Server not found in Kerberos database error on ldapsearch

Douglas E. Engert deengert at anl.gov
Fri Nov 9 23:00:29 EST 2007



jeck wrote:
> Thank you for the fast reply! 
> 
>> It should work with something like this with OpenLDAP SASL and GSSAPI:
>>
>> ldapsearch -b "dc=ad,dc=domain,dc=com" -h dc1.ad.domain.com -Y GSSAPI ...
>> where the domain name is ad.domain.com and one of the AD controllers
>> is dc1.ad.domain.com
>

You can also try the -R REALM and -U=user options.

> That is exactly the way I tried it. GSSAPI exits with unknown GSS error, the
> minor code is "Server not found in Kerberos database". And that is my
> problem...
> 
>> You should *not* need a keytab at all.
> 
> I didn't know that... I tried with keytab and without. The result stays the
> same.
> 
>>> and kinit seems to work fine for the same user as I want to use
>>> with ldapsearch. 
>> Usually a user with some AD administrative privileges.
> 
> Yes. When I use simple bind, the query works for this user, so I think the
> privileges are ok.
> 
>>> The hosts-files
>> What host files?
> 
> The /etc/hosts files on both machines (well on Windows it's
> {WIN}\system32\etc\hosts). I mentioned this, because lots of solutions I
> found, said, that my problem had something to do with DNS problems and
> recommended to set up the /etc/hosts files manually. Unfortunately it didn't
> help in my case. I mentioned it, because I thought, that it would eliminate
> the DNS-problem-option...

You should not need these.


Some things to try:

  Wireshark or another trace program to see DNS and Kerberos requests.
This should show the name of the "Server not found in Kerberos database"

On the unix side, do you have a /etc/krb5.conf or /etc/krb5.conf?
Is the default realm (in uppercase) the same as the AD domain name?
If not, you may need a krb5.conf, or the -R option on ldapsearch.

If AD is setup correctly, it should have DNS SRV records for Kerberos
and LDAP.

  nslookup
  set type=ANY
  _kerberos._tcp.ad.domain.com
  _ldap._tcp.ad.domain.com

This should show the FQDN of the servers, both Kerberos and LDAP.


> 
> Maybe my point of view is not quite right to understand the problem... What
> information could be of interest to understand and solve it?

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
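The checks Douglas lists above (default realm in uppercase and equal to the AD domain, -R override, FQDN of the controller, and the _kerberos._tcp / _ldap._tcp SRV names) can be put in a small helper. The script below is an added example, not code from the thread or from OpenLDAP/MIT Kerberos: it parses a krb5.conf, derives the service principal that the GSSAPI client will ask the KDC for (ldap/<host>@REALM; "Server not found in Kerberos database" is the KDC's KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN reply to that request), and lists the SRV names to query with nslookup. The sample krb5.conf and the host/domain names are constructed for illustration; in practice the host portion may still be rewritten by DNS canonicalization, which is why the reply recommends a packet trace.

```python
"""Diagnostic helper for 'Server not found in Kerberos database' when
ldapsearch -Y GSSAPI talks to an Active Directory domain controller.

Given the -h host (and optional -R realm) from the ldapsearch command line and
the contents of krb5.conf, derive what the client will request from the KDC and
which DNS SRV records to check. Example code, not part of the mailing-list post."""
import re
from dataclasses import dataclass, field

# Constructed sample krb5.conf (not from the thread). The default_realm is
# deliberately lowercase so the realm check below has something to flag.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = ad.domain.com
    dns_lookup_kdc = true

[realms]
    AD.DOMAIN.COM = {
        kdc = dc1.ad.domain.com
    }
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}} for top-level 'key = value' lines.
    Brace-delimited sub-blocks (per-realm settings) are skipped; only the
    [libdefaults] keys matter for this check."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m and depth == 0:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if line.endswith('{'):            # entering a nested block
            depth += 1
            continue
        if line == '}':                   # leaving a nested block
            depth -= 1
            continue
        if depth == 0 and current and '=' in line:
            key, _, value = line.partition('=')
            sections[current][key.strip()] = value.strip()
    return sections


@dataclass
class Diagnosis:
    realm: str                 # realm the client will use (-R wins over krb5.conf)
    service_principal: str     # name the KDC is asked for; the one it "did not find"
    srv_records: list          # names to query with 'nslookup' / 'set type=ANY'
    findings: list = field(default_factory=list)


def diagnose(host, ad_domain, krb5_conf_text, realm_override=None):
    """Mirror the manual checks from the reply: realm case and match, FQDN of the
    controller, and the SRV record names AD should publish."""
    libdefaults = parse_krb5_conf(krb5_conf_text).get('libdefaults', {})
    realm = realm_override or libdefaults.get('default_realm', '')
    findings = []
    if not realm:
        findings.append('no default_realm in krb5.conf and no -R REALM given')
    elif realm != realm.upper():
        findings.append(f'realm {realm!r} is not uppercase; an AD realm is the '
                        f'domain name in uppercase (or pass -R {realm.upper()})')
    if realm.upper() != ad_domain.upper():
        findings.append(f'realm {realm!r} does not match AD domain {ad_domain!r}')
    if '.' not in host:
        findings.append(f'-h host {host!r} is not a FQDN; the KDC is asked for a '
                        f'principal built from this name')
    elif not host.lower().endswith('.' + ad_domain.lower()):
        findings.append(f'-h host {host!r} is not inside AD domain {ad_domain!r}')
    # GSSAPI targets the host-based service ldap@<host>; Kerberos turns that
    # into ldap/<host>@REALM (DNS canonicalization may still alter <host>).
    principal = f'ldap/{host.lower()}@{realm}'
    srv = [f'_kerberos._tcp.{ad_domain.lower()}', f'_ldap._tcp.{ad_domain.lower()}']
    return Diagnosis(realm, principal, srv, findings)


if __name__ == '__main__':
    d = diagnose('dc1.ad.domain.com', 'ad.domain.com', SAMPLE_KRB5_CONF)
    print('KDC will be asked for:', d.service_principal)
    print('SRV names to check:  ', ', '.join(d.srv_records))
    for f in d.findings:
        print('finding:', f)
```

Run it with the -h value from the failing ldapsearch and the AD domain; an empty findings list means the realm and host look consistent and the remaining step is the DNS/Kerberos trace to see which principal name the KDC actually rejected.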


