Prob: failed to verify krb5 credentials: Server not found in

Douglas E. Engert deengert at anl.gov
Tue Feb 3 18:01:02 EST 2009



slaindevil at kabelmail.de wrote:
> First of all, thanks for your answers and interest.
> 
> I already tried it without the port, because I realized, shortly after I sent my first mail, that the port is really not part of the name.
> 
> So I recreated the keytab file with HTTP/wiki.test.lan at SRV.TEST.LAN.
> Kinit still works, but the "Server not in kerberos database" problem still remains.
> 
> @Paul Moore: What do you mean, with "an AD account with that SPN"? Could you be just a little more specific? It's late over here in Germany ;)
> 
> I had created an extra user and password at the AD. This login is saved inside of the keytab together with the SPN: HTTP/wiki.test.lan at SRV.TEST.LAN
> 

How did you create this account, and why do you think the key and kvno in the keytab match what is in AD?
Good place to start:
    http://technet.microsoft.com/en-us/library/bb742433.aspx
then look at latest ktpass command syntax.

> BTW: Is there a way, to find out, what address the server is looking for? 

As Paul said:  Wireshark. It can parse Kerberos packets.

> 
> Greets,
> 
> 
> ----- Original Message ----- 
> From: "Paul Moore" <paul.moore at centrify.com>
> To: "Douglas E. Engert" <deengert at anl.gov>
> Cc: <slaindevil at kabelmail.de>; <kerberos at mit.edu>
> Sent: Tuesday, February 03, 2009 11:14 PM
> Subject: RE: Prob: failed to verify krb5 credentials: Server not found in Kerb
> 
> 
> for sure the port number should not be in the SPN. I didn't even notice
> that. I was wondering if there is any principal at all
> 
> -----Original Message-----
> From: Douglas E. Engert [mailto:deengert at anl.gov] 
> Sent: Tuesday, February 03, 2009 2:13 PM
> To: Paul Moore
> Cc: slaindevil at kabelmail.de; kerberos at mit.edu
> Subject: Re: Prob: failed to verify krb5 credentials: Server not found
> in Kerb
> 
> 
> 
> Paul Moore wrote:
>> is there an AD account with that SPN?
>> HTTP/wiki.test.lan:8080 at SRV.TEST.LAN
> 
> The port number :8080 is usually not part of the principal name.
> So the browser may be looking for HTTP/wiki.test.lan at SRV.TEST.LAN
> 
> 
>> -----Original Message-----
>> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
>> Behalf Of slaindevil at kabelmail.de
>> Sent: Tuesday, February 03, 2009 6:28 AM
>> To: kerberos at mit.edu
>> Subject: Prob: failed to verify krb5 credentials: Server not found in
>> Kerb
>>
>> Hey guys,
>>
>> I am short before despairing :(
>>
>> Maybe someone has time and likes to help me? :)
>>
>> I am trying to set up kerberos to authenticate a
>> TWiki running on Unix against a Windows Server 2003 Active Directory...
>> I configured the krb5.conf like this:
>>
>> [logging]
>>  ...
>>
>> [libdefaults]
>>  default_realm = SRV.TEST.LAN
>>  dns_lookup_realm = false
>>  dns_lookup_kdc = false
>>  ticket_lifetime = 24000
>>  forwardable = yes
>>
>> [realms]
>>  SRV.TEST.LAN = {
>>   kdc = location.srv.test.lan:88
>>   admin_server =  location.srv.test.lan:749
>>   default_domain = SRV.TEST.LAN
>>  }
>>
>> [domain_realm]
>>  .test.lan = SRV.TEST.LAN
>>  test.lan = SRV.TEST.LAN
>>
>> [appdefaults]
>>  pam = {
>>    debug = false
>>    ticket_lifetime = 24000
>>    renew_lifetime = 36000
>>    forwardable = true
>>    krb4_convert = false
>>  }
>>
>> When I use "kinit" everything works fine. With every valid login I get a
>> ticket...
>>
>>
>> Then I created the keytab file, set with a valid user and password for
>> the service: HTTP/wiki.test.lan:8080 at SRV.TEST.LAN
> 
> Leave  off the :8080
> 
>> http://wiki.test.lan:8080/bin is the url I type into the browser...
>>
>> When I use "kinit" with the keytab and HTTP/wiki.test.lan:8080
>> everything works fine... I get a ticket...
>>
>> Now I wanna setup the twiki to use kerberos to authenticate with...
>> The httpd.conf for the "bin" directory at http://wiki.test.lan:8080/ is
>> like following:
>> Order Deny,Allow
>> Allow from all
>>    
>> AuthType Kerberos
>> KrbAuthRealms SRV.TEST.LAN
>> KrbServiceName HTTP
>> Krb5Keytab /etc/http.keytab
>> KrbMethodNegotiate on
>> KrbMethodK5Passwd on
>> Require valid-user
>>
>> When I browse to "http://wiki.srv.lan:8080/bin" the login box prompts...
>> I enter a valid login, but the box stays...
>>
>> In the log it says:
>> failed to verify krb5 credentials: Server not found in Kerberos database
>> What is wrong? Can someone help me?! :(
>>
>> Greets,
>>
>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
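
An added example, not part of the original message and not code from any project named in the thread: a small reader for the MIT keytab file format (0x0502) that lists each entry's principal and kvno, then compares them with the SPN the client requests and the kvno the KDC reports. The function names and the sample keytab (dummy all-zero key) are constructed here; the KDC's kvno is assumed to have been read separately, for example from a ticket in a Wireshark capture.

```python
import struct

def parse_keytab(data):
    """List (principal, kvno, enctype) for every entry of an MIT keytab, format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                     # negative length marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        p, names = pos + 2, []
        for _ in range(ncomp + 1):        # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, p)
            names.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        kvno = data[p + 8]                # after name type (4) and timestamp (4)
        enctype, keylen = struct.unpack_from(">HH", data, p + 9)
        p += 13 + keylen
        if end - p >= 4:                  # optional 32-bit kvno wins when non-zero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno, enctype))
        pos = end
    return entries

def check_spn(entries, wanted, kdc_kvno):
    """Compare keytab entries with the SPN a client requests and the KDC's kvno."""
    problems = [f"{p}: port in principal name"
                for p, _, _ in entries if ":" in p.split("@")[0]]
    kvnos = [k for princ, k, _ in entries if princ == wanted]
    if not kvnos:
        problems.append(f"{wanted}: no keytab entry")
    elif kdc_kvno not in kvnos:
        problems.append(f"{wanted}: keytab kvno {kvnos} != KDC kvno {kdc_kvno}")
    return problems

def sample_entry(realm, comps, kvno, enctype=23, key=b"\x00" * 16):
    """Build one constructed keytab entry (enctype 23 = rc4-hmac, dummy key)."""
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: a keytab holding the SPN as first created in the thread.
SAMPLE = b"\x05\x02" + sample_entry("SRV.TEST.LAN", ["HTTP", "wiki.test.lan:8080"], 3)
```

On a real file, pass `open("/etc/http.keytab", "rb").read()` to `parse_keytab`; the listing corresponds to what `klist -k` prints.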


