Server not found in Kerberos database error on ldapsearch

Zharovsky Evgeniy Evgeniy.Zharovsky at Verwaltung.Uni-Muenchen.DE
Fri Nov 16 09:05:47 EST 2007 

I don't know, if I got you right (I'm not quite good in networks and
especially AD; thats a new thing for me, so I'm a noob)

So I just ask again:
Douglas E. Engert wrote
> > I captured the request dialog with wireshark and got this 
> (the things I think
> > are important):
> > 
> > MSG Type: KRB-ERROR
> > Error_code:  KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
> > Realm: EXAMPLE.COM
> > Server Name (Unknown): krbtgt/COM
> > 	Name-type: Unknown (0)
> > 	Name: krbtgt
> > 	Name: COM
> 
> This looks like cross realm, where the client is working its 
> way up the realm
> tree to get the the realm of the server, say AD.DOMAIN.COM. 
> Client is using TGT
> from EXAMPLE.COM to get TGT for realm COM (which does not 
> exist) If it did, it
> would then try and get a TGT from COM for DOMAIN.COM, then 
> get one from
> AD.DOMAIN.COM and the get service ticket from AD.DOMAIN.COM.
> 
> I thought you where trying to use Active Directory, and the 
> domain name
> was something like ad.domain.com. So why does you unix system have
> a realm named EXAMPLE.COM? Have you setup cross realm trust 
> between them?
> 
> If you are not using cross-real, then you should be using the 
> AD domain name as
> the realm name.  It should have a realm named AD.DOMAIN.COM.
> Either the user and server must be in the same realm, or you 
> need cross realm
> trust.

The domain/realm in AD is called example.com . My Unix-Client is
gate.exaple.com
On running 'kinit proxyuser'
(the proxyuser is mapped to gate.example.com as Microsoft docu suggested)
I get a ticket that looks like this

[me at gate ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: proxyuser at EXAMPLE.COM

Valid starting     Expires            Service principal
11/16/07 13:11:24  11/16/07 23:08:03  krbtgt/EXAMPLE.COM at EXAMPLE.COM
        renew until 11/17/07 13:11:24


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached

So I assumed the TGT-Server is krbtgt/EXAMPLE.COM at EXAMPLE.COM and works fine.
I don't get, why ldapsearch is looking for krbtgt/COM and not
krbtgt/EXAMPLE.COM at EXAMPLE.COM.

Should I rename the AD domain to ad.example.com or something like that? Is
that what you ment?

> I am assuming that you do not wish to reveal the actual names 
> of the host,
> realms and AD domain you are using. This makes it very 
> difficult to see what
> the real problem is.

So what kind of setup do you think is good for such tests? The setup I got
here is described in Microsoft's Windows Security and Directory Services for
UNIX (Vol. 2) guide. It's the only documentation I got on this problem. Do
you have some links or other information I could have a look at? The problem
I need to solve is: I should setup a VPN-gate that is able to authenticate
and authorize a user by looking him up in AD. Authentication should be based
on Kerberos, authorization on LDAP-groups. It worked fine with PAM+Kerberos
and simple bind for LDAP. Now there came the requirement to have a secure
LDAP connection (over Kerberos). And that is what I'm dealing with now. The
test setup works as long as I do not try to authenticate my LDAP client over
Kerberos. And I don't get why this is something different, than authenticate
a user on the gate using PAM and Kerberos...

> > Yes, I do have a krb5.conf on the unix side. Here it is:
> > 
> > [libdefaults]
> >         default_realm=EXAMPLE.COM
> >         dns_lookup_realm = false
> >         dns_lookup_kdc = false
> > #       default_tkt_enctypes = des-cbc-md5 des-cbc-crc
> > #       default_tgs_enctypes = des-cbc-md5 des-cbc-crc
> >         kdc_timesync = 1
> >         ccache_type = 4
> >         forwardable = true
> >         proxiable = true
> > #       v4_instance_resolve = false
> > #       v4_name_convert = {
> > [realms]
> > EXAMPLE.COM = {
> >         kdc = 192.168.10.4:88
> >         admin_server = 192.168.10.4:749
> > }
> > [domain_realm]
> >         .example.com = EXAMPLE.COM
> 
> By default Kerberos will take a host name, and strip off the
> short name, and use the domain name as a realm name for the host.
> So add the other domains and or hosts here too.
> 
What other domains do you mean? I have a UNIX client, which is
gate.example.com and an AD Server that is exapmle.com Maybe this is the
problem, because AD should be something like ad.example.com? Is that what you
ment above?


-----------------

Evgeniy Zharovsky

Ludwig-Maximilians-Universitaet
Ref. IIIA5 (Sicherheitstechnik und Verzeichnisdienste) 
Martiusstr. 4 / 207
80539 Muenchen

email  mailto:evgeniy.zharovsky at verwaltung.uni-muenchen.de

More information about the Kerberos mailing list