Gssapi Error Miscellaneous Failure Server Not Found In Kerberos Database
NCSA Kerberos Troubleshooting for Unix
Added by Unknown User (cquinlan), last edited by Unknown User (cquinlan) on Oct 25, 2011 (Comment: Migrated to Confluence 5.3)

Problems seen by users

General Errors
- Permission denied while initializing krb5
- Requesting host principal without fully-qualified domain name
Telnet issues
- telnet: Authorization failed
kinit issues
- kinit: Internal file credentials cache error when initializing cache
- kinit: Preauthentication failed while getting initial credentials
- kinit: Clock skew too great in KDC reply while getting initial credentials
- kinit: password prompt states "Password for myloginname@example.com:", how do I get the NCSA realm?
- kinit: Key table entry not found while getting initial credentials
- kinit: Credentials cache I/O operation failed XXX when initializing cache
klist issues
- klist: No credentials cache found
rlogin issues
- rlogin: Bad sendauth version was sent
ftp issues
- ftp: UNKNOWN_SERVER ftp/
Kerberos authentication fails on a JDBC client: check the JAAS login configuration file for syntax issues. If the syntax is incorrect, authentication fails.

Working Domain Name Service (DNS) Not Configured
Verify that the DNS entries and hosts on the network are all properly configured for your environment. Refer to the Kerberos documentation for your platform for details.

System Clocks Out of Sync
System clocks in your network must remain in sync for Kerberos authentication to work properly. To do so:
1. Install NTP on the Kerberos server (KDC).
2. Install NTP on each server in your network.
3. Synchronize the system clocks of all machines that participate in the Kerberos realm to within a few minutes of the KDC and of each other.

Clock skew can be problematic on Linux virtual machines that need to sync with the Windows Time Service. Try the following to keep time in sync:
1. Using any text editor, open /etc/ntp.conf. Under the Undisciplined Local Clock section, add the IP address of the Vertica Analytic Database server. Then remove the existing server entries.
2. Log in to the server as root, and set up a cron job that restarts ntpd every half hour, or as often as needed. For example, this crontab line restarts it every two hours:
   0 */2 * * * /etc/init.d/ntpd restart
Alternatively, run the following command to force a clock sync immediately:
   $ sudo /etc/init.d/ntpd restart
For more information, see Set Up Time Synchronization in the Installation Guide and the Network Time Protocol website.

Kerberos Ticket Is Valid but Hadoop Access Fails
HP Vertica uses Kerberos tickets to obtain Hadoop tokens. It then uses the Hadoop tokens to access the Hadoop data. Hadoop tokens expire after a period of time, so HP Vertica refreshes them periodically. However, if your Hadoop cluster is set to expire tokens frequently, it is possible that tokens are not refreshed in time. If the token expires, you cannot access data. Setting the HadoopFSTokenRefreshFrequency configuration parameter lets you specify how often HP Vertica should refresh the token. Specify this value in seconds, and make it smaller than the expiration period set for Hadoop. For example:
   => ALTER DATABASE exampledb SET HadoopFSTokenRefreshFrequency = '86400';

Encryption Algorithm Choices
Kerberos is based on symmetric encryption. Be sure
(From http://www.0xf8.org/2014/01/configuring-sssds-active-directory-provider/)

Following up on the previous post, here's how we get sssd to actually provide access to our Samba-driven Active Directory. I started with the instructions in the Samba wiki, but these actually go beyond the minimum that is necessary. Let me also add some context to the individual components and settings involved.

How sssd's components work together
sssd is quite modular: if you read the sssd.conf man page, you'll learn about services and domains. You will also learn about different providers, such as the already mentioned Active Directory provider that we are going to use. Do not be fooled, however: providers are not mutually exclusive. For example, our Active Directory provider works together with the LDAP and the Kerberos providers, as shown here:
[Figure: Individual sssd components working together]
As a consequence, we'll have to consider not only sssd-ad configuration directives but also some of those of sssd-ldap and sssd-krb5. And, because sssd-krb5 uses the Kerberos library, we'll also have to consider /etc/krb5.conf.

Configuration explained
Without further ado, here's an example of a minimal /etc/sssd.conf that takes advantage of autodiscovery:
[sssd]
config_file_version=2
services=nss, pam
domains=ad.mydomain.foo.bar
[domain/ad.mydomain.foo.bar]
id_provider=ad
access_provider=ad
dyndns_update=false
enumerate=true
ldap_id_mapping=true
krb5_realm=AD.MYDOMAIN.FOO.BAR
krb5_keytab=/etc/sssd/ad.mydomain.foo.bar.keytab
Setting id_provider and access_provider activates sssd-ad as identity provider (i.e. the source for user and group information) and access provider (i.e. it checks whether a user is allowed access). However, it also activates it as authentication provider (i.e. it checks passwords) and chpass provider (i.e. it changes passwords), because id_provider's value is the default for auth_provider, which in turn is the default for chpass_provider. We do not specify ad_domain because the default is to use the configuration section's name (minus the "domain/" part, of course). We do not specify ad_server either, because Samba's DNS server has automagically set up SRV records for us that sssd-ad can use for service discovery. I disabled dyndns_update for now because it gave me problems. Setting enumerate to true is debatable and recommended for small setups only, but you might want it for playing around with nested groups and seeing how they work. The default is false. There's no need to specify any o
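Because several of the providers named above are filled in from other settings rather than written in the file, it is easy to misjudge what a given sssd.conf will actually do. The following script is an added example written for this page, not part of sssd or of the post above: it parses an sssd.conf with Python's configparser, applies the defaults the paragraph describes (auth_provider from id_provider, chpass_provider from auth_provider, ad_domain from the section name), plus sssd's documented defaults of access_provider=permit and krb5_keytab=/etc/krb5.keytab, and reports the findings a reviewer would want to see. The embedded configuration is constructed for the example and mirrors the one shown above.

```python
"""Effective-provider check for a minimal sssd.conf (added example).

Not part of sssd. Applies the defaults sssd uses for settings that are
absent from the file and flags settings worth a second look. The config
below is constructed for this example; it mirrors the one shown above.
"""
import configparser

SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version=2
services=nss, pam
domains=ad.mydomain.foo.bar

[domain/ad.mydomain.foo.bar]
id_provider=ad
access_provider=ad
dyndns_update=false
enumerate=true
ldap_id_mapping=true
krb5_realm=AD.MYDOMAIN.FOO.BAR
krb5_keytab=/etc/sssd/ad.mydomain.foo.bar.keytab
"""


def load_sssd_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def effective_domain(cp, section):
    """Apply sssd's provider defaults to one [domain/<name>] section."""
    d = cp[section]
    name = section[len("domain/"):]
    id_p = d.get("id_provider")
    auth_p = d.get("auth_provider", id_p)        # defaults to id_provider
    chpass_p = d.get("chpass_provider", auth_p)  # defaults to auth_provider
    return {
        "name": name,
        "id_provider": id_p,
        "auth_provider": auth_p,
        "chpass_provider": chpass_p,
        "access_provider": d.get("access_provider", "permit"),   # sssd default
        "ad_domain": d.get("ad_domain", name),                    # section name
        "enumerate": d.get("enumerate", "false").lower() == "true",
        "krb5_realm": d.get("krb5_realm"),
        "krb5_keytab": d.get("krb5_keytab", "/etc/krb5.keytab"),  # sssd default
    }


def check_sssd_conf(cp):
    """Return a list of findings; an empty list means nothing stood out."""
    findings = []
    listed = _csv(cp["sssd"].get("domains", "")) if cp.has_section("sssd") else []
    present = [s[len("domain/"):] for s in cp.sections() if s.startswith("domain/")]
    for name in listed:
        if name not in present:
            findings.append("domain %r listed in [sssd] but has no section" % name)
    for name in present:
        if name not in listed:
            findings.append("section [domain/%s] is not in domains= and will be ignored" % name)
            continue
        eff = effective_domain(cp, "domain/" + name)
        if eff["id_provider"] is None:
            findings.append("[domain/%s] has no id_provider" % name)
        if eff["access_provider"] == "permit":
            findings.append("[domain/%s] access_provider=permit: every authenticated user is let in" % name)
        if eff["enumerate"]:
            findings.append("[domain/%s] enumerate=true: fine for a small domain, costly for a large one" % name)
        realm = eff["krb5_realm"]
        if realm and realm != realm.upper():
            findings.append("[domain/%s] krb5_realm %r is not upper-case" % (name, realm))
        if not eff["krb5_keytab"].startswith("/"):
            findings.append("[domain/%s] krb5_keytab %r is not an absolute path" % (name, eff["krb5_keytab"]))
    return findings


if __name__ == "__main__":
    conf = load_sssd_conf(SAMPLE_SSSD_CONF)
    for k, v in effective_domain(conf, "domain/ad.mydomain.foo.bar").items():
        print("%-16s %s" % (k, v))
    for f in check_sssd_conf(conf):
        print("finding:", f)
```

Run against the configuration above it reports only the enumerate=true setting; drop access_provider and it also reports that the domain falls back to permit, which is the default most people do not expect.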
authentication using SASL. Although a lot of good information is there, it wasn't explicit enough for me. Evidently, he didn't anticipate that some of us dolts would try this without having already been Kerberos administrators for a while. This document is an attempt to hold the hand of an administrator who hasn't had experience with either Kerberos or SASL, but knows that he wants to use both for authentication through the GSSAPI mechanism under SASL. Much of it repeats other documentation that you should have already read but skipped because you wanted to get this done now. Go read that documentation now. More information and more hand-holding can be found in Turbo Fredriksson's wonderful HOWTO on the subject. Like him, I'm using Debian Linux. However, the testing distribution seems to have some features that were lacking in the distribution that Turbo was using.

Base Configuration
If you want to get going quickly using Debian, just run through this configuration document.

Kerberos Setup
This is the part a lot of you are probably missing. I know I was.
1. Set up DNS records. See the administration guide for this, or Turbo's page.
2. Execute krb5_newrealm (a Debian command). Type in the password twice; remember it or write it down somewhere secure. The kadmin principals are created and the Kerberos servers are started automatically.
3. Execute kadmin.local. listprincs shows the created principals.
4. ank -randkey ldap/FQDN
   We need this key for SASL authentication. We'll also use it in the next step, when we test SASL auth. "FQDN" is the host's fully qualified domain name; "ldap" must match the name of the service that you want to authenticate with Kerberos.
5. ktadd ldap/FQDN
   This command puts the key in the /etc/krb5.keytab file so that your servers can use it to authenticate themselves. Usually you won't have keytab files on the same machine as the Kerberos server, so you have to use ktadd -k filename principal and then securely copy the file from filename to whichever host runs the service.
6. ank username
   You need a username to authenticate.

Running the Sample SASL Server
You'll have to compile this yourself. If you are inexperienced with SASL or Kerberos or both, I really recommend you go through this, as it will help you diagnose where your problem is. The testing process is simple but cumbersome. Open two windows and get ready to cut-n-paste between them.
1. Type kinit username to authenticate yourself to Kerberos first.
2. In the first window, type ./sample-server -s ldap
3. In the second one, type ./sample-client -s ldap -n FQDN -u username
4. Cut the line that starts
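Before a keytab written with ktadd -k is copied to the LDAP host, it is worth checking what it actually contains: that the principal is ldap/FQDN@REALM with a fully qualified host part (an unqualified one is what the "Requesting host principal without fully-qualified domain name" problem above is about), which key version it carries, and which enctypes it holds. This is an added example written for this page, not code from MIT krb5 or from the HOWTO above: a stand-alone parser for the MIT keytab file format (version 0x0502, big-endian), together with a small check. The keytab it parses is constructed in the script from dummy key bytes; the principal, realm and timestamp are illustrative values.

```python
"""Parse and sanity-check an MIT Kerberos keytab (added example, not from
MIT krb5 or any tool it ships). Before copying a file written by
"ktadd -k <file> ldap/<FQDN>" to the LDAP host, confirm it holds the
principal you expect, that the host part is fully qualified, and that
the enctypes are acceptable. Format: version 0x0502, big-endian.
The keytab bytes below are constructed here with dummy key material."""
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 3, 16, 23}
KT_MAGIC = b"\x05\x02"


def _counted(b):
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data, off):
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n


def build_entry(principal, realm, kvno, enctype, key, timestamp, name_type=1):
    """Encode one keytab_entry, size prefix included, the way ktadd writes it."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)  # name_type, timestamp, vno8
    body += struct.pack(">H", enctype) + _counted(key)              # keyblock
    body += struct.pack(">I", kvno)                                 # 32-bit vno extension
    return struct.pack(">i", len(body)) + body


def deleted_slot(nbytes):
    """A removed entry keeps its space: negative size, payload ignored."""
    return struct.pack(">i", -nbytes) + b"\x00" * nbytes


def parse_keytab(data):
    if data[:2] != KT_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                     # deleted slot: skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _read_counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _read_counted(data, off)
            comps.append(c.decode())
        name_type, timestamp, vno = struct.unpack_from(">IIB", data, off)
        (enctype,) = struct.unpack_from(">H", data, off + 9)
        key, off = _read_counted(data, off + 11)
        if end - off >= 4:               # 32-bit vno present; a nonzero value overrides vno8
            (vno32,) = struct.unpack_from(">I", data, off)
            vno = vno32 or vno
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "kvno": vno, "enctype": enctype,
                        "enctype_name": ENCTYPES.get(enctype, "unknown(%d)" % enctype),
                        "timestamp": timestamp, "key_len": len(key)})
    return entries


def check_service_keytab(entries, service, fqdn, realm):
    """Findings worth fixing before the keytab is copied to the service host."""
    want = "%s/%s@%s" % (service, fqdn, realm)
    problems = []
    if "." not in fqdn:
        problems.append("host part %r is not fully qualified" % fqdn)
    if realm != realm.upper():
        problems.append("realm %r is not upper-case" % realm)
    mine = [e for e in entries if e["principal"] == want]
    if not mine:
        problems.append("no key for %s in this keytab" % want)
    for e in mine:
        if e["enctype"] in WEAK_ENCTYPES:
            problems.append("%s has weak enctype %s" % (want, e["enctype_name"]))
    return problems


# Constructed sample: two enctypes for the same principal at kvno 2, with a
# deleted slot between them. Keys are dummy bytes, not real key material.
SAMPLE_KEYTAB = (KT_MAGIC
                 + build_entry("ldap/ldap.example.com", "EXAMPLE.COM", 2, 18, b"\x11" * 32, 1319500800)
                 + deleted_slot(40)
                 + build_entry("ldap/ldap.example.com", "EXAMPLE.COM", 2, 17, b"\x22" * 16, 1319500800))

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print("%-38s kvno %d  %s" % (e["principal"], e["kvno"], e["enctype_name"]))
    print(check_service_keytab(entries, "ldap", "ldap.example.com", "EXAMPLE.COM") or "keytab looks fine")
```

To run it against a real file, replace SAMPLE_KEYTAB with open("/path/to/file", "rb").read(); the parser never prints key bytes, only their length, which is all you need to confirm the file before it leaves the KDC.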