Error while rrunning GSSAPI samples using SEAM (No principal inkeytab matches desired name )

Vikas Gandhi VGandhi at quark.co.in
Mon Dec 15 23:05:50 EST 2003 

Hi
  Thanks for spending time and effort. My problem came out to be a very
stupid one. 
You were right when u said about [domain_realm] section. 

I just added .quark.co.in = QDMS.CO.IN in krb5.conf .

Next I imported keytab file into /etc/krb5/krb5.keytab using version 3. 
ktpass -kvno 3 -princ unix2/blade.quark.co.in at QDMS.CO.IN -mapuser unix2
-pass unix2 -out blade.keytab

The samples run perfectly now.
Thanks to everyone who gave me small assistance.

I nopw have few doubts.

1. Please let me know whether to generate a keytab file of version3 is the
right way to go about. or It is a hack ?????
2. In [domain_realm]  
 .quark.co.in = QDMS.CO.IN : means that domainname "quark.co.in" should have
a relam of QDMS.CO.IN
  quark.co.in = QDMS.CO.IN : means what ????

Any help shall be appreciated.

Regards
Vikas



-----Original Message-----
From: Douglas E. Engert [mailto:deengert at anl.gov]
Sent: Monday, December 15, 2003 7:08 PM
To: Vikas Gandhi
Cc: kerberos at mit.edu
Subject: Re: Error while rrunning GSSAPI samples using SEAM (No
principal inkeytab matches desired name )




Vikas Gandhi wrote:
> 
> I have gone a step further and I am facing this problems:->Cannot contact
> any KDC for requested realm
> I have discuss the procedure below.
> 
> I further read the MIT documentation for cross relam auth and found out
that
> the principal that was supposed to be generated by kinit was "ktpass
-princ
> sample1/blade.qdms.co.in at QDMS.CO.IN -mapuser sample -pass sample -out

The principal sample1/blade.qdms.co.in at QDMS.CO.IN will not
match the GSS name sample at blade.qdms.co.in 

When you import a GSS name, it is of the form <service>@<hostname>
this will be used to find a principal of the form <service>/<fqdn>@<realm>
where <fqdn> will be derived from <hostname> and <realm> will be derived 
from the <fqdn> by the Kerberos library.

  sample != sample1. 

You list two machines, beetle, and blade in the krb5.conf. Are there 
both a blade.qdms.co.in and a blade.quark.co.in? Are these two separate
machines?

Don't try and have a single machine in two realms, or with two DNS names
until you get the basics working. 

You may need a [domain_realm] section. 
 

