Hi Thanks for spending time and effort. My problem came out to be a very stupid one. You were right when u said about [domain_realm] section.
I just added .quark.co.in = QDMS.CO.IN in krb5.conf . Next I imported keytab file into /etc/krb5/krb5.keytab using version 3. ktpass -kvno 3 -princ unix2/[EMAIL PROTECTED] -mapuser unix2 -pass unix2 -out blade.keytab The samples run perfectly now. Thanks to everyone who gave me small assistance. I nopw have few doubts. 1. Please let me know whether to generate a keytab file of version3 is the right way to go about. or It is a hack ????? 2. In [domain_realm] .quark.co.in = QDMS.CO.IN : means that domainname "quark.co.in" should have a relam of QDMS.CO.IN quark.co.in = QDMS.CO.IN : means what ???? Any help shall be appreciated. Regards Vikas -----Original Message----- From: Douglas E. Engert [mailto:[EMAIL PROTECTED] Sent: Monday, December 15, 2003 7:08 PM To: Vikas Gandhi Cc: [EMAIL PROTECTED] Subject: Re: Error while rrunning GSSAPI samples using SEAM (No principal inkeytab matches desired name ) Vikas Gandhi wrote: > > I have gone a step further and I am facing this problems:->Cannot contact > any KDC for requested realm > I have discuss the procedure below. > > I further read the MIT documentation for cross relam auth and found out that > the principal that was supposed to be generated by kinit was "ktpass -princ > sample1/[EMAIL PROTECTED] -mapuser sample -pass sample -out The principal sample1/[EMAIL PROTECTED] will not match the GSS name [EMAIL PROTECTED] When you import a GSS name, it is of the form <service>@<hostname> this will be used to find a principal of the form <service>/<fqdn>@<realm> where <fqdn> will be derived from <hostname> and <realm> will be derived from the <fqdn> by the Kerberos library. sample != sample1. You list two machines, beetle, and blade in the krb5.conf. Are there both a blade.qdms.co.in and a blade.quark.co.in? Are these two separate machines? Don't try and have a single machine in two realms, or with two DNS names until you get the basics working. You may need a [domain_realm] section. > blade.keytab". I created that and ran "./gss-server -port 4444 -mech > "1.2.840.113554.1.2.2" -verbose [EMAIL PROTECTED] " on solaris 9. At > least the server starts running. Next I kinit the user "[EMAIL PROTECTED]" for > obtaining the ticket from ADSI. I checked the event log and found that it > was correct. > Checking the klist shows > klist > Ticket cache: /tmp/krb5cc_1023 > Default principal: [EMAIL PROTECTED] > > Valid starting Expires Service > principal > Sun Dec 14 13:12:22 2003 Sun Dec 14 23:12:22 2003 > krbtgt/[EMAIL PROTECTED] > > Next I try to run the GSSAPI samples in solaris 9 > ./gss-client -port 4444 -mech "1.2.840.113554.1.2.2" blade sample hello > GSS-API error initializing context: Unspecified GSS failure. Minor code may > provide more information > GSS-API error initializing context: Cannot contact any KDC for requested > realm > > I am not able to judge the problem at all. > My krb5.conf speaks (QDMS.CO.IN in Windows 2003 ADSI PDC and QUARK.CO.IN is > a Solaris 9 system) > ------------------ > [libdefaults] > default_realm = QDMS.CO.IN > # default_realm = QUARK.CO.IN > default_tgs_enctypes = des-cbc-crc > default_tkt_enctypes = des-cbc-crc > dns_lookup_kdc=true > dns_lookup_realm =true > > [realms] > QUARK.CO.IN= { > kdc = blade.quark.co.in > admin_server = blade.quark.co.in > } > QDMS.CO.IN= { > kdc = beetle.qdms.co.in:88 > admin_server = beetle.qdms.co.in > default_realm = QDMS.CO.IN > } > [capaths] > QUARK.CO.IN = { > QDMS.CO.IN = . > } > QDMS.CO.IN = { > QUARK.CO.IN = . > } > ----------------------------------------- > > FYI: The samples work well for SEAM. > > --Vikas > > -----Original Message----- > From: Douglas E. Engert [mailto:[EMAIL PROTECTED] > Sent: Friday, December 12, 2003 6:38 PM > To: Vikas Gandhi > Cc: [EMAIL PROTECTED] > Subject: Re: Error while rrunning GSSAPI samples using SEAM (No > principal inkeytab matches desired name ) > > Try using in Step 5: > ./gss-server -port 4444 -verbose [EMAIL PROTECTED] > > The GSS-API uses [EMAIL PROTECTED] which when use with Kerberos > Kerbeors GSSAPI is mapped to a principal of service/hostname > > Vikas Gandhi wrote: > > > > Hi All > > I am using SEAM and ADSI 2000. I have done cross relam and cross > > domain setup. The setup is fine. I am facing difficulties in running > > gssapi samples using ADSI (though the reverse I have done it i.e. > > using sspi samples using SEAM). > > The gssapi samples work fine for SEAM. But I do not know where I am > > mistaken when I try for ADSI-2000. > > WIN-OS: 2003 server > > WIN-DOMAIN: QDMS.CO.IN > > WIN-relam: QDMS.CO.IN > > win-host-name: beetle.qdms.co.in > > > > SUN-OS: solaris 9 > > SEAM-DOMAIN: QUARK.CO.IN > > win-host-name: blade.quark.co.in > > seam-relam: QUARK.CO.IN > > seam version: 1.01 > > As I have created a trust between the two domains and added kdc to the > > windows and created mappings, I can login to the windows easily using > > SEAM KDC. > > > > Step 1: I created a user windms in ADSI and gave windms and password > > windms. > > Step 2: ktpass -princ windms/beetle.qdms.co.in -mapuser windms -pass > > windms -out blade.keytab > > Step 3: I ftp that file in sun server and used ktutil to input in > > /etc/krb5/krb5.keytab > > Step 4: kinit -k -t /etc/krb5/krb5.keytab > > windms/[EMAIL PROTECTED] > > works fins and I get the ticket. > > Step 5: ./gss-server -port 4444 -verbose windms/beetle.qdms.co.in > > GSS-API error acquiring credentials: Unspecified GSS failure. Minor > > code may provide more information > > GSS-API error acquiring credentials: No principal in keytab matches > > desired name > > > > I do not know where the error lies. > > My /etc/hosts file says the following > > X.X.X.X blade.qdms.co.in blade.quark.co.in blade > > X.X.X.X beetle beetle.qdms.co.in beetle.quark.co.in > > > > My /etc/resolv.conf says > > domain quark.co.in > > nameserver X.X.X.X > > nameserver X.X.X.X > > search quark.co.in qdms.co.in > > > > Regards > > Vikas > > ________________________________________________ > > Kerberos mailing list [EMAIL PROTECTED] > > https://mailman.mit.edu/mailman/listinfo/kerberos > > -- > > Douglas E. Engert <[EMAIL PROTECTED]> > Argonne National Laboratory > 9700 South Cass Avenue > Argonne, Illinois 60439 > (630) 252-5444 -- Douglas E. Engert <[EMAIL PROTECTED]> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 ________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
