Re: RE: Prob: failed to verify krb5 credentials: Server not

slaindevil@kabelmail.de slaindevil at kabelmail.de
Wed Feb 4 00:57:02 EST 2009


Yeah, I got several accounts.

The one for the application. Its name is TWikiUser. This name and its password is in the keytab file for the authentication via Kerberos. The authentication via the keytab file works. I tried it with "kinit -k -t /etc/http.keytab HTTP/wiki.test.lan". I got the ticket from the AD. KVNO and encryption type were allright.

Every user shall login with its already existing AD accounts. These are the logins, which I try to enter in the login prompt when I visit http://wiki.test.lan:8080.



-------- Kabel E-Mail Reply ---------------
From: paul.moore at centrify.com
To  : slaindevil at kabelmail.de;deengert at anl.gov
Date: 04.02.2009 00:29:27

there are 2 user accounts

a) one for the application 
b) one (or more) for the user you are logging on with

user (a) must have an SPD of http/wiki.test.lan , the actual upn does
not matter wikiwebserver will do nicely
user (b) is just a regular use




-----Original Message-----
From: slaindevil at kabelmail.de [mailto:slaindevil at kabelmail.de] 
Sent: Tuesday, February 03, 2009 4:21 PM
To: deengert at anl.gov
Cc: Paul Moore; kerberos at mit.edu
Subject: Re: Prob: failed to verify krb5 credentials: Server not in=

>  Who owns /etc/http.keytab? Apache needs access to the file.

The apache has access to the keytab. I also put the keytab directly into
the twiki web directory itself. Made no change...

> Does hostname on the unix system show the FQDN: wiki.test.lan?

I did a nslookup on the unix system and it showed me the server as
wiki.test.lan.
I thought this would be enough on finding out the FQDN... Am I wrong
with that?

> How did you create this account, and why do you think the key and kvno
in the
> keytab matche what is in AD?

I created the account on the AD manually... Then I created the keytab
file by using ktpass with the SPN, the username, the password and some
other things for the encryption. I can give you the complete exact
information tomorrow...

> As Paul said:  Wireshark. It can parse Kerberos packets.

Okay, I got some experience with wireshark, just did not think about
it...
Ill try it out :)

> there needs to be a principal (user or computer) in AD with a Service
> Principal Name equal to http/wiki.test.len
>
> this gets created for a windows machine when the machine joins
>
> you seem to be doing this by hand. So you must use setspn (addspn? I
> forget) to add an SPN to the user or machine account for which you
have
> created the keytab. Or adsiedit will do it
>
> shameless commercial plug: you could always use a commercial solution
> such as Centrify DirectControl , it will do the right thing
> automatically for you

Mh... I dont know if I get you right... Currently the users name at the
AD, thats also in the keytab file, is TWikiUser. So I have to change its
username to http/wiki.test.lan?

Greets,


----- Original Message ----- 
From: "Douglas E. Engert" <deengert at anl.gov>
To: <slaindevil at kabelmail.de>
Cc: <paul.moore at centrify.com>; <kerberos at mit.edu>
Sent: Wednesday, February 04, 2009 12:07 AM
Subject: Re: Prob: failed to verify krb5 credentials: Server not found
in=20


