Ok, it works fine now! I changed the FQDN! Thank you very much for your effort and time!

Greets,

----- Original Message -----
From: "Douglas E. Engert" <[email protected]>
To: <[email protected]>
Cc: <[email protected]>; <[email protected]>
Sent: Wednesday, February 04, 2009 4:00 PM
Subject: Re: Prob: failed to verify krb5 credentials: Server not

> Your problem is the host name is not a FQDN. It is returning wiki.
> which the server tries to use in a principal name: HTTP/wiki.
> This is not found in the KDC.
>
> type the command hostname and see what it says.
>
> Usually changing the /etc/hosts file from:
> n.n.n.n wiki
> to:
> n.n.n.n wiki.test.lan wiki
>
> Also read man page on hostname, as there may be a hostname.something
> with the name wiki.
>
>
> [email protected] wrote:
>> Okay... I used "tcpdump -s 65535 -w out.dump" to generate a dump of the
>> network traffic and loaded it into Wireshark with the kerberos filter on...
>>
>> I get the following:
>> The ticket:
>> Client Realm: SRV.TEST.LAN
>> Client Name (Principal): SlainDevil
>> Tkt-vno: 5
>> Realm: SRV.TEST.LAN
>> Server Name (Unknown): krbtgt/SRV.TEST.LAN
>> Encryption type: rc4-hmac (23)
>> Encryption type: des-cbc-md5 (3)
>>
>> And then the error message:
>> error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
>> Realm: SRV.TEST.LAN
>> Server Name (Service and Host): HTTP/wiki
>>
>> I guess the last point is the mistake, isn't it? It should be
>> HTTP/wiki.test.lan?
>> Anyone got a clue how to fix that? Currently I got no idea why this
>> happens... :(
>>
>>
>> -------- Kabel E-Mail Reply ---------------
>> From: [email protected]
>> To : [email protected];[email protected]
>> Date: 04.02.2009 01:35:12
>>
>> So does that user have the correct spn. Adsiedit will tell you
>>
>> ----- Original Message -----
>> From: [email protected]
>> To: Paul Moore; [email protected]
>> Cc: [email protected]
>> Sent: Tue Feb 03 16:57:02 2009
>> Subject: Re: RE: Prob: failed to verify krb5 credentials: Server not
>>
>> Yeah, I got several accounts.
>>
>> The one for the application. Its name is TWikiUser. This name
>> and its password is in the keytab file for the authentication via Kerberos.
>> The authentication via the keytab file works. I tried it with "kinit -k -t
>> /etc/http.keytab HTTP/wiki.test.lan". I got the ticket from the AD. KVNO and
>> encryption type were all right.
>>
>> Every user shall login with its already existing AD accounts.
>> These are the logins, which I try to enter in the login prompt when I
>> visit http://wiki.test.lan:8080.
>>
>>
>> -------- Kabel E-Mail Reply ---------------
>> From: [email protected]
>> To : [email protected];[email protected]
>> Date: 04.02.2009 00:29:27
>>
>> there are 2 user accounts
>>
>> a) one for the application
>> b) one (or more) for the user you are logging on with
>>
>> user (a) must have an SPN of http/wiki.test.lan , the actual upn does
>> not matter wikiwebserver will do nicely
>> user (b) is just a regular user
>>
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]]
>> Sent: Tuesday, February 03, 2009 4:21 PM
>> To: [email protected]
>> Cc: Paul Moore; [email protected]
>> Subject: Re: Prob: failed to verify krb5 credentials: Server not in
>>
>> > Who owns /etc/http.keytab? Apache needs access to the file.
>>
>> The apache has access to the keytab. I also put the keytab directly into
>> the twiki web directory itself. Made no change...
>>
>> > Does hostname on the unix system show the FQDN: wiki.test.lan?
>>
>> I did a nslookup on the unix system and it showed me the server as
>> wiki.test.lan.
>> I thought this would be enough on finding out the FQDN... Am I wrong
>> with that?
