Your problem is that the host name is not a FQDN. It is returning wiki,
which the server tries to use in a principal name: HTTP/wiki.
This is not found in the KDC.

Type the command hostname and see what it says.

Usually changing the /etc/hosts file from:
n.n.n.n  wiki
to:
n.n.n.n wiki.test.lan wiki

Also read the man page on hostname, as there may be a hostname.something
with the name wiki.



[email protected] wrote:
> Okay... I used "tcpdump -s 65535 -w out.dump" to generate a dump of the 
> network traffic and loaded it into Wireshark with the kerberos filter on...
> 
> I get the following:
> The ticket:
> Client Realm: SRV.TEST.LAN
> Client Name (Principal): SlainDevil
> Tkt-vno: 5
> Realm: SRV.TEST.LAN
> Server Name (Unknown): krbtgt/SRV.TEST.LAN
> Encryption type: rc4-hmac (23)
> Encryption type: des-cbc-md5 (3)
> 
> And then the error message:
> error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
> Realm: SRV.TEST.LAN
> Server Name (Service and Host): HTTP/wiki
> 
> I guess the last point is the mistake, isn't it? It should be 
> HTTP/wiki.test.lan?
> Anyone got a clue how to fix that? Currently I got no idea why this 
> happens... :(
> 
> 
> -------- Kabel E-Mail Reply ---------------
> From: [email protected]
> To  : [email protected];[email protected]
> Date: 04.02.2009 01:35:12
> 
> 
> So does that user have the correct spn. Adsiedit will tell you
> 
> ----- Original Message -----
> From: [email protected] <[email protected]>
> To: Paul Moore; [email protected] <[email protected]>
> Cc: [email protected] <[email protected]>
> Sent: Tue Feb 03 16:57:02 2009
> Subject: Re: RE: Prob: failed to verify krb5 credentials: Server not
> 
> Yeah, I got several accounts.
> 
> The one for the application. Its name is TWikiUser. This name and its
> password is in the keytab file for the authentication via Kerberos. The
> authentication via the keytab file works. I tried it with "kinit -k -t
> /etc/http.keytab HTTP/wiki.test.lan". I got the ticket from the AD. KVNO and
> encryption type were all right.
> 
> Every user shall login with its already existing AD accounts. These are the
> logins, which I try to enter in the login prompt when I visit
> http://wiki.test.lan:8080.
> 
> 
> -------- Kabel E-Mail Reply ---------------
> From: [email protected]
> To  : [email protected];[email protected]
> Date: 04.02.2009 00:29:27
> 
> there are 2 user accounts
> 
> a) one for the application
> b) one (or more) for the user you are logging on with
> 
> user (a) must have an SPN of http/wiki.test.lan , the actual upn does
> not matter wikiwebserver will do nicely
> user (b) is just a regular user
> 
> 
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> Sent: Tuesday, February 03, 2009 4:21 PM
> To: [email protected]
> Cc: Paul Moore; [email protected]
> Subject: Re: Prob: failed to verify krb5 credentials: Server not in
> 
> >  Who owns /etc/http.keytab? Apache needs access to the file.
> 
> The apache has access to the keytab. I also put the keytab directly into
> the twiki web directory itself. Made no change...
> 
> > Does hostname on the unix system show the FQDN: wiki.test.lan?
> 
> I did a nslookup on the unix system and it showed me the server as
> wiki.test.lan.
> I thought this would be enough on finding out the FQDN... Am I wrong
> with that?
> 
> > How did you create this account, and why do you think the key and kvno
> > in the keytab match what is in AD?
> 
> I created the account on the AD manually... Then I created the keytab
> file by using ktpass with the SPN, the username, the password and some
> other things for the encryption. I can give you the complete exact
> information tomorrow...
> 
> > As Paul said:  Wireshark. It can parse Kerberos packets.
> 
> Okay, I got some experience with wireshark, just did not think about
> it...
> I'll try it out :)
> 
> > there needs to be a principal (user or computer) in AD with a Service
> > Principal Name equal to http/wiki.test.len
> >
> > this gets created for a windows machine when the machine joins
> >
> > you seem to be doing this by hand. So you must use setspn (addspn? I
> > forget) to add an SPN to the user or machine account for which you have
> > created the keytab. Or adsiedit will do it
> >
> > shameless commercial plug: you could always use a commercial solution
> > such as Centrify DirectControl , it will do the right thing
> > automatically for you
> 
> Mh... I don't know if I get you right... Currently the user's name at the
> AD, that's also in the keytab file, is TWikiUser. So I have to change its
> username to http/wiki.test.lan?
> 
> Greets,
> 
> 
> ----- Original Message -----
> From: "Douglas E. Engert" <[email protected]>
> To: <[email protected]>
> Cc: <[email protected]>; <[email protected]>
> Sent: Wednesday, February 04, 2009 12:07 AM
> Subject: Re: Prob: failed to verify krb5 credentials: Server not found in
> 
> 
> > Two more things:
> >  Who owns /etc/http.keytab? Apache needs access to the file.
> >
> > Does hostname on the unix system show the FQDN: wiki.test.lan?
> >
> >
> >
> > [email protected] wrote:
> >> First of all, thanks for your answers and interest.
> >>
> >> I already tried it without the port, because I realized, short after
> >> I sent my first mail, that the port is really not part of the name.
> >>
> >> So I recreated the keytab file with HTTP/[email protected].
> >> Kinit still works, but the "Server not in kerberos database" problem
> >> still remains.
> >>
> >> @Paul Moore: What do you mean, with "an AD account with that SPN"?
> >> Could you be just a little more specific? It's late over here in germany
> >> ;)
> >>
> >> I had created an extra user and password at the AD. This login is
> >> saved inside of the keytab together with the SPN:
> >> HTTP/[email protected]
> >>
> >> BTW: Is there a way, to find out, what address the server is looking
> >> for?
> >>
> >> Greets,
> >>
> >>
> >> ----- Original Message -----
> >> From: "Paul Moore" <[email protected]>
> >> To: "Douglas E. Engert" <[email protected]>
> >> Cc: <[email protected]>; <[email protected]>
> >> Sent: Tuesday, February 03, 2009 11:14 PM
> >> Subject: RE: Prob: failed to verify krb5 credentials: Server not
> >> found in Kerb
> >>
> >>
> >> for sure the port number should not be in the SPN. I didn't even notice
> >> that. I was wondering if there is any principal at all
> >>
> >> -----Original Message-----
> >> From: Douglas E. Engert [mailto:[email protected]]
> >> Sent: Tuesday, February 03, 2009 2:13 PM
> >> To: Paul Moore
> >> Cc: [email protected]; [email protected]
> >> Subject: Re: Prob: failed to verify krb5 credentials: Server not found
> >> in Kerb
> >>
> >>
> >>
> >> Paul Moore wrote:
> >>> is there an AD account with that SPN?
> >>> HTTP/wiki.test.lan:[email protected]
> >>
> >> The port number :8080 is usually not part of the principal name.
> >> So the browser may be looking for HTTP/[email protected]
> >>
> >>
> >>> -----Original Message-----
> >>> From: [email protected] [mailto:[email protected]] On
> >>> Behalf Of [email protected]
> >>> Sent: Tuesday, February 03, 2009 6:28 AM
> >>> To: [email protected]
> >>> Subject: Prob: failed to verify krb5 credentials: Server not found in
> >>> Kerb
> >>>
> >>> Hey guys,
> >>>
> >>> I am short before despairing :(
> >>>
> >>> Maybe someone has time and likes to help me? :)
> >>>
> >>> I am trying to set up kerberos to authenticate a
> >>> TWiki running on Unix against a Windows Server 2003 Active
> >>> Directory...
> >>> I configured the krb5.conf like this:
> >>>
> >>> [logging]
> >>>  ...
> >>>
> >>> [libdefaults]
> >>>  default_realm = SRV.TEST.LAN
> >>>  dns_lookup_realm = false
> >>>  dns_lookup_kdc = false
> >>>  ticket_lifetime = 24000
> >>>  forwardable = yes
> >>>
> >>> [realms]
> >>>  SRV.TEST.LAN = {
> >>>   kdc = location.srv.test.lan:88
> >>>   admin_server =  location.srv.test.lan:749
> >>>   default_domain = SRV.TEST.LAN
> >>>  }
> >>>
> >>> [domain_realm]
> >>>  .test.lan = SRV.TEST.LAN
> >>>  test.lan = SRV.TEST.LAN
> >>>
> >>> [appdefaults]
> >>>  pam = {
> >>>    debug = false
> >>>    ticket_lifetime = 24000
> >>>    renew_lifetime = 36000
> >>>    forwardable = true
> >>>    krb4_convert = false
> >>>  }
> >>>
> >>> When I use "kinit" everything works fine. With every valid login I get
> >>> a ticket...
> >>>
> >>>
> >>> Then I created the keytab file, set with a valid user and password for
> >>> the service: HTTP/wiki.test.lan:[email protected]
> >>
> >> Leave  off the :8080
> >>
> >>> http://wiki.test.lan:8080/bin is the url I type into the browser...
> >>>
> >>> When I use "kinit" with the keytab and HTTP/wiki.test.lan:8080
> >>> everything works fine... I get a ticket...
> >>>
> >>> Now I wanna setup the twiki to use kerberos to authenticate with...
> >>> The httpd.conf for the "bin" directory at http://wiki.test.lan:8080/ is
> >>> like following:
> >>> Order Deny,Allow
> >>> Allow from all
> >>>
> >>> AuthType Kerberos
> >>> KrbAuthRealms SRV.TEST.LAN
> >>> KrbServiceName HTTP
> >>> Krb5Keytab /etc/http.keytab
> >>> KrbMethodNegotiate on
> >>> KrbMethodK5Passwd on
> >>> Require valid-user
> >>>
> >>> When I browse to "http://wiki.srv.lan:8080/bin" the login box
> >>> prompts...
> >>> I enter a valid login, but the box stays...
> >>>
> >>> In the log it says:
> >>> failed to verify krb5 credentials: Server not found in Kerberos
> >>> database
> >>> What is wrong? Can someone help me?! :(
> >>>
> >>> Greets,
> >>>
> >>>
> >>> ________________________________________________
> >>> Kerberos mailing list           [email protected]
> >>> https://mailman.mit.edu/mailman/listinfo/kerberos
> >>>
> >>>
> >>
> >
> > --
> >
> >  Douglas E. Engert  <[email protected]>
> >  Argonne National Laboratory
> >  9700 South Cass Avenue
> >  Argonne, Illinois  60439
> >  (630) 252-5444
> >
> 
> 
> 

-- 

  Douglas E. Engert  <[email protected]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
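As an added example (not code from anyone in this thread), the following Python check reproduces the derivation described in the reply above: the service principal a Kerberized web server builds from its canonicalised host name, compared against the principals in its keytab. The /etc/hosts contents, the klist -k listing and the 192.0.2.10 address are constructed; the realm SRV.TEST.LAN and the HTTP service name come from the thread.

```python
"""Pre-flight check for the HTTP/<host> principal mismatch in this thread.

When the host name canonicalises to a bare "wiki", the server asks the KDC
for HTTP/wiki@REALM, the KDC replies KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, and
mod_auth_kerb logs "Server not found in Kerberos database". These helpers
run that derivation over constructed inputs so the mismatch is visible
before Apache is touched.
"""

REALM = "SRV.TEST.LAN"   # realm used throughout the thread
SERVICE = "HTTP"         # KrbServiceName from the httpd.conf in the thread

# Constructed /etc/hosts contents: the broken form and the corrected form
# from the reply. The address is a documentation-range placeholder.
HOSTS_BROKEN = "192.0.2.10  wiki\n"
HOSTS_FIXED = "192.0.2.10  wiki.test.lan wiki\n"

# Constructed `klist -k /etc/http.keytab` listing.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/http.keytab
KVNO Principal
---- ----------------------------------------------------------------
   3 HTTP/wiki.test.lan@SRV.TEST.LAN
"""


def canonical_hostname(hostname: str, hosts_text: str) -> str:
    """Return the canonical name /etc/hosts gives `hostname`.

    The first name after the address on a matching line is canonical; any
    further names are aliases. Comments and blank lines are skipped, and a
    name with no matching line is returned unchanged.
    """
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2 and hostname in fields[1:]:
            return fields[1]
    return hostname


def is_fqdn(name: str) -> bool:
    """A fully qualified name contains at least one interior dot."""
    return "." in name.rstrip(".")


def service_principal(hostname: str, hosts_text: str,
                      service: str = SERVICE, realm: str = REALM) -> str:
    """Principal the server will request after canonicalising its own name."""
    return f"{service}/{canonical_hostname(hostname, hosts_text)}@{realm}"


def keytab_principals(klist_text: str) -> set:
    """Collect principal names from `klist -k` output (KVNO, principal rows)."""
    found = set()
    for line in klist_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            found.add(parts[1])
    return found


def diagnose(hostname: str, hosts_text: str, klist_text: str) -> list:
    """Return findings as strings; an empty list means the setup is consistent."""
    findings = []
    canon = canonical_hostname(hostname, hosts_text)
    wanted = service_principal(hostname, hosts_text)
    if not is_fqdn(canon):
        findings.append(f"host name canonicalises to '{canon}', which is not "
                        f"an FQDN; the server will request {wanted}")
    have = keytab_principals(klist_text)
    if wanted not in have:
        findings.append(f"{wanted} is not in the keytab "
                        f"(keytab holds: {', '.join(sorted(have)) or 'nothing'})")
    return findings


if __name__ == "__main__":
    for label, hosts in (("broken", HOSTS_BROKEN), ("fixed", HOSTS_FIXED)):
        print(f"[{label}] server requests {service_principal('wiki', hosts)}")
        for finding in diagnose("wiki", hosts, KLIST_OUTPUT):
            print("   ", finding)
```

Run against the real host by substituting the output of `hostname`, the contents of /etc/hosts and `klist -k` for the constructed values; an empty findings list means the requested principal exists in the keytab, although the matching SPN must still be present on the AD account.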
