Server not found in Kerberos database while getting a service url ticket

Douglas E. Engert deengert at anl.gov
Tue May 23 09:54:49 EDT 2006



vpouli wrote:

> hello,
> I have added to my kerberos database the following principal:
> "http://localhost:8080/axis/services/test" .
> (It's in a url format instead of being in the format:
> service/host at REALM.)

Even if you could add this, the use of localhost is relative to the
local host and is not unique. Principals normally have service/FQDN at realm.

What you should be using is HTTP/your.full.host.name

> So, the thing is that I would like to acquire a service ticket for that
> principal.
> To request a service ticket I am using gss api and follow the next
> steps:
> 
> class KrbClient{
> main(){
> ....
> //I have acquired the credentials from the ticket cache
> ...
> PrincipalName serviceName = new
> PrincipalName("http://localhost:8080/axis/services/test");
> 
> // create the tgs_req to ask for service tickets
> sun.security.krb5.KrbTgsReq tgs_req = new
> sun.security.krb5.KrbTgsReq(credentials, serviceName);
> 
> tgs_req.send();
> 
> // get tgs_rep
> KrbTgsRep tgs_rep = tgs_req.getReply();
> }
> }
> 
> and it gets the following error:
> 
> KrbException: Server not found in Kerberos database (7)
> 	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:67)
> 	at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:235)
> 	at KrbClient.requestServiceTicket(KrbClient.java:142)
> 	at KrbClient.main(KrbClient.java:39)
> Caused by: KrbException: Identifier doesn't match expected value (906)
> 	at sun.security.krb5.internal.KDCRep.init(KDCRep.java:134)
> 	at sun.security.krb5.internal.TGSRep.init(TGSRep.java:59)
> 	at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:54)
> 	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:50)
> 	... 3 more
> 
> From the debugging of gss api:
> 
>>>>KRBError:
> 
> 	 sTime is Mon May 22 19:07:26 EEST 2006 1148314046000
> 	 suSec is 722233
> 	 error code is 7
> 	 error Message is Server not found in Kerberos database
> 	 crealm is GRID.ORG
> 	 cname is vpouli
> 	 realm is GRID.ORG
> 	 sname is http://localhost:8080/axis/services/test
> 
> From the kdc log file:
> 2006-05-22T19:40:59 TGS-REQ vpouli at GRID.ORG from IPv4:147.102.183.137
> for http:/\/localhost:8080/axis/services/test at GRID.ORG
> 2006-05-22T19:40:59 Server not found in database:
> http:/\/localhost:8080/axis/services/test at GRID.ORG: No such entry in
> the database
> 2006-05-22T19:40:59 sending 155 bytes to IPv4:147.102.183.137
> 
> What I see, is that when I request a ticket for a service principal
> which contains "//" (like in http://localhost....) it puts an escape
> character '\' between '//'  and tries to find "http:/\/localhost..."
> instead of "http://localhost....".
> 
> Is there something I can do about it?
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
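
The naming advice in the reply above, as an added Java example (not part of the original thread or either poster's code): it derives the host-based service name HTTP@fqdn from a service URL, rejects localhost, and requests the ticket through the public org.ietf.jgss API. The class and method names are made up for illustration, your.full.host.name is the placeholder from the reply, and the run assumes a valid TGT plus a matching HTTP/your.full.host.name entry in the KDC.

```java
import java.net.URI;
import java.util.Locale;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class HttpServiceTicket {   // hypothetical class name

    // Map a service URL to the GSS host-based name "HTTP@<fqdn>", which the
    // Kerberos mechanism resolves to the principal HTTP/<fqdn>@REALM.
    static String hostBasedName(String url) {
        String host = URI.create(url).getHost();
        if (host == null) {
            throw new IllegalArgumentException("no host in " + url);
        }
        host = host.toLowerCase(Locale.ROOT);
        // "localhost" and single-label names are not unique within a realm.
        if (host.equals("localhost") || !host.contains(".")) {
            throw new IllegalArgumentException("need a fully qualified host name, got " + host);
        }
        return "HTTP@" + host;   // scheme, port and path are not part of the principal
    }

    // Ask the JDK's Kerberos mechanism for a service ticket and return the first
    // context token (it carries the AP-REQ built from that ticket).
    static byte[] requestTicket(String gssName) throws Exception {
        GSSManager manager = GSSManager.getInstance();
        GSSName service = manager.createName(gssName, GSSName.NT_HOSTBASED_SERVICE);
        Oid krb5 = new Oid("1.2.840.113554.1.2.2");   // Kerberos V5 mechanism OID
        GSSContext ctx = manager.createContext(service, krb5, null, GSSContext.DEFAULT_LIFETIME);
        try {
            return ctx.initSecContext(new byte[0], 0, 0);   // triggers the TGS-REQ
        } finally {
            ctx.dispose();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample URL using the placeholder host name from the reply.
        String name = hostBasedName("http://your.full.host.name:8080/axis/services/test");
        System.out.println("GSS name: " + name);
        byte[] token = requestTicket(name);
        System.out.println("service ticket obtained, token length " + token.length);
    }
}
```

Run it with `-Djavax.security.auth.useSubjectCredsOnly=false` so the JDK is allowed to take the TGT from the ticket cache rather than from a JAAS Subject.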