>>
>> > How did you create this account, and why do you think the key and kvno
>> in the
>> > keytab match what is in AD?
>>
>> I created the account on the AD manually... Then I created the keytab
>> file by using ktpass with the SPN, the username, the password and some
>> other things for the encryption. I can give you the complete exact
>> information tomorrow...
>>
>> > As Paul said: Wireshark. It can parse Kerberos packets.
>>
>> Okay, I got some experience with wireshark, just did not think about
>> it...
>> I'll try it out :)
>>
>> > there needs to be a principal (user or computer) in AD with a Service
>> > Principal Name equal to http/wiki.test.lan
>> >
>> > this gets created for a windows machine when the machine joins
>> >
>> > you seem to be doing this by hand. So you must use setspn (addspn? I
>> > forget) to add an SPN to the user or machine account for which you
>> have
>> > created the keytab. Or adsiedit will do it
>> >
>> > shameless commercial plug: you could always use a commercial solution
>> > such as Centrify DirectControl , it will do the right thing
>> > automatically for you
>>
>> Mh... I don't know if I get you right... Currently the user's name at the
>> AD, that's also in the keytab file, is TWikiUser. So I have to change its
>> username to http/wiki.test.lan?
>>
>> Greets,
>>
>>
>> ----- Original Message -----
>> From: "Douglas E. Engert" <[email protected]>
>> To: <[email protected]>
>> Cc: <[email protected]>; <[email protected]>
>> Sent: Wednesday, February 04, 2009 12:07 AM
>> Subject: Re: Prob: failed to verify krb5 credentials: Server not found
>> in
>>
>>
>> > Two more things:
>> > Who owns /etc/http.keytab? Apache needs access to the file.
>> >
>> > Does hostname on the unix system show the FQDN: wiki.test.lan?
>> >
>> >
>> > [email protected] wrote:
>> >> First of all, thanks for your answers and interest.
>> >>
>> >> I already tried it without the port, because I realized, short after
>> I sent my first mail, that the port is really not part of the name.
>> >>
>> >> So I recreated the keytab file with HTTP/[email protected].
>> >> Kinit still works, but the "Server not in kerberos database" problem
>> still remains.
>> >>
>> >> @Paul Moore: What do you mean, with "an AD account with that SPN"?
>> Could you be just a little more specific? It's late over here in germany
>> ;)
>> >>
>> >> I had created an extra user and password at the AD. This login is
>> saved inside of the keytab together with the SPN:
>> HTTP/[email protected]
>> >>
>> >> BTW: Is there a way, to find out, what address the server is looking
>> for?
>> >>
>> >> Greets,
>> >>
>> >>
>> >> ----- Original Message -----
>> >> From: "Paul Moore" <[email protected]>
>> >> To: "Douglas E. Engert" <[email protected]>
>> >> Cc: <[email protected]>; <[email protected]>
>> >> Sent: Tuesday, February 03, 2009 11:14 PM
>> >> Subject: RE: Prob: failed to verify krb5 credentials: Server not
>> found in Kerb
>> >>
>> >>
>> >> for sure the port number should not be in the SPN. I didn't even
>> notice
>> >> that. I was wondering if there is any principal at all
>> >>
>> >> -----Original Message-----
>> >> From: Douglas E. Engert [mailto:[email protected]]
>> >> Sent: Tuesday, February 03, 2009 2:13 PM
>> >> To: Paul Moore
>> >> Cc: [email protected]; [email protected]
>> >> Subject: Re: Prob: failed to verify krb5 credentials: Server not
>> found
>> >> in Kerb
>> >>
>> >>
>> >> Paul Moore wrote:
>> >>> is there an AD account with that SPN?
>> >>> HTTP/wiki.test.lan:[email protected]
>> >>
>> >> The port number :8080 is usually not part of the principal name.