> blade.keytab". I created that and ran "./gss-server -port 4444 -mech
> "1.2.840.113554.1.2.2" -verbose sample at blade.qdms.co.in " on solaris 9. At
> least the server starts running. Next I kinit the user "test at QDMS.CO.IN"
for
> obtaining the ticket from ADSI. I checked the event log and found that it
> was correct.
> Checking the klist shows
> klist
> Ticket cache: /tmp/krb5cc_1023
> Default principal: test at QDMS.CO.IN
> 
> Valid starting                       Expires                       Service
> principal
> Sun Dec 14 13:12:22 2003  Sun Dec 14 23:12:22 2003
> krbtgt/QDMS.CO.IN at QDMS.CO.IN
> 
> Next I try to run the GSSAPI samples in solaris 9
>  ./gss-client -port 4444 -mech "1.2.840.113554.1.2.2" blade sample hello
> GSS-API error initializing context: Unspecified GSS failure.  Minor code
may
> provide more information
> GSS-API error initializing context: Cannot contact any KDC for requested
> realm
> 
> I am not able to judge the problem at all.
> My krb5.conf speaks (QDMS.CO.IN in Windows 2003 ADSI PDC and QUARK.CO.IN
is
> a Solaris 9 system)
> ------------------
> [libdefaults]
>         default_realm = QDMS.CO.IN
> #        default_realm = QUARK.CO.IN
>         default_tgs_enctypes = des-cbc-crc
>         default_tkt_enctypes = des-cbc-crc
>         dns_lookup_kdc=true
>         dns_lookup_realm =true
> 
> [realms]
>                 QUARK.CO.IN= {
>                 kdc = blade.quark.co.in
>                 admin_server = blade.quark.co.in
>         }
>           QDMS.CO.IN= {
>                 kdc = beetle.qdms.co.in:88
>                 admin_server = beetle.qdms.co.in
>                 default_realm = QDMS.CO.IN
>         }
> [capaths]
>         QUARK.CO.IN = {
>                 QDMS.CO.IN = .
>         }
>         QDMS.CO.IN = {
>                 QUARK.CO.IN = .
>         }
> -----------------------------------------
> 
> FYI: The samples work well for SEAM.
> 
> --Vikas
> 
> -----Original Message-----
> From: Douglas E. Engert [mailto:deengert at anl.gov]
> Sent: Friday, December 12, 2003 6:38 PM
> To: Vikas Gandhi
> Cc: kerberos at mit.edu
> Subject: Re: Error while rrunning GSSAPI samples using SEAM (No
> principal inkeytab matches desired name )
> 
> Try using in Step 5:
> ./gss-server -port 4444 -verbose windms at beetle.qdms.co.in
> 
> The GSS-API uses service at hostname which when use with Kerberos
> Kerbeors GSSAPI is mapped to a principal of service/hostname
> 
> Vikas Gandhi wrote:
> >
> > Hi All
> >  I am using SEAM and ADSI 2000. I have done cross relam and cross
> > domain setup. The setup is fine. I am facing difficulties in running
> > gssapi samples using ADSI (though the reverse I have done it i.e.
> > using sspi samples using SEAM).
> > The gssapi samples work fine for SEAM. But I do not know where I am
> > mistaken when I try for ADSI-2000.
> > WIN-OS: 2003 server
> > WIN-DOMAIN: QDMS.CO.IN
> > WIN-relam: QDMS.CO.IN
> > win-host-name: beetle.qdms.co.in
> >
> > SUN-OS: solaris 9
> > SEAM-DOMAIN: QUARK.CO.IN
> > win-host-name: blade.quark.co.in
> > seam-relam: QUARK.CO.IN
> > seam version: 1.01
> > As I have created a trust between the two domains and added kdc to the
> > windows and created mappings, I can login to the windows easily using
> > SEAM KDC.
> >
> > Step 1:  I created a user windms in ADSI and gave windms and password
> > windms.
> > Step 2: ktpass -princ windms/beetle.qdms.co.in -mapuser windms -pass
> > windms -out blade.keytab
> > Step 3: I ftp that file in sun server and used ktutil to input in
> > /etc/krb5/krb5.keytab
> > Step 4: kinit -k -t /etc/krb5/krb5.keytab
> > windms/beetle.qdms.co.in at QDMS.CO.IN
> > works fins and I get the ticket.
> > Step 5: ./gss-server -port 4444 -verbose windms/beetle.qdms.co.in
> > GSS-API error acquiring credentials: Unspecified GSS failure.  Minor
> > code may provide more information
> > GSS-API error acquiring credentials: No principal in keytab matches
> > desired name
> >
> > I do not know where the error lies.
> > My /etc/hosts file says the following
> > X.X.X.X    blade.qdms.co.in blade.quark.co.in blade
> > X.X.X.X    beetle  beetle.qdms.co.in beetle.quark.co.in
> >
> > My /etc/resolv.conf says
> > domain  quark.co.in
> > nameserver      X.X.X.X
> > nameserver      X.X.X.X
> > search quark.co.in qdms.co.in
> >
> > Regards
> > Vikas
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> --
> 
>  Douglas E. Engert  <DEEngert at anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444

More information about the Kerberos mailing list