Prob: failed to verify krb5 credentials: Server not found in

Paul Moore paul.moore at centrify.com
Tue Feb 3 17:46:44 EST 2009


There needs to be a principal (user or computer) in AD with a Service
Principal Name equal to http/wiki.test.len

This gets created for a Windows machine when the machine joins.

You seem to be doing this by hand. So you must use setspn (addspn? I
forget) to add an SPN to the user or machine account for which you have
created the keytab. Or adsiedit will do it.

Shameless commercial plug: you could always use a commercial solution
such as Centrify DirectControl, it will do the right thing
automatically for you.



-----Original Message-----
From: slaindevil at kabelmail.de [mailto:slaindevil at kabelmail.de] 
Sent: Tuesday, February 03, 2009 3:42 PM
To: Paul Moore; deengert at anl.gov
Cc: kerberos at mit.edu
Subject: Re: Prob: failed to verify krb5 credentials: Server not found
in

First of all, thanks for your answers and interest.

I already tried it without the port, because I realized, shortly after I
sent my first mail, that the port is really not part of the name.

So I recreated the keytab file with HTTP/wiki.test.lan at SRV.TEST.LAN.
Kinit still works, but the "Server not in kerberos database" problem
still remains.

@Paul Moore: What do you mean by "an AD account with that SPN"? Could
you be just a little more specific? It's late over here in Germany ;)

I had created an extra user and password at the AD. This login is saved
inside of the keytab together with the SPN:
HTTP/wiki.test.lan at SRV.TEST.LAN

BTW: Is there a way to find out what address the server is looking for?


Greets,


----- Original Message ----- 
From: "Paul Moore" <paul.moore at centrify.com>
To: "Douglas E. Engert" <deengert at anl.gov>
Cc: <slaindevil at kabelmail.de>; <kerberos at mit.edu>
Sent: Tuesday, February 03, 2009 11:14 PM
Subject: RE: Prob: failed to verify krb5 credentials: Server not found
in Kerb


For sure the port number should not be in the SPN. I didn't even notice
that. I was wondering if there is any principal at all.

-----Original Message-----
From: Douglas E. Engert [mailto:deengert at anl.gov] 
Sent: Tuesday, February 03, 2009 2:13 PM
To: Paul Moore
Cc: slaindevil at kabelmail.de; kerberos at mit.edu
Subject: Re: Prob: failed to verify krb5 credentials: Server not found
in Kerb



Paul Moore wrote:
> is there an AD account with that SPN?
> HTTP/wiki.test.lan:8080 at SRV.TEST.LAN

The port number :8080 is usually not part of the principal name.
So the browser may be looking for HTTP/wiki.test.lan at SRV.TEST.LAN


> 
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
> Behalf Of slaindevil at kabelmail.de
> Sent: Tuesday, February 03, 2009 6:28 AM
> To: kerberos at mit.edu
> Subject: Prob: failed to verify krb5 credentials: Server not found in
> Kerb
> 
> Hey guys,
> 
> I am close to despairing :(
> 
> Maybe someone has time and likes to help me? :)
> 
> I am trying to set up kerberos to authenticate a
> TWiki running on Unix against a Windows Server 2003 Active Directory...
> 
> I configured the krb5.conf like this:
> 
> [logging]
>  ...
> 
> [libdefaults]
>  default_realm = SRV.TEST.LAN
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24000
>  forwardable = yes
> 
> [realms]
>  SRV.TEST.LAN = {
>   kdc = location.srv.test.lan:88
>   admin_server =  location.srv.test.lan:749
>   default_domain = SRV.TEST.LAN
>  }
> 
> [domain_realm]
>  .test.lan = SRV.TEST.LAN
>  test.lan = SRV.TEST.LAN
> 
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 24000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>  }
> 
> When I use "kinit" everything works fine. With every valid login I get a
> ticket...
> 
> 
> Then I created the keytab file, set with a valid user and password for
> the service: HTTP/wiki.test.lan:8080 at SRV.TEST.LAN

Leave off the :8080

> 
> http://wiki.test.lan:8080/bin is the url I type into the browser...
> 
> When I use "kinit" with the keytab and HTTP/wiki.test.lan:8080
> everything works fine... I get a ticket...
> 
> Now I wanna setup the twiki to use kerberos to authenticate with...
> The httpd.conf for the "bin" directory at http://wiki.test.lan:8080/ is
> as follows:
> Order Deny,Allow
> Allow from all
>    
> AuthType Kerberos
> KrbAuthRealms SRV.TEST.LAN
> KrbServiceName HTTP
> Krb5Keytab /etc/http.keytab
> KrbMethodNegotiate on
> KrbMethodK5Passwd on
> Require valid-user
> 
> When I browse to "http://wiki.srv.lan:8080/bin" the login box prompts...
> I enter a valid login, but the box stays...
> 
> In the log it says:
> failed to verify krb5 credentials: Server not found in Kerberos database
> 
> What is wrong? Can someone help me?! :(
> 
> Greets,
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
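
The naming check discussed in this thread, as an added example that is not part of any poster's message: it derives the service principal a Negotiate client would request for a URL (service/host@REALM, port dropped) and compares it with the principals stored in a keytab. Assumptions: the host name is used as typed with no DNS canonicalization, the realm comes from a simplified `[domain_realm]` lookup, and the keytab principals are supplied as strings (for example copied from `klist -k` output); it does not check whether AD actually has the SPN registered.

```python
from urllib.parse import urlsplit

# Constructed sample: the [domain_realm] section of the krb5.conf quoted above.
KRB5_CONF = """\
[domain_realm]
 .test.lan = SRV.TEST.LAN
 test.lan = SRV.TEST.LAN
"""

def parse_domain_realm(conf_text):
    """Return the [domain_realm] mappings of a krb5.conf as a dict."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "domain_realm" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = value
    return mapping

def realm_for_host(host, mapping):
    """Exact host entry first, then the longest matching '.domain' suffix."""
    host = host.lower()
    if host in mapping:
        return mapping[host]
    parts = host.split(".")
    for i in range(1, len(parts)):
        suffix = "." + ".".join(parts[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None  # no mapping: the client cannot pick a realm from this table

def expected_spn(url, mapping, service="HTTP"):
    """Principal requested for url: service/host@REALM, never with the port."""
    host = urlsplit(url).hostname
    realm = realm_for_host(host, mapping)
    return f"{service}/{host}@{realm}" if realm else None

def check_keytab(url, keytab_principals, mapping):
    """Return (expected SPN, True if the keytab holds exactly that name)."""
    spn = expected_spn(url, mapping)
    return spn, spn in keytab_principals

if __name__ == "__main__":
    m = parse_domain_realm(KRB5_CONF)
    print(check_keytab("http://wiki.test.lan:8080/bin",
                       ["HTTP/wiki.test.lan:8080@SRV.TEST.LAN"], m))
```
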
