Server not found in Kerberos database while getting a service url ticket
Douglas E. Engert
deengert at anl.gov
Tue May 23 09:54:49 EDT 2006
vpouli wrote:
> hello,
> I have added to my kerberos database the following principal:
> "http://localhost:8080/axis/services/test" .
> (It's in a url format instead of being in the format:
> service/host at REALM.)
Even if you could add this, the use of localhost is relative to the
local host and is not unique. Principals normally have service/FQDN at realm.
What you should be using is HTTP/your.full.host.name
> So, the thing is that I would like to acquire a service ticket for that
> principal.
> To request a service ticket I am using gss api and follow the next
> steps:
>
> class KrbClient {
>     public static void main(String[] args) throws Exception {
>         ....
>         // I have acquired the credentials from the ticket cache
>         ...
>         PrincipalName serviceName =
>             new PrincipalName("http://localhost:8080/axis/services/test");
>
>         // create the tgs_req to ask for service tickets
>         sun.security.krb5.KrbTgsReq tgs_req =
>             new sun.security.krb5.KrbTgsReq(credentials, serviceName);
>
>         tgs_req.send();
>
>         // get tgs_rep
>         KrbTgsRep tgs_rep = tgs_req.getReply();
>     }
> }
>
> and it gets the following error:
>
> KrbException: Server not found in Kerberos database (7)
> at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:67)
> at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:235)
> at KrbClient.requestServiceTicket(KrbClient.java:142)
> at KrbClient.main(KrbClient.java:39)
> Caused by: KrbException: Identifier doesn't match expected value (906)
> at sun.security.krb5.internal.KDCRep.init(KDCRep.java:134)
> at sun.security.krb5.internal.TGSRep.init(TGSRep.java:59)
> at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:54)
> at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:50)
> ... 3 more
>
> From the debugging of gss api:
>
> >>>KRBError:
>
> sTime is Mon May 22 19:07:26 EEST 2006 1148314046000
> suSec is 722233
> error code is 7
> error Message is Server not found in Kerberos database
> crealm is GRID.ORG
> cname is vpouli
> realm is GRID.ORG
> sname is http://localhost:8080/axis/services/test
>
> From the kdc log file:
> 2006-05-22T19:40:59 TGS-REQ vpouli at GRID.ORG from IPv4:147.102.183.137
> for http:/\/localhost:8080/axis/services/test at GRID.ORG
> 2006-05-22T19:40:59 Server not found in database:
> http:/\/localhost:8080/axis/services/test at GRID.ORG: No such entry in
> the database
> 2006-05-22T19:40:59 sending 155 bytes to IPv4:147.102.183.137
>
> What I see, is that when I request a ticket for a service principal
> which contains "//" (like in http://localhost....) it puts an escape
> character '\' between '//' and tries to find "http:/\/localhost..."
> instead of "http://localhost....".
>
> Is there something I can do about it?
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
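
Added example, not part of the original message: one way to turn a service URL into the host-based name HTTP/your.full.host.name suggested in the reply and request a ticket through the public org.ietf.jgss API instead of the internal sun.security.krb5 classes. The class and method names are hypothetical, and it assumes the KDC has an HTTP/<fqdn> principal and that the JDK's default Kerberos login can read the ticket cache.

```java
import java.net.InetAddress;
import java.net.URI;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class HttpServiceTicket {                       // hypothetical class name
    private static final String KRB5_MECH = "1.2.840.113554.1.2.2"; // Kerberos V5 OID

    /** Map a service URL to the GSS host-based name "HTTP@fqdn". */
    static String hostBasedName(String serviceUrl) throws Exception {
        String host = URI.create(serviceUrl).getHost();
        if (host == null) {
            throw new IllegalArgumentException("no host in " + serviceUrl);
        }
        // localhost is relative to each machine, so it cannot name a unique service.
        if (!host.contains(".") || InetAddress.getByName(host).isLoopbackAddress()) {
            throw new IllegalArgumentException(host + " is not a fully qualified host name");
        }
        // Scheme, port and path are dropped; they are not part of the principal.
        return "HTTP@" + host.toLowerCase();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: HttpServiceTicket <service-url>");
            return;
        }
        // Assumption: credentials come from the default ticket cache, not a JAAS Subject.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        GSSManager manager = GSSManager.getInstance();
        GSSName service = manager.createName(hostBasedName(args[0]),
                GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = manager.createContext(service, new Oid(KRB5_MECH),
                null, GSSContext.DEFAULT_LIFETIME);
        try {
            // The first call makes the TGS request for HTTP/fqdn in the default realm.
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            System.out.println("got initial context token, " + token.length + " bytes");
        } finally {
            ctx.dispose();
        }
    }
}
```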