>> >> So the browser may be looking for HTTP/[email protected]
>> >>
>> >>
>> >>> -----Original Message-----
>> >>> From: [email protected] [mailto:[email protected]] On
>> >>> Behalf Of [email protected]
>> >>> Sent: Tuesday, February 03, 2009 6:28 AM
>> >>> To: [email protected]
>> >>> Subject: Prob: failed to verify krb5 credentials: Server not found
>> in
>> >>> Kerb
>> >>>
>> >>> Hey guys,
>> >>>
>> >>> I am short before despairing :(
>> >>>
>> >>> Maybe someone has time and likes to help me? :)
>> >>>
>> >>> I am trying to set up kerberos to authenticate a
>> >>> TWiki running on Unix against a Windows Server 2003 Active
>> >> Directory...
>> >>> I configured the krb5.conf like this:
>> >>>
>> >>> [logging]
>> >>> ...
>> >>>
>> >>> [libdefaults]
>> >>> default_realm = SRV.TEST.LAN
>> >>> dns_lookup_realm = false
>> >>> dns_lookup_kdc = false
>> >>> ticket_lifetime = 24000
>> >>> forwardable = yes
>> >>>
>> >>> [realms]
>> >>> SRV.TEST.LAN = {
>> >>> kdc = location.srv.test.lan:88
>> >>> admin_server = location.srv.test.lan:749
>> >>> default_domain = SRV.TEST.LAN
>> >>> }
>> >>>
>> >>> [domain_realm]
>> >>> .test.lan = SRV.TEST.LAN
>> >>> test.lan = SRV.TEST.LAN
>> >>>
>> >>> [appdefaults]
>> >>> pam = {
>> >>> debug = false
>> >>> ticket_lifetime = 24000
>> >>> renew_lifetime = 36000
>> >>> forwardable = true
>> >>> krb4_convert = false
>> >>> }
>> >>>
>> >>> When I use "kinit" everything works fine. With every valid login I
>> get
>> >> a
>> >>> ticket...
>> >>>
>> >>>
>> >>> Then I created the keytab file, set with a valid user and password
>> for
>> >>> the service: HTTP/wiki.test.lan:[email protected]
>> >>
>> >> Leave off the :8080
>> >>
>> >>> http://wiki.test.lan:8080/bin is the url I type into the browser...
>> >>>
>> >>> When I use "kinit" with the keytab and HTTP/wiki.test.lan:8080
>> >>> everything works fine... I get a ticket...
>> >>>
>> >>> Now I wanna setup the twiki to use kerberos to authenticate with...
>> >>> The httpd.conf for the "bin" directory at http://wiki.test.lan:8080/
>> >> is
>> >>> like following:
>> >>> Order Deny,Allow
>> >>> Allow from all
>> >>>
>> >>> AuthType Kerberos
>> >>> KrbAuthRealms SRV.TEST.LAN
>> >>> KrbServiceName HTTP
>> >>> Krb5Keytab /etc/http.keytab
>> >>> KrbMethodNegotiate on
>> >>> KrbMethodK5Passwd on
>> >>> Require valid-user
>> >>>
>> >>> When I browse to "http://wiki.srv.lan:8080/bin" the login box
>> >> prompts...
>> >>> I enter a valid login, but the box stays...
>> >>>
>> >>> In the log it says:
>> >>> failed to verify krb5 credentials: Server not found in Kerberos
>> >> database
>> >>> What is wrong? Can someone help me?! :(
>> >>>
>> >>> Greets,
>> >>>
>> >>>
>> >>> ________________________________________________
>> >>> Kerberos mailing list [email protected]
>> >>> https://mailman.mit.edu/mailman/listinfo/kerberos
>> >>>
>> >>
>> >
>> > --
>> >
>> > Douglas E. Engert <[email protected]>
>> > Argonne National Laboratory
>> > 9700 South Cass Avenue
>> > Argonne, Illinois 60439
>> > (630) 252-5444
>> >
>>
>
> --
>
> Douglas E. Engert <[email protected]>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
>
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
