 user experience on Windows and
Mac OS X will be noticeably worse than in previous releases.
The first major changes which impact Kerberos 4 support are currently
scheduled for krb5-1.5 (May of 2006), Kerberos for Macintosh 6.0
(which will ship with Mac OS X Leopard), and Kerberos for Windows 3.1
(approximately June 2006). We have no plans to remove Kerberos 4
support from earlier major releases of any of our products (ie: krb5
1.4.x, KfM 5.5.x (Tiger) a...
Microsoft SSPI error
Hello,
I have configuration of active directory 2003 r2 sp3 working with
linux mod_auth_kerb.
I use SPNEGO for subversion.
When using Linux all work great!
When using Windows XP(and Windows 7) Firefox/IE/cifs client work great.
Problem is subversion which uses neon, it get the following:
---
Running post_send hooks
ah_post_send (#1), code is 201 (want 401), WWW-Authenticate is Negotiate oYGfMIG
coAMKAQChCwYJKoZIhvcSAQICooGHBIGEYIGBBgkqhkiG9xIBAgICAG9yMHCgAwIBBaEDAgEPomQwYqA
DAgEXolsEWTLvPLmZvxBgaMEmPDDTIeG9bdJ5rmfTEtsj6Cv9eF9s9Z8sBWhVhPXYzIVsm/sw0hqR+1u
DM9frpOeV2Y0YGtDk2flN5iOM/HdEujj0GXAYEWHvPp/3kSc2
auth: SSPI challenge.
InitializeSecurityContext [fail] [80090304].
sspi: initializeSecurityContext [failed] [80090304].
---
At windows event log I see the following:
---
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40962
Date: 10/3/2011
Time: 3:55:38 PM
User: N/A
Computer: VALON
Description:
The Security System was unable to authenticate to the server
HTTP/correlux-gentoo.correlsense.com because the server has completed
the authentication, but the client authentication protocol Kerberos
has not.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
---
Had anyone seen this before?
I tried many configurations, but without success:
---
Gentoo
---
dev-libs/openssl-1.0.0e -> also downgraded to openssl-0.9.8f
www-servers/apache-2.2.21
www-apache/mod_auth_kerb-5.4 -> also downgraded to m...
Client not found in Kerberos database #3
Hi,
I have an Intel Xserve 10.4.9 server bound to AD and also have OD configured
on the same server for Mac management.
Other services running are AFP and WINDOWS. I will also be using the same
server as a file server for both Mac and Windows.
Below are my issues.
When the WINDOWS service starts on our Intel Xserve with 10.4.9 installed I
receive the below error message.
I have tested single sign on "SSO" from Mac and Windows systems and
everything seems to work, but am concerned that this error may cause an
issue at a later date.
I also have an issue with windows users suddenly not being able to connect
to a share on the Intel Xserve via SMB which is strange as the same user on
a Mac could still connect via AFP or SMB a restart of the WINDOWS service
seems to clear this problem, not sure if this is related to the below error
but it's a real issue and seems to be very random. When this happens I seem
to receive "broken pipe" errors in the "smbd.conf" log.
I checked the "secrets.tdb" and found that this did not have the "\00" on
the end of the "SECRETS/MACHINE_PASSWORD/", so I ran the script at "afp548"
site under forum "10.4.8 Intel - AD, Samba kerberos machine password" which
added the "\00". The strange thing is that all seemed to still work even
though the "secrets.tdb" was not correct, perhaps this could be the cause
of the SMB dropouts?
Below is from the SMBD.LOG...
Trouble authenticating with Kerberos & LDAP
I've been very frustrated trying to get this to work. We are trying to
use a windows 2003 server as our Kerberos server, along with our
openldap on solaris as our directory server. The machines we want to
authenticate on are all Solaris 9.
The ldap tree is fully populated, and working properly. With our
current nsswitch.conf, logins work using the ldap directory (with
posixAccount & shadowAccount records), as does a getent passwd
<ldapusername>.
Also, we have our Windows 2003 server's directory setup with named
users, and with our current pam.conf, we can authenticate aga...
kprop and "Client not found in Kerberos database"
Hi there,
I have 2 realms, the second for Jabber users. I can kprop the default
realm fine, but get
# kdb5_util -r JABBER.DOMAIN.NET -d /usr/local/var/krb5kdc/jabber
-sf /usr/local/var/krb5kdc/.k5.JABBER.DOMAIN.NET dump DUMP.FILE
# kprop -r JABBER.DOMAIN.NET -f DUMP.FILE -s /etc/krb5.jabber.keytab
-d kerberos-ha.domain.net
kprop: Client not found in Kerberos database while getting initial
ticket
when trying to kprop the jabber realm. A tcpdump shows no traffic to
the secondary, so this looks like a local issue on the primary. In the
Jabber realm, I have these host principals (in addition to others):
host/kerberos-ha.domain.net@JABBER.DOMAIN.NET
host/kerberos.domain.net@JABBER.DOMAIN.NET
I used ``ktadd'' to extract
``host/kerberos.domain.net@JABBER.DOMAIN.NET'' to
/etc/krb5.jabber.keytab, and I get the same error with and without the
-s flag.
Can anyone shed some light? Using the same steps for the default realm
works fine. Below is my /etc/krb5.conf
--
Thanks
Darek
[libdefaults]
default_realm = DOMAIN.NET
[realms]
DOMAIN.NET = {
kdc = kerberos.domain.net
kdc = kerberos-ha.domain.net
}
JABBER.DOMAIN.NET = {
kdc = kerberos.domain.net
kdc = kerberos-ha.domain.net
}
[domain_realm]
.domain.net = DOMAIN.NET
jabber.domain.net = JABBER.DOMAIN.NET
[password_quality]
min_length =...