gss-server error

lizhong lizhong at ncic.ac.cn
Mon Aug 21 22:27:57 EDT 2006


In the manual by Jim Rome, "How to Kerberize your site" (http://www.ornl.gov/~jar/HowToKerb.html#Configure), all examples are in lowercase.
So I think there might be a DNS issue, or I used the parameters of the gss-server improperly.

The server's command line usage is
  
 gss-server [-port port] [-verbose] [-once] [-inetd] [-export]
  [-logfile file] service_name
  
where service_name is a GSS-API service name of the form "service at host" (or just "service", in which case the local host name is used).

Now I have 2 machines, the KDC server is called A, and the application server is called B. The gss-server is on the machine B. The keytab file has been generated on the machine B:
[root at gcnode029 gss-sample]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 test/admin at test.com

When I try to run gss-server using the command: "./gss-server -port 8888 -once test/admin at test.com", output:
[root at gcnode029 gss-sample]# ./gss-server -port 8888 -once test/admin at test.com
GSS-API error acquiring credentials: An invalid name was supplied
GSS-API error acquiring credentials: Hostname cannot be canonicalized

When I try to run gss-server using the command: "./gss-server -port 8888 -once test/admin", output:
[root at gcnode029 gss-sample]# ./gss-server -port 8888 -once test/admin
GSS-API error acquiring credentials: Unspecified GSS failure.  Minor code may provide more information
GSS-API error acquiring credentials: No principal in keytab matches desired name

When I try to run gss-server using the command: "./gss-server -port 8888 -once test", output:
[root at gcnode029 gss-sample]# ./gss-server -port 8888 -once test
GSS-API error acquiring credentials: Unspecified GSS failure.  Minor code may provide more information
GSS-API error acquiring credentials: No principal in keytab matches desired name

In fact I don't know exactly what the service-name should be like. Are the errors above caused by a DNS problem, or by the keytab file?


----- Original Message ----- 
From: "Michael B Allen" <mba2000 at ioplex.com>
To: "lizhong" <lizhong at ncic.ac.cn>
Cc: <kerberos at mit.edu>
Sent: Monday, August 21, 2006 10:29 PM
Subject: Re: gss-server error


> A Kerberos realm is always in uppercase [1]. If you did *everything*
> with a lowercase realm name I suspect things might work but perhaps not.
> 
> Or, based on the second error, perhaps there is a DNS issue?
> 
> Mike
> 
> [1] The realm is effectively the DNS domain in uppercase and therefore
> it is not uncommon to see lowercase names (e.g. DNS oriented software).
> 
> On Mon, 21 Aug 2006 17:00:03 +0800
> "lizhong" <lizhong at ncic.ac.cn> wrote:
> 
>> I'm trying to test with gss-client and gss-server but am unsuccessful in 
>> getting it to work.
>> 
>> I have set up an MIT Realm called test.com and added a client named test/admin at test.com.
>> I am able to kinit and get a ticket from the KDC. 
>> 
>> [root at gcnode029 gss-sample]# kinit
>> Password for test/admin at test.com: 
>> kinit(v5): Password incorrect while getting initial credentials
>> [root at gcnode029 gss-sample]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: test/admin at test.com
>> 
>> Valid starting     Expires            Service principal
>> 08/21/06 15:45:15  08/22/06 15:45:15  krbtgt/test.com at test.com
>> 
>> 
>> Kerberos 4 ticket cache: /tmp/tkt0
>> klist: You have no tickets cached
>> [root at gcnode029 gss-sample]# 
>> 
>> But if I run "gss-server -port 8888 -verbose -once test/admin at test.com", I met the following error:
>> 
>> [root at gcnode029 gss-sample]# ./gss-server -port 8888 -verbose -once test/admin at test.com
>> GSS-API error acquiring credentials: An invalid name was supplied
>> GSS-API error acquiring credentials: Hostname cannot be canonicalized
>> 
>> I guess I used the service name in an improper way. So what service name should I use? Thank you for any help!
>> 
>> 
>> 
> 
> 
> -- 
> Michael B Allen
> PHP Active Directory SSO
> http://www.ioplex.com/
> 
>
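
How a host-based service name lines up with a keytab entry, as an added example that is not part of the original messages. The helper names and the FQDN `gcnode029.example.com` are assumptions, "@" is written where the list archive shows " at ", DNS canonicalization is replaced by passing the host name in, and rejecting a "/" in the service part is this example's own lint rather than library behaviour.

```shell
#!/bin/sh
# Added example (not from the thread). The krb5 GSS-API mechanism turns a
# host-based name "service@host" into the principal service/host@REALM.
# Simplification: the library canonicalizes the host through DNS; here the
# local host name is passed in so the script runs offline.

# hostbased_to_principal NAME LOCAL_FQDN REALM   (hypothetical helper)
hostbased_to_principal() (
    name=$1 local_fqdn=$2 realm=$3
    case $name in
        *@*) service=${name%%@*}; host=${name#*@} ;;
        *)   service=$name;       host=$local_fqdn ;;   # bare "service"
    esac
    # This example's own lint: a "/" in the service part usually means a
    # principal name was typed where service@host was expected.
    case $service in
        */*) echo "'$service' looks like a principal, not a service" >&2
             exit 2 ;;
    esac
    host=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')
    printf '%s/%s@%s\n' "$service" "$host" "$realm"
)

# keytab_has PRINCIPAL   (hypothetical helper; reads `klist -k` output on stdin)
keytab_has() {
    awk -v want="$1" '$1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
                      END { exit !found }'
}

# Constructed sample: the keytab entry from the thread, a placeholder FQDN.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------
   6 test/admin@test.com'
SAMPLE_FQDN=gcnode029.example.com   # placeholder, not from the thread
SAMPLE_REALM=test.com

for arg in 'test/admin@test.com' 'test/admin' 'test'; do
    if princ=$(hostbased_to_principal "$arg" "$SAMPLE_FQDN" "$SAMPLE_REALM" 2>/dev/null)
    then
        if printf '%s\n' "$SAMPLE_KEYTAB" | keytab_has "$princ"
        then state='in keytab'; else state='NOT in keytab'; fi
        echo "$arg -> $princ ($state)"
    else
        echo "$arg -> rejected: service part contains '/'"
    fi
done
```

On a real host, pipe the output of `klist -k` into `keytab_has` and pass the machine's canonical host name and realm instead of the sample values.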



