Error while rrunning GSSAPI samples using SEAM (No principal inkeytab matches desired name )

Vikas Gandhi VGandhi at quark.co.in
Sun Dec 14 02:45:00 EST 2003


I have gone a step further and I am facing this problems:->Cannot contact
any KDC for requested realm
I have discuss the procedure below.

I further read the MIT documentation for cross relam auth and found out that
the principal that was supposed to be generated by kinit was "ktpass -princ
sample1/blade.qdms.co.in at QDMS.CO.IN -mapuser sample -pass sample -out
blade.keytab". I created that and ran "./gss-server -port 4444 -mech
"1.2.840.113554.1.2.2" -verbose sample at blade.qdms.co.in " on solaris 9. At
least the server starts running. Next I kinit the user "test at QDMS.CO.IN" for
obtaining the ticket from ADSI. I checked the event log and found that it
was correct.
Checking the klist shows
klist 
Ticket cache: /tmp/krb5cc_1023
Default principal: test at QDMS.CO.IN

Valid starting                       Expires                       Service
principal
Sun Dec 14 13:12:22 2003  Sun Dec 14 23:12:22 2003
krbtgt/QDMS.CO.IN at QDMS.CO.IN

Next I try to run the GSSAPI samples in solaris 9
 ./gss-client -port 4444 -mech "1.2.840.113554.1.2.2" blade sample hello
GSS-API error initializing context: Unspecified GSS failure.  Minor code may
provide more information
GSS-API error initializing context: Cannot contact any KDC for requested
realm

I am not able to judge the problem at all.
My krb5.conf speaks (QDMS.CO.IN in Windows 2003 ADSI PDC and QUARK.CO.IN is
a Solaris 9 system)
------------------
[libdefaults]
        default_realm = QDMS.CO.IN
#        default_realm = QUARK.CO.IN
        default_tgs_enctypes = des-cbc-crc
        default_tkt_enctypes = des-cbc-crc
        dns_lookup_kdc=true
        dns_lookup_realm =true

[realms]
                QUARK.CO.IN= {
                kdc = blade.quark.co.in
                admin_server = blade.quark.co.in
        }
          QDMS.CO.IN= {
                kdc = beetle.qdms.co.in:88
                admin_server = beetle.qdms.co.in
                default_realm = QDMS.CO.IN
        }
[capaths]
        QUARK.CO.IN = {
                QDMS.CO.IN = .
        }
        QDMS.CO.IN = {
                QUARK.CO.IN = .
        }
-----------------------------------------

FYI: The samples work well for SEAM.

--Vikas


-----Original Message-----
From: Douglas E. Engert [mailto:deengert at anl.gov]
Sent: Friday, December 12, 2003 6:38 PM
To: Vikas Gandhi
Cc: kerberos at mit.edu
Subject: Re: Error while rrunning GSSAPI samples using SEAM (No
principal inkeytab matches desired name )


Try using in Step 5: 
./gss-server -port 4444 -verbose windms at beetle.qdms.co.in

The GSS-API uses service at hostname which when use with Kerberos
Kerbeors GSSAPI is mapped to a principal of service/hostname 

Vikas Gandhi wrote:
> 
> Hi All
>  I am using SEAM and ADSI 2000. I have done cross relam and cross
> domain setup. The setup is fine. I am facing difficulties in running
> gssapi samples using ADSI (though the reverse I have done it i.e.
> using sspi samples using SEAM).
> The gssapi samples work fine for SEAM. But I do not know where I am
> mistaken when I try for ADSI-2000.
> WIN-OS: 2003 server
> WIN-DOMAIN: QDMS.CO.IN
> WIN-relam: QDMS.CO.IN
> win-host-name: beetle.qdms.co.in
> 
> SUN-OS: solaris 9
> SEAM-DOMAIN: QUARK.CO.IN
> win-host-name: blade.quark.co.in
> seam-relam: QUARK.CO.IN
> seam version: 1.01
> As I have created a trust between the two domains and added kdc to the
> windows and created mappings, I can login to the windows easily using
> SEAM KDC.
> 
> Step 1:  I created a user windms in ADSI and gave windms and password
> windms.
> Step 2: ktpass -princ windms/beetle.qdms.co.in -mapuser windms -pass
> windms -out blade.keytab
> Step 3: I ftp that file in sun server and used ktutil to input in
> /etc/krb5/krb5.keytab
> Step 4: kinit -k -t /etc/krb5/krb5.keytab
> windms/beetle.qdms.co.in at QDMS.CO.IN
> works fins and I get the ticket.
> Step 5: ./gss-server -port 4444 -verbose windms/beetle.qdms.co.in
> GSS-API error acquiring credentials: Unspecified GSS failure.  Minor
> code may provide more information
> GSS-API error acquiring credentials: No principal in keytab matches
> desired name
> 
> I do not know where the error lies.
> My /etc/hosts file says the following
> X.X.X.X    blade.qdms.co.in blade.quark.co.in blade
> X.X.X.X    beetle  beetle.qdms.co.in beetle.quark.co.in
> 
> My /etc/resolv.conf says
> domain  quark.co.in
> nameserver      X.X.X.X
> nameserver      X.X.X.X
> search quark.co.in qdms.co.in
> 
> Regards
> Vikas
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444


More information about the Kerberos mailing list