Prob: failed to verify krb5 credentials: Server not in

Paul Moore paul.moore at centrify.com
Tue Feb 3 18:29:20 EST 2009


there are 2 user accounts

a) one for the application
b) one (or more) for the user you are logging on with

user (a) must have an SPN of http/wiki.test.lan, the actual UPN does
not matter; wikiwebserver will do nicely
user (b) is just a regular user




-----Original Message-----
From: slaindevil at kabelmail.de [mailto:slaindevil at kabelmail.de] 
Sent: Tuesday, February 03, 2009 4:21 PM
To: deengert at anl.gov
Cc: Paul Moore; kerberos at mit.edu
Subject: Re: Prob: failed to verify krb5 credentials: Server not in

>  Who owns /etc/http.keytab? Apache needs access to the file.

Apache has access to the keytab. I also put the keytab directly into
the TWiki web directory itself. Made no change...

> Does hostname on the unix system show the FQDN: wiki.test.lan?

I did a nslookup on the unix system and it showed me the server as
wiki.test.lan.
I thought this would be enough on finding out the FQDN... Am I wrong
with that?

> How did you create this account, and why do you think the key and kvno
> in the keytab match what is in AD?

I created the account on the AD manually... Then I created the keytab
file by using ktpass with the SPN, the username, the password and some
other things for the encryption. I can give you the complete exact
information tomorrow...

> As Paul said:  Wireshark. It can parse Kerberos packets.

Okay, I got some experience with Wireshark, just did not think about
it...
I'll try it out :)

> there needs to be a principal (user or computer) in AD with a Service
> Principal Name equal to http/wiki.test.lan
>
> this gets created for a windows machine when the machine joins
>
> you seem to be doing this by hand. So you must use setspn (addspn? I
> forget) to add an SPN to the user or machine account for which you
> have created the keytab. Or adsiedit will do it
>
> shameless commercial plug: you could always use a commercial solution
> such as Centrify DirectControl , it will do the right thing
> automatically for you

Mh... I don't know if I get you right... Currently the user's name at the
AD, that's also in the keytab file, is TWikiUser. So I have to change its
username to http/wiki.test.lan?

Greets,


----- Original Message ----- 
From: "Douglas E. Engert" <deengert at anl.gov>
To: <slaindevil at kabelmail.de>
Cc: <paul.moore at centrify.com>; <kerberos at mit.edu>
Sent: Wednesday, February 04, 2009 12:07 AM
Subject: Re: Prob: failed to verify krb5 credentials: Server not found
in


> Two more things:
>  Who owns /etc/http.keytab? Apache needs access to the file.
> 
> Does hostname on the unix system show the FQDN: wiki.test.lan?
> 
> 
> 
> slaindevil at kabelmail.de wrote:
>> First of all, thanks for your answers and interest.
>> 
>> I already tried it without the port, because I realized, shortly after
>> I sent my first mail, that the port is really not part of the name.
>> 
>> So I recreated the keytab file with HTTP/wiki.test.lan at SRV.TEST.LAN.
>> Kinit still works, but the "Server not in kerberos database" problem
>> still remains.
>> 
>> @Paul Moore: What do you mean with "an AD account with that SPN"?
>> Could you be just a little more specific? It's late over here in Germany
>> ;)
>> 
>> I had created an extra user and password at the AD. This login is
>> saved inside of the keytab together with the SPN:
>> HTTP/wiki.test.lan at SRV.TEST.LAN
>> 
>> BTW: Is there a way to find out what address the server is looking
>> for?
>> 
>> Greets,
>> 
>> 
>> ----- Original Message ----- 
>> From: "Paul Moore" <paul.moore at centrify.com>
>> To: "Douglas E. Engert" <deengert at anl.gov>
>> Cc: <slaindevil at kabelmail.de>; <kerberos at mit.edu>
>> Sent: Tuesday, February 03, 2009 11:14 PM
>> Subject: RE: Prob: failed to verify krb5 credentials: Server not
>> found in Kerb
>> 
>> 
>> for sure the port number should not be in the SPN. I didn't even
>> notice that. I was wondering if there is any principal at all
>> 
>> -----Original Message-----
>> From: Douglas E. Engert [mailto:deengert at anl.gov] 
>> Sent: Tuesday, February 03, 2009 2:13 PM
>> To: Paul Moore
>> Cc: slaindevil at kabelmail.de; kerberos at mit.edu
>> Subject: Re: Prob: failed to verify krb5 credentials: Server not
>> found in Kerb
>> 
>> 
>> 
>> Paul Moore wrote:
>>> is there an AD account with that SPN?
>>> HTTP/wiki.test.lan:8080 at SRV.TEST.LAN
>> 
>> The port number :8080 is usually not part of the principal name.
>> So the browser may be looking for HTTP/wiki.test.lan at SRV.TEST.LAN
>> 
>> 
>>> -----Original Message-----
>>> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
>>> Behalf Of slaindevil at kabelmail.de
>>> Sent: Tuesday, February 03, 2009 6:28 AM
>>> To: kerberos at mit.edu
>>> Subject: Prob: failed to verify krb5 credentials: Server not found
>>> in Kerb
>>>
>>> Hey guys,
>>>
>>> I am close to despairing :(
>>>
>>> Maybe someone has time and likes to help me? :)
>>>
>>> I am trying to set up kerberos to authenticate a
>>> TWiki running on Unix against a Windows Server 2003 Active
>>> Directory...
>>> I configured the krb5.conf like this:
>>>
>>> [logging]
>>>  ...
>>>
>>> [libdefaults]
>>>  default_realm = SRV.TEST.LAN
>>>  dns_lookup_realm = false
>>>  dns_lookup_kdc = false
>>>  ticket_lifetime = 24000
>>>  forwardable = yes
>>>
>>> [realms]
>>>  SRV.TEST.LAN = {
>>>   kdc = location.srv.test.lan:88
>>>   admin_server =  location.srv.test.lan:749
>>>   default_domain = SRV.TEST.LAN
>>>  }
>>>
>>> [domain_realm]
>>>  .test.lan = SRV.TEST.LAN
>>>  test.lan = SRV.TEST.LAN
>>>
>>> [appdefaults]
>>>  pam = {
>>>    debug = false
>>>    ticket_lifetime = 24000
>>>    renew_lifetime = 36000
>>>    forwardable = true
>>>    krb4_convert = false
>>>  }
>>>
>>> When I use "kinit" everything works fine. With every valid login I
>>> get a ticket...
>>>
>>>
>>> Then I created the keytab file, set with a valid user and password
>>> for the service: HTTP/wiki.test.lan:8080 at SRV.TEST.LAN
>> 
>> Leave  off the :8080
>> 
>>> http://wiki.test.lan:8080/bin is the url I type into the browser...
>>>
>>> When I use "kinit" with the keytab and HTTP/wiki.test.lan:8080
>>> everything works fine... I get a ticket...
>>>
>>> Now I want to set up the TWiki to use kerberos to authenticate with...
>>> The httpd.conf for the "bin" directory at http://wiki.test.lan:8080/
>>> is like the following:
>>> Order Deny,Allow
>>> Allow from all
>>>    
>>> AuthType Kerberos
>>> KrbAuthRealms SRV.TEST.LAN
>>> KrbServiceName HTTP
>>> Krb5Keytab /etc/http.keytab
>>> KrbMethodNegotiate on
>>> KrbMethodK5Passwd on
>>> Require valid-user
>>>
>>> When I browse to "http://wiki.srv.lan:8080/bin" the login box
>>> prompts...
>>> I enter a valid login, but the box stays...
>>>
>>> In the log it says:
>>> failed to verify krb5 credentials: Server not found in Kerberos
>>> database
>>> What is wrong? Can someone help me?! :(
>>>
>>> Greets,
>>>
>>>
>>> ________________________________________________
>>> Kerberos mailing list           Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>>
>> 
> 
> -- 
> 
>  Douglas E. Engert  <DEEngert at anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
>
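The thread turns on what is actually inside /etc/http.keytab: whether the principal has a port in its host part and whether it is the HTTP/fqdn@REALM name the browser asks for. As an added example (not code from the thread, from mod_auth_kerb or from Centrify), the Python below writes and parses the MIT keytab file format (version 0x0502) and reports exactly those two problems for a constructed sample entry; function names, the sample entries and the enctype/kvno values are my own, and it says nothing about whether the SPN is registered in AD, which still has to be checked with setspn.

```python
import struct

def build_keytab(entries):
    out = bytearray(b"\x05\x02")                      # MIT keytab file version 0x0502
    for princ, kvno, enctype, key in entries:         # e.g. ("HTTP/host@REALM", 3, 23, key)
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:                     # counted strings: realm, then components
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type NT-PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)  # keyblock, vno32
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every live entry of a version-2 MIT keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                                  # a negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        parts = []                                    # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, off)
            parts.append(data[off + 2:off + 2 + n].decode())
            off += 2 + n
        kvno = data[off + 8]                          # vno8 follows name_type (4) and timestamp (4)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen
        if end - off >= 4:                            # optional 32-bit kvno; non-zero overrides vno8
            kvno = struct.unpack_from(">I", data, off)[0] or kvno
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno, enctype))
        off = end
    return entries

def keytab_problems(data, service, fqdn, realm):
    """List why mod_auth_kerb could not verify tickets for service/fqdn@realm with this keytab."""
    wanted = f"{service}/{fqdn}@{realm}"
    names = [p for p, _, _ in parse_keytab(data)]
    problems = [f"{p}: port in host part, but the browser requests {wanted}" for p in names if ":" in p.split("@")[0]]
    return problems + ([] if wanted in names else [f"no entry for {wanted}"])
```

Run keytab_problems over the bytes of a real keytab (open(path, "rb").read()) with the service, the FQDN from hostname -f and the realm; an empty list means the name in the file is right, and kvno can then be compared with the output of kvno on the KDC side.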