Error while rrunning GSSAPI samples using SEAM (No principal inkeytab matches desired name )
Douglas E. Engert
deengert at anl.gov
Mon Dec 15 08:38:21 EST 2003
Vikas Gandhi wrote:
>
> I have gone a step further and I am facing this problems:->Cannot contact
> any KDC for requested realm
> I have discuss the procedure below.
>
> I further read the MIT documentation for cross relam auth and found out that
> the principal that was supposed to be generated by kinit was "ktpass -princ
> sample1/blade.qdms.co.in at QDMS.CO.IN -mapuser sample -pass sample -out
The principal sample1/blade.qdms.co.in at QDMS.CO.IN will not
match the GSS name sample at blade.qdms.co.in
When you import a GSS name, it is of the form <service>@<hostname>
this will be used to find a principal of the form <service>/<fqdn>@<realm>
where <fqdn> will be derived from <hostname> and <realm> will be derived
from the <fqdn> by the Kerberos library.
sample != sample1.
You list two machines, beetle, and blade in the krb5.conf. Are there
both a blade.qdms.co.in and a blade.quark.co.in? Are these two separate machines?
Don't try and have a single machine in two realms, or with two DNS names
until you get the basics working.
You may need a [domain_realm] section.
> blade.keytab". I created that and ran "./gss-server -port 4444 -mech
> "1.2.840.113554.1.2.2" -verbose sample at blade.qdms.co.in " on solaris 9. At
> least the server starts running. Next I kinit the user "test at QDMS.CO.IN" for
> obtaining the ticket from ADSI. I checked the event log and found that it
> was correct.
> Checking the klist shows
> klist
> Ticket cache: /tmp/krb5cc_1023
> Default principal: test at QDMS.CO.IN
>
> Valid starting Expires Service
> principal
> Sun Dec 14 13:12:22 2003 Sun Dec 14 23:12:22 2003
> krbtgt/QDMS.CO.IN at QDMS.CO.IN
>
> Next I try to run the GSSAPI samples in solaris 9
> ./gss-client -port 4444 -mech "1.2.840.113554.1.2.2" blade sample hello
> GSS-API error initializing context: Unspecified GSS failure. Minor code may
> provide more information
> GSS-API error initializing context: Cannot contact any KDC for requested
> realm
>
> I am not able to judge the problem at all.
> My krb5.conf speaks (QDMS.CO.IN in Windows 2003 ADSI PDC and QUARK.CO.IN is
> a Solaris 9 system)
> ------------------
> [libdefaults]
> default_realm = QDMS.CO.IN
> # default_realm = QUARK.CO.IN
> default_tgs_enctypes = des-cbc-crc
> default_tkt_enctypes = des-cbc-crc
> dns_lookup_kdc=true
> dns_lookup_realm =true
>
> [realms]
> QUARK.CO.IN= {
> kdc = blade.quark.co.in
> admin_server = blade.quark.co.in
> }
> QDMS.CO.IN= {
> kdc = beetle.qdms.co.in:88
> admin_server = beetle.qdms.co.in
> default_realm = QDMS.CO.IN
> }
> [capaths]
> QUARK.CO.IN = {
> QDMS.CO.IN = .
> }
> QDMS.CO.IN = {
> QUARK.CO.IN = .
> }
> -----------------------------------------
>
> FYI: The samples work well for SEAM.
>
> --Vikas
>
> -----Original Message-----
> From: Douglas E. Engert [mailto:deengert at anl.gov]
> Sent: Friday, December 12, 2003 6:38 PM
> To: Vikas Gandhi
> Cc: kerberos at mit.edu
> Subject: Re: Error while rrunning GSSAPI samples using SEAM (No
> principal inkeytab matches desired name )
>
> Try using in Step 5:
> ./gss-server -port 4444 -verbose windms at beetle.qdms.co.in
>
> The GSS-API uses service at hostname which when use with Kerberos
> Kerbeors GSSAPI is mapped to a principal of service/hostname
>
> Vikas Gandhi wrote:
> >
> > Hi All
> > I am using SEAM and ADSI 2000. I have done cross relam and cross
> > domain setup. The setup is fine. I am facing difficulties in running
> > gssapi samples using ADSI (though the reverse I have done it i.e.
> > using sspi samples using SEAM).
> > The gssapi samples work fine for SEAM. But I do not know where I am
> > mistaken when I try for ADSI-2000.
> > WIN-OS: 2003 server
> > WIN-DOMAIN: QDMS.CO.IN
> > WIN-relam: QDMS.CO.IN
> > win-host-name: beetle.qdms.co.in
> >
> > SUN-OS: solaris 9
> > SEAM-DOMAIN: QUARK.CO.IN
> > win-host-name: blade.quark.co.in
> > seam-relam: QUARK.CO.IN
> > seam version: 1.01
> > As I have created a trust between the two domains and added kdc to the
> > windows and created mappings, I can login to the windows easily using
> > SEAM KDC.
> >
> > Step 1: I created a user windms in ADSI and gave windms and password
> > windms.
> > Step 2: ktpass -princ windms/beetle.qdms.co.in -mapuser windms -pass
> > windms -out blade.keytab
> > Step 3: I ftp that file in sun server and used ktutil to input in
> > /etc/krb5/krb5.keytab
> > Step 4: kinit -k -t /etc/krb5/krb5.keytab
> > windms/beetle.qdms.co.in at QDMS.CO.IN
> > works fins and I get the ticket.
> > Step 5: ./gss-server -port 4444 -verbose windms/beetle.qdms.co.in
> > GSS-API error acquiring credentials: Unspecified GSS failure. Minor
> > code may provide more information
> > GSS-API error acquiring credentials: No principal in keytab matches
> > desired name
> >
> > I do not know where the error lies.
> > My /etc/hosts file says the following
> > X.X.X.X blade.qdms.co.in blade.quark.co.in blade
> > X.X.X.X beetle beetle.qdms.co.in beetle.quark.co.in
> >
> > My /etc/resolv.conf says
> > domain quark.co.in
> > nameserver X.X.X.X
> > nameserver X.X.X.X
> > search quark.co.in qdms.co.in
> >
> > Regards
> > Vikas
> > ________________________________________________
> > Kerberos mailing list Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
> --
>
> Douglas E. Engert <DEEngert at anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list