Re: RE: Prob: failed to verify krb5 credentials: Server not



Yeah, I got several accounts.

The one for the application. Its name is TWikiUser. This name and its password are in the keytab file for the authentication via Kerberos. The authentication via the keytab file works. I tried it with "kinit -k -t /etc/http.keytab HTTP/wiki.test.lan". I got the ticket from the AD. KVNO and encryption type were all right.

Every user shall log in with their already existing AD account. These are the logins which I try to enter in the login prompt when I visit http://wiki.test.lan:8080.



-------- Kabel E-Mail Reply ---------------
From: paul.moore@xxxxxxxxxxxx
To : slaindevil@xxxxxxxxxxxx;deengert@xxxxxxx
Date: 04.02.2009 00:29:27

there are 2 user accounts

a) one for the application
b) one (or more) for the user you are logging on with

user (a) must have an SPN of http/wiki.test.lan ; the actual UPN does
not matter, wikiwebserver will do nicely
user (b) is just a regular user




-----Original Message-----
From: slaindevil@xxxxxxxxxxxx [mailto:slaindevil@xxxxxxxxxxxx]
Sent: Tuesday, February 03, 2009 4:21 PM
To: deengert@xxxxxxx
Cc: Paul Moore; kerberos@xxxxxxx
Subject: Re: Prob: failed to verify krb5 credentials: Server not in

Who owns /etc/http.keytab? Apache needs access to the file.

The apache has access to the keytab. I also put the keytab directly into
the twiki web directory itself. Made no change...

Does hostname on the unix system show the FQDN: wiki.test.lan?

I did a nslookup on the unix system and it showed me the server as
wiki.test.lan.
I thought this would be enough for finding out the FQDN... Am I wrong
with that?

How did you create this account, and why do you think the key and kvno
in the keytab match what is in AD?

I created the account on the AD manually... Then I created the keytab
file by using ktpass with the SPN, the username, the password and some
other things for the encryption. I can give you the complete exact
information tomorrow...

As Paul said: Wireshark. It can parse Kerberos packets.

Okay, I got some experience with Wireshark, just did not think about
it...
I'll try it out :)

there needs to be a principal (user or computer) in AD with a Service
Principal Name equal to http/wiki.test.lan

this gets created for a windows machine when the machine joins

you seem to be doing this by hand. So you must use setspn (addspn? I
forget) to add an SPN to the user or machine account for which you
have
created the keytab. Or adsiedit will do it

shameless commercial plug: you could always use a commercial solution
such as Centrify DirectControl , it will do the right thing
automatically for you

Mh... I don't know if I get you right... Currently the user's name at the
AD, that's also in the keytab file, is TWikiUser. So I have to change its
username to http/wiki.test.lan?

Greets,


----- Original Message -----
From: "Douglas E. Engert" <deengert@xxxxxxx>
To: <slaindevil@xxxxxxxxxxxx>
Cc: <paul.moore@xxxxxxxxxxxx>; <kerberos@xxxxxxx>
Sent: Wednesday, February 04, 2009 12:07 AM
Subject: Re: Prob: failed to verify krb5 credentials: Server not found in


Two more things:
Who owns /etc/http.keytab? Apache needs access to the file.

Does hostname on the unix system show the FQDN: wiki.test.lan?



slaindevil@xxxxxxxxxxxx wrote:
First of all, thanks for your answers and interest.

I already tried it without the port, because I realized, shortly after
I sent my first mail, that the port is really not part of the name.

So I recreated the keytab file with HTTP/wiki.test.lan@xxxxxxxxxxxxx
Kinit still works, but the "Server not in kerberos database" problem
still remains.

@Paul Moore: What do you mean with "an AD account with that SPN"?
Could you be just a little more specific? It's late over here in Germany
;)

I had created an extra user and password at the AD. This login is
saved inside of the keytab together with the SPN:
HTTP/wiki.test.lan@xxxxxxxxxxxx

BTW: Is there a way to find out what address the server is looking
for?

Greets,


----- Original Message -----
From: "Paul Moore" <paul.moore@xxxxxxxxxxxx>
To: "Douglas E. Engert" <deengert@xxxxxxx>
Cc: <slaindevil@xxxxxxxxxxxx>; <kerberos@xxxxxxx>
Sent: Tuesday, February 03, 2009 11:14 PM
Subject: RE: Prob: failed to verify krb5 credentials: Server not
found in Kerb


for sure the port number should not be in the SPN. I didn't even
notice that. I was wondering if there is any principal at all

-----Original Message-----
From: Douglas E. Engert [mailto:deengert@xxxxxxx]
Sent: Tuesday, February 03, 2009 2:13 PM
To: Paul Moore
Cc: slaindevil@xxxxxxxxxxxx; kerberos@xxxxxxx
Subject: Re: Prob: failed to verify krb5 credentials: Server not
found
in Kerb



Paul Moore wrote:
is there an AD account with that SPN?
HTTP/wiki.test.lan:8080@xxxxxxxxxxxx

The port number :8080 is usually not part of the principal name.
So the browser may be looking for HTTP/wiki.test.lan@xxxxxxxxxxxx


-----Original Message-----
From: kerberos-bounces@xxxxxxx [mailto:kerberos-bounces@xxxxxxx] On
Behalf Of slaindevil@xxxxxxxxxxxx
Sent: Tuesday, February 03, 2009 6:28 AM
To: kerberos@xxxxxxx
Subject: Prob: failed to verify krb5 credentials: Server not found
in
Kerb

Hey guys,

I am close to despairing :(

Maybe someone has time and likes to help me? :)

I am trying to set up Kerberos to authenticate a
TWiki running on Unix against a Windows Server 2003 Active
Directory...
I configured the krb5.conf like this:

[logging]
...

[libdefaults]
default_realm = SRV.TEST.LAN
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24000
forwardable = yes

[realms]
SRV.TEST.LAN = {
kdc = location.srv.test.lan:88
admin_server = location.srv.test.lan:749
default_domain = SRV.TEST.LAN
}

[domain_realm]
.test.lan = SRV.TEST.LAN
test.lan = SRV.TEST.LAN

[appdefaults]
pam = {
debug = false
ticket_lifetime = 24000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

When I use "kinit" everything works fine. With every valid login I
get a ticket...


Then I created the keytab file, set with a valid user and password
for the service: HTTP/wiki.test.lan:8080@xxxxxxxxxxxx

Leave off the :8080

http://wiki.test.lan:8080/bin is the url I type into the browser...

When I use "kinit" with the keytab and HTTP/wiki.test.lan:8080
everything works fine... I get a ticket...

Now I wanna set up the TWiki to use Kerberos to authenticate with...
The httpd.conf for the "bin" directory at http://wiki.test.lan:8080/
is like following:
Order Deny,Allow
Allow from all

AuthType Kerberos
KrbAuthRealms SRV.TEST.LAN
KrbServiceName HTTP
Krb5Keytab /etc/http.keytab
KrbMethodNegotiate on
KrbMethodK5Passwd on
Require valid-user

When I browse to "http://wiki.srv.lan:8080/bin" the login box
prompts...
I enter a valid login, but the box stays...

In the log it says:
failed to verify krb5 credentials: Server not found in Kerberos
database
What is wrong? Can someone help me?! :(

Greets,


________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos





--

Douglas E. Engert <DEEngert@xxxxxxx>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
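
Added example, written for this archived thread; it is not code from any of the posters, from mod_auth_kerb, or from MIT Kerberos. The script works out, from a URL and a krb5.conf [domain_realm] mapping, which service principal an SPNEGO-capable browser will ask the KDC for, and then checks a `klist -k` listing of the keytab for that exact name. It models the two points the thread turns on: the port is not part of the principal, and the host is mapped to a realm by krb5.conf rather than by the URL. The krb5.conf excerpt and the two klist listings are constructed to mirror the thread, and all function names are hypothetical. It talks to no KDC, so it cannot confirm the AD side (that the account really carries the SPN, which is what `setspn -L` on the domain controller shows); it only tells you what the local side is going to request. Real libkrb5 also canonicalizes the hostname through DNS before building the name, which is why the FQDN/hostname question in the thread matters; this example skips that step.

```python
import re
from urllib.parse import urlsplit

# Constructed krb5.conf excerpt mirroring the thread's [libdefaults] and
# [domain_realm] sections (example data, not a real configuration).
KRB5_CONF = """\
[libdefaults]
default_realm = SRV.TEST.LAN

[domain_realm]
.test.lan = SRV.TEST.LAN
test.lan = SRV.TEST.LAN
"""

# Constructed `klist -k` output: a keytab created with the port in the SPN,
# as in the first message of the thread.
KLIST_K_WITH_PORT = """\
Keytab name: FILE:/etc/http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/wiki.test.lan:8080@SRV.TEST.LAN
"""

# The same keytab regenerated without the port (also constructed).
KLIST_K_FIXED = """\
Keytab name: FILE:/etc/http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/wiki.test.lan@SRV.TEST.LAN
"""


def parse_krb5_conf(text):
    """Return (default_realm, {domain: realm}) from an MIT-style krb5.conf.
    Only the two keys this check needs are read; everything else is skipped."""
    section, default_realm, domain_realm = None, None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if "=" not in line:
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if section == "libdefaults" and key == "default_realm":
            default_realm = value
        elif section == "domain_realm":
            domain_realm[key.lower()] = value
    return default_realm, domain_realm


def realm_for_host(host, default_realm, domain_realm):
    """Approximate libkrb5's [domain_realm] lookup: exact host first, then the
    closest parent domain written with a leading dot, else default_realm."""
    host = host.lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    return default_realm


def expected_service_principal(url, krb5_conf_text):
    """Principal the browser requests for `url`. urlsplit().hostname drops the
    port and lower-cases the name, so http://wiki.test.lan:8080/bin becomes
    HTTP/wiki.test.lan@SRV.TEST.LAN, never HTTP/wiki.test.lan:8080@..."""
    default_realm, domain_realm = parse_krb5_conf(krb5_conf_text)
    host = urlsplit(url).hostname
    return f"HTTP/{host}@{realm_for_host(host, default_realm, domain_realm)}"


def keytab_principals(klist_output):
    """Parse `klist -k` output into [(kvno, principal), ...]."""
    entries = []
    for line in klist_output.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)$", line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def diagnose(url, krb5_conf_text, klist_output):
    """One-line finding: OK, MISMATCH (same service but a port or different
    case in the keytab name) or MISSING (no entry for this service at all)."""
    want = expected_service_principal(url, krb5_conf_text)
    have = [p for _, p in keytab_principals(klist_output)]
    if want in have:
        return f"OK: keytab holds {want}"
    want_service = want.split("@", 1)[0].lower()
    for p in have:
        service = p.split("@", 1)[0]
        if service.lower() == want_service:
            return f"MISMATCH: keytab has {p} (case differs), browser requests {want}"
        # anything after ':' in the service part is a port that should not be there
        if service.split(":", 1)[0].lower() == want_service:
            return f"MISMATCH: keytab has {p} (port in SPN), browser requests {want}"
    return f"MISSING: no entry for {want_service} in keytab, browser requests {want}"


if __name__ == "__main__":
    for listing in (KLIST_K_WITH_PORT, KLIST_K_FIXED):
        print(diagnose("http://wiki.test.lan:8080/bin", KRB5_CONF, listing))
```

Run against the first listing it reports the port mismatch the thread spent its first round on; against the regenerated listing it reports OK, which is as far as a local check can go. If the KDC still answers "Server not found in Kerberos database" after the keytab matches, the remaining suspect is the AD account itself: the name has to be registered as a servicePrincipalName on that account (setspn or ADSI Edit, as the thread says), not just used as the principal name inside the keytab.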




