Prob: failed to verify krb5 credentials: Server not found in
Douglas E. Engert
deengert at anl.gov
Tue Feb 3 18:07:56 EST 2009
Two more things:
Who owns /etc/http.keytab? Apache needs access to the file.
Does hostname on the unix system show the FQDN: wiki.test.lan?
slaindevil at kabelmail.de wrote:
> First of all, thanks for your answers and interest.
>
> I already tried it without the port, because I realized, shortly after I sent my first mail, that the port is really not part of the name.
>
> So I recreated the keytab file with HTTP/wiki.test.lan@SRV.TEST.LAN.
> Kinit still works, but the "Server not in kerberos database" problem still remains.
>
> @Paul Moore: What do you mean by "an AD account with that SPN"? Could you be just a little more specific? It's late over here in Germany ;)
>
> I had created an extra user and password at the AD. This login is saved inside of the keytab together with the SPN: HTTP/wiki.test.lan@SRV.TEST.LAN
>
> BTW: Is there a way to find out what address the server is looking for?
>
> Greets,
>
>
> ----- Original Message -----
> From: "Paul Moore" <paul.moore at centrify.com>
> To: "Douglas E. Engert" <deengert at anl.gov>
> Cc: <slaindevil at kabelmail.de>; <kerberos at mit.edu>
> Sent: Tuesday, February 03, 2009 11:14 PM
> Subject: RE: Prob: failed to verify krb5 credentials: Server not found in Kerb
>
>
> For sure the port number should not be in the SPN. I didn't even notice
> that. I was wondering if there is any principal at all.
>
> -----Original Message-----
> From: Douglas E. Engert [mailto:deengert at anl.gov]
> Sent: Tuesday, February 03, 2009 2:13 PM
> To: Paul Moore
> Cc: slaindevil at kabelmail.de; kerberos at mit.edu
> Subject: Re: Prob: failed to verify krb5 credentials: Server not found
> in Kerb
>
>
>
> Paul Moore wrote:
>> is there an AD account with that SPN?
>> HTTP/wiki.test.lan:8080@SRV.TEST.LAN
>
> The port number :8080 is usually not part of the principal name.
> So the browser may be looking for HTTP/wiki.test.lan@SRV.TEST.LAN
>
>
>> -----Original Message-----
>> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
>> Behalf Of slaindevil at kabelmail.de
>> Sent: Tuesday, February 03, 2009 6:28 AM
>> To: kerberos at mit.edu
>> Subject: Prob: failed to verify krb5 credentials: Server not found in
>> Kerb
>>
>> Hey guys,
>>
>> I am close to despairing :(
>>
>> Maybe someone has time and likes to help me? :)
>>
>> I am trying to set up kerberos to authenticate a
>> TWiki running on Unix against a Windows Server 2003 Active Directory...
>> I configured the krb5.conf like this:
>>
>> [logging]
>> ...
>>
>> [libdefaults]
>> default_realm = SRV.TEST.LAN
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> ticket_lifetime = 24000
>> forwardable = yes
>>
>> [realms]
>> SRV.TEST.LAN = {
>>     kdc = location.srv.test.lan:88
>>     admin_server = location.srv.test.lan:749
>>     default_domain = SRV.TEST.LAN
>> }
>>
>> [domain_realm]
>> .test.lan = SRV.TEST.LAN
>> test.lan = SRV.TEST.LAN
>>
>> [appdefaults]
>> pam = {
>>     debug = false
>>     ticket_lifetime = 24000
>>     renew_lifetime = 36000
>>     forwardable = true
>>     krb4_convert = false
>> }
>>
>> When I use "kinit" everything works fine. With every valid login I get a
>> ticket...
>>
>>
>> Then I created the keytab file, set with a valid user and password for
>> the service: HTTP/wiki.test.lan:8080@SRV.TEST.LAN
>
> Leave off the :8080
>
>> http://wiki.test.lan:8080/bin is the url I type into the browser...
>>
>> When I use "kinit" with the keytab and HTTP/wiki.test.lan:8080
>> everything works fine... I get a ticket...
>>
>> Now I wanna setup the twiki to use kerberos to authenticate with...
>> The httpd.conf for the "bin" directory at http://wiki.test.lan:8080/ is
>> like following:
>> Order Deny,Allow
>> Allow from all
>>
>> AuthType Kerberos
>> KrbAuthRealms SRV.TEST.LAN
>> KrbServiceName HTTP
>> Krb5Keytab /etc/http.keytab
>> KrbMethodNegotiate on
>> KrbMethodK5Passwd on
>> Require valid-user
>>
>> When I browse to "http://wiki.srv.lan:8080/bin" the login box prompts...
>> I enter a valid login, but the box stays...
>>
>> In the log it says:
>> failed to verify krb5 credentials: Server not found in Kerberos database
>> What is wrong? Can someone help me?! :(
>>
>> Greets,
>>
>>
>> ________________________________________________
>> Kerberos mailing list Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
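
The check this thread converges on, as an added example (not written by any participant in the thread): derive the service principal a browser is expected to request for a URL, and compare it with the entries in `klist -k` output for the keytab. It assumes, as the replies above say, that the port is not part of the principal name; the function names, the sample listings and the KVNO value are constructed.

```shell
#!/bin/sh
# Added example; function names and sample listings are constructed.

# expected_spn URL REALM -> HTTP/<host>@<REALM>
# Assumption (from the thread): the port is not part of the principal name.
expected_spn() {
    host=${1#*://}      # drop the scheme
    host=${host%%/*}    # drop the path
    host=${host%%:*}    # drop the :port
    host=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
    printf 'HTTP/%s@%s\n' "$host" "$2"
}

# keytab_principals: `klist -k` output on stdin -> one principal per line.
# Entry lines start with a numeric KVNO; header lines do not.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }'
}

# check_keytab URL REALM: `klist -k` output on stdin.
# Returns 0 if the expected SPN is in the keytab, 1 otherwise, and points
# out entries that carry a port number in the principal name.
check_keytab() {
    want=$(expected_spn "$1" "$2")
    list=$(keytab_principals)
    if printf '%s\n' "$list" | grep -Fxq "$want"; then
        echo "OK: keytab contains $want"
        return 0
    fi
    echo "MISSING: $want"
    printf '%s\n' "$list" | grep ':[0-9][0-9]*@' |
        sed 's/^/  entry with port in name: /'
    return 1
}

# Constructed samples in `klist -k` layout (KVNO value is made up).
SAMPLE_BAD='Keytab name: FILE:/etc/http.keytab
KVNO Principal
---- ------------------------------------
   3 HTTP/wiki.test.lan:8080@SRV.TEST.LAN'

SAMPLE_GOOD='Keytab name: FILE:/etc/http.keytab
KVNO Principal
---- ------------------------------------
   3 HTTP/wiki.test.lan@SRV.TEST.LAN'
```

Against a real keytab: `klist -k /etc/http.keytab | check_keytab http://wiki.test.lan:8080/bin SRV.TEST.LAN`. Running that as the account Apache runs under also shows whether that account can read the file.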