> Two more things:
>  Who owns /etc/http.keytab? Apache needs access to the file.
> 
> Does hostname on the unix system show the FQDN: wiki.test.lan?
> 
> 
> 
> slaindevil at kabelmail.de wrote:
>> First of all, thanks for your answers and interest.
>> 
>> I already tried it without the port, because I realized, short after
I sent my first mail, that the port is really not part of the name.
>> 
>> So I recreated the keytab file with HTTP/wiki.test.lan at SRV.TEST.LAN.
>> Kinit still works, but the "Server not in kerberos database" problem
still remains.
>> 
>> @Paul Moore: What do you mean, with "an AD account with that SPN"?
Could you be just a little more specific? Its late over here in germany
;)
>> 
>> I had created an extra user and password at the AD. This login is
saved inside of the keytab together with the SPN:
HTTP/wiki.test.lan at SRV.TEST.LAN
>> 
>> BTW: Is there a way, to find out, what adress the server is looking
for? 
>> 
>> Greets,
>> 
>> 
>> ----- Original Message ----- 
>> From: "Paul Moore" <paul.moore at centrify.com>
>> To: "Douglas E. Engert" <deengert at anl.gov>
>> Cc: <slaindevil at kabelmail.de>; <kerberos at mit.edu>
>> Sent: Tuesday, February 03, 2009 11:14 PM
>> Subject: RE: Prob: failed to verify krb5 credentials: Server not
found in Kerb
>> 
>> 
>> for sure the port number should not be in the SPN. I didnt even
notice
>> that. I was wondering if there is any principal at all
>> 
>> -----Original Message-----
>> From: Douglas E. Engert [mailto:deengert at anl.gov] 
>> Sent: Tuesday, February 03, 2009 2:13 PM
>> To: Paul Moore
>> Cc: slaindevil at kabelmail.de; kerberos at mit.edu
>> Subject: Re: Prob: failed to verify krb5 credentials: Server not
found
>> in Kerb
>> 
>> 
>> 
>> Paul Moore wrote:
>>> is there an AD account with that SPN?
>>> HTTP/wiki.test.lan:8080 at SRV.TEST.LAN
>> 
>> The port number :8080 is usually not part of the principal name.
>> So the browser may be looking for HTTP/wiki.test.lan at SRV.TEST.LAN
>> 
>> 
>>> -----Original Message-----
>>> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
>>> Behalf Of slaindevil at kabelmail.de
>>> Sent: Tuesday, February 03, 2009 6:28 AM
>>> To: kerberos at mit.edu
>>> Subject: Prob: failed to verify krb5 credentials: Server not found
in
>>> Kerb
>>>
>>> Hey guys,
>>>
>>> I am short before dispairing :(
>>>
>>> Maybe someone has time and likes to help me? :)
>>>
>>> I am trying to set up kerberos to authenticate a
>>> TWiki running on Unix against an Windows Server 2003 Active
>> Directory...
>>> I configured the krb5.conf like this:
>>>
>>> [logging]
>>>  ...
>>>
>>> [libdefaults]
>>>  default_realm = SRV.TEST.LAN
>>>  dns_lookup_realm = false
>>>  dns_lookup_kdc = false
>>>  ticket_lifetime = 24000
>>>  forwardable = yes
>>>
>>> [realms]
>>>  SRV.TEST.LAN = {
>>>   kdc = location.srv.test.lan:88
>>>   admin_server =  location.srv.test.lan:749
>>>   default_domain = SRV.TEST.LAN
>>>  }
>>>
>>> [domain_realm]
>>>  .test.lan = SRV.TEST.LAN
>>>  test.lan = SRV.TEST.LAN
>>>
>>> [appdefaults]
>>>  pam = {
>>>    debug = false
>>>    ticket_lifetime = 24000
>>>    renew_lifetime = 36000
>>>    forwardable = true
>>>    krb4_convert = false
>>>  }
>>>
>>> When I use "kinit" everything works fine. With every valid login I
get
>> a
>>> ticket...
>>>
>>>
>>> Then I created the keytab file, set with a valid user and password
for
>>> the service: HTTP/wiki.test.lan:8080 at SRV.TEST.LAN
>> 
>> Leave  off the :8080
>> 
>>> http://wiki.test.lan:8080/bin is the url I type into the browser...
>>>
>>> When I use "kinit" with the keytab and HTTP/wiki.test.lan:8080
>>> everything works fine... I get a ticket...
>>>
>>> Now I wanna setup the twiki to use kerberos to authenticate with...
>>> The httpd.conf for the "bin" directory at http://wiki.test.lan:8080/
>> is
>>> like following:
>>> Order Deny,Allow
>>> Allow from all
>>>    
>>> AuthType Kerberos
>>> KrbAuthRealms SRV.TEST.LAN
>>> KrbServiceName HTTP
>>> Krb5Keytab /etc/http.keytab
>>> KrbMethodNegotiate on
>>> KrbMethodK5Passwd on
>>> Require valid-user
>>>
>>> When I browse to "http://wiki.srv.lan:8080/bin" the login box
>> prompts...
>>> I enter a valid login, but the box stays...
>>>
>>> In the log it says:
>>> failed to verify krb5 credentials: Server not found in Kerberos
>> database
>>> What is wrong? Can someone help me?! :(
>>>
>>> Greets,
>>>
>>>
>>> ________________________________________________
>>> Kerberos mailing list           Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>> ________________________________________________
>>> Kerberos mailing list           Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>>
>> 
> 
> -- 
> 
>  Douglas E. Engert  <DEEngert at anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
>







More information about the Kerberos mailing list