In the manual by Jim Rome, "How to Kerberize your site" (http://www.ornl.gov/~jar/HowToKerb.html#Configure), all examples are in lowercase. So I think there might be a DNS issue, or I used the parameters of the gss-server improperly.

The server's command line usage is

gss-server [-port port] [-verbose] [-once] [-inetd] [-export] [-logfile file] service_name

where service_name is a GSS-API service name of the form "[EMAIL PROTECTED]" (or just "service", in which case the local host name is used).

Now I have 2 machines: the KDC server is called A, and the application server is called B. The gss-server is on machine B. The keytab file has been generated on machine B:

[EMAIL PROTECTED] gss-sample]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 test/[EMAIL PROTECTED]

When I try to run gss-server using the command "./gss-server -port 8888 -once test/[EMAIL PROTECTED]", the output is:

[EMAIL PROTECTED] gss-sample]# ./gss-server -port 8888 -once test/[EMAIL PROTECTED]
GSS-API error acquiring credentials: An invalid name was supplied
GSS-API error acquiring credentials: Hostname cannot be canonicalized

When I try to run gss-server using the command "./gss-server -port 8888 -once test/admin", the output is:

[EMAIL PROTECTED] gss-sample]# ./gss-server -port 8888 -once test/admin
GSS-API error acquiring credentials: Unspecified GSS failure. Minor code may provide more information
GSS-API error acquiring credentials: No principal in keytab matches desired name

When I try to run gss-server using the command "./gss-server -port 8888 -once test", the output is:

[EMAIL PROTECTED] gss-sample]# ./gss-server -port 8888 -once test
GSS-API error acquiring credentials: Unspecified GSS failure. Minor code may provide more information
GSS-API error acquiring credentials: No principal in keytab matches desired name

In fact I don't know exactly what the service name should look like. Are the errors above caused by a DNS problem, or by the keytab file?

----- Original Message -----
From: "Michael B Allen" <[EMAIL PROTECTED]>
To: "lizhong" <[EMAIL PROTECTED]>
Cc: <[email protected]>
Sent: Monday, August 21, 2006 10:29 PM
Subject: Re: gss-server error

> A Kerberos realm is always in uppercase [1]. If you did *everything*
> with a lowercase realm name I suspect things might work but perhaps not.
>
> Or, based on the second error, perhaps there is a DNS issue?
>
> Mike
>
> [1] The realm is effectively the DNS domain in uppercase and therefore
> it is not uncommon to see lowercase names (e.g. DNS oriented software).
>
> On Mon, 21 Aug 2006 17:00:03 +0800
> "lizhong" <[EMAIL PROTECTED]> wrote:
>
>> I'm trying to test with gss-client and gss-server but am unsuccessful in
>> getting it to work.
>>
>> I have setup a MIT Realm called test.com and added a client named
>> test/[EMAIL PROTECTED]
>> I am able to kinit and get a ticket from the KDC.
>>
>> [EMAIL PROTECTED] gss-sample]# kinit
>> Password for test/[EMAIL PROTECTED]:
>> kinit(v5): Password incorrect while getting initial credentials
>> [EMAIL PROTECTED] gss-sample]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: test/[EMAIL PROTECTED]
>>
>> Valid starting     Expires            Service principal
>> 08/21/06 15:45:15  08/22/06 15:45:15  krbtgt/[EMAIL PROTECTED]
>>
>>
>> Kerberos 4 ticket cache: /tmp/tkt0
>> klist: You have no tickets cached
>> [EMAIL PROTECTED] gss-sample]#
>>
>> But if I run "gss-server -port 8888 -verbose -once test/[EMAIL PROTECTED]",
>> I met the following error:
>>
>> [EMAIL PROTECTED] gss-sample]# ./gss-server -port 8888 -verbose -once
>> test/[EMAIL PROTECTED]
>> GSS-API error acquiring credentials: An invalid name was supplied
>> GSS-API error acquiring credentials: Hostname cannot be canonicalized
>>
>> I guess I used the service name in an improper way. So what service name
>> should I use? Thank you for any help!
>>
>>
>>
>
>
> --
> Michael B Allen
> PHP Active Directory SSO
> http://www.ioplex.com/
>
>
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
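
An added example, not part of the thread and not MIT krb5 code: a simplified model of how a host-based service name (service@host, or a bare service meaning the local host) maps to the Kerberos principal that must be present in the acceptor's keytab. The realm EXAMPLE.TEST, the host names, the DNS table and the keytab entries are constructed, and the mapping rule service/fqdn@REALM is the assumption being modelled.

```python
# Simplified model (an assumption, not MIT krb5 source): a host-based
# service name "service@host" becomes the principal "service/<fqdn>@REALM",
# and the acceptor needs exactly that principal in its keytab.

# Constructed sample data: forward DNS as seen from the application server.
DNS = {"b.example.test": "b.example.test", "b": "b.example.test"}
LOCAL_HOST = "b"          # hypothetical short host name of machine B
REALM = "EXAMPLE.TEST"    # hypothetical realm, written in uppercase


def canonicalize(host):
    """Return the FQDN for host from the constructed table, or None."""
    return DNS.get(host.lower())


def to_principal(service_name):
    """Map 'service@host' (or bare 'service') to 'service/fqdn@REALM'."""
    service, at, host = service_name.partition("@")
    if not service:
        raise ValueError("empty service part")
    if not at:  # bare service: the local host name is used
        host = LOCAL_HOST
    fqdn = canonicalize(host)
    if fqdn is None:
        raise LookupError(f"hostname {host!r} cannot be canonicalized")
    return f"{service}/{fqdn}@{REALM}"


def diagnose(service_name, keytab):
    """Report whether a keytab entry exists for the resulting principal."""
    try:
        principal = to_principal(service_name)
    except LookupError as exc:
        return f"name error: {exc}"
    if principal in keytab:
        return f"ok: {principal}"
    return f"no keytab match: {principal}"


if __name__ == "__main__":
    user_keytab = {"test/admin@EXAMPLE.TEST"}           # user-style entry
    host_keytab = {"test/b.example.test@EXAMPLE.TEST"}  # service/host entry
    for name in ("test/admin@EXAMPLE.TEST", "test/admin", "test"):
        print(f"{name:24} -> {diagnose(name, user_keytab)}")
    print(f"{'test@b.example.test':24} -> "
          f"{diagnose('test@b.example.test', host_keytab)}")
```

In this model a principal-style string passed as the service name has its realm treated as the host part, which is why it fails at name canonicalization rather than at the keytab lookup.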
