Now I have found the reason. The /etc/hosts file somehow messed up gssapi. The DNS name of the machine which gss-server is running on is "gcnode029.ca", and at the same time, this machine is also called "gcnode029" in the /etc/hosts file.

So when I tried to create a client in kdc called test/[EMAIL PROTECTED], surely I should run the gss-server using cmd:

[EMAIL PROTECTED] gss-sample]# ./gss-server -port 8888 test/gcnode029.ca

But the host name gcnode029.ca somehow caused an error:

GSS-API error acquiring credentials: Unspecified GSS failure. Minor code may provide more information
GSS-API error acquiring credentials: No principal in keytab matches desired name

But if I create a test/[EMAIL PROTECTED], and run gss-server using cmd:

[EMAIL PROTECTED] gss-sample]# ./gss-server -port 8888 test/gcnode029

Now everything runs perfectly. I don't know the exact reason for the above. Maybe the name defined in /etc/hosts and the DNS name are mixed together somehow. I searched a lot using Google, and found that many people met the same problem as mine. Hope the method above will help.

----- Original Message -----
From: "lizhong" <[EMAIL PROTECTED]>
To: "Michael B Allen" <[EMAIL PROTECTED]>
Cc: <kerberos@mit.edu>
Sent: Tuesday, August 22, 2006 10:27 AM
Subject: Re: gss-server error

> In the manual by Jim Rome, "How to Kerberize your site"
> (http://www.ornl.gov/~jar/HowToKerb.html#Configure), all examples are in
> lowercase.
> So I think there might be a DNS issue, or I used the parameters of the
> gss-server improperly.
>
> The server's command line usage is
>
> gss-server [-port port] [-verbose] [-once] [-inetd] [-export]
> [-logfile file] service_name
>
> where service_name is a GSS-API service name of the form "[EMAIL PROTECTED]"
> (or just "service", in which case the local host name is used).
>
> Now I have 2 machines, the KDC server is called A, and the application server
> is called B.
> The gss-server is on the machine B. The keytab file has been
> generated on the machine B:
> [EMAIL PROTECTED] gss-sample]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    6 test/[EMAIL PROTECTED]
>
> When I try to run gss-server using the command: "./gss-server -port 8888 -once
> test/[EMAIL PROTECTED]", output:
> [EMAIL PROTECTED] gss-sample]# ./gss-server -port 8888 -once test/[EMAIL PROTECTED]
> GSS-API error acquiring credentials: An invalid name was supplied
> GSS-API error acquiring credentials: Hostname cannot be canonicalized
>
> When I try to run gss-server using the command: "./gss-server -port 8888 -once
> test/admin", output:
> [EMAIL PROTECTED] gss-sample]# ./gss-server -port 8888 -once test/admin
> GSS-API error acquiring credentials: Unspecified GSS failure. Minor code may
> provide more information
> GSS-API error acquiring credentials: No principal in keytab matches desired
> name
>
> When I try to run gss-server using the command: "./gss-server -port 8888 -once
> test", output:
> [EMAIL PROTECTED] gss-sample]# ./gss-server -port 8888 -once test
> GSS-API error acquiring credentials: Unspecified GSS failure. Minor code may
> provide more information
> GSS-API error acquiring credentials: No principal in keytab matches desired
> name
>
> In fact I don't know exactly what the service-name should be like. Are the
> errors above caused by a DNS problem, or by the keytab file?
>
>
> ----- Original Message -----
> From: "Michael B Allen" <[EMAIL PROTECTED]>
> To: "lizhong" <[EMAIL PROTECTED]>
> Cc: <kerberos@mit.edu>
> Sent: Monday, August 21, 2006 10:29 PM
> Subject: Re: gss-server error
>
>
>> A Kerberos realm is always in uppercase [1]. If you did *everything*
>> with a lowercase realm name I suspect things might work but perhaps not.
>>
>> Or, based on the second error, perhaps there is a DNS issue?
>>
>> Mike
>>
>> [1] The realm is effectively the DNS domain in uppercase and therefore
>> it is not uncommon to see lowercase names (e.g. DNS oriented software).
>>
>> On Mon, 21 Aug 2006 17:00:03 +0800
>> "lizhong" <[EMAIL PROTECTED]> wrote:
>>
>>> I'm trying to test with gss-client and gss-server but am unsuccessful in
>>> getting it to work.
>>>
>>> I have setup a MIT Realm called test.com and added a client named
>>> test/[EMAIL PROTECTED]
>>> I am able to kinit and get a ticket from the KDC.
>>>
>>> [EMAIL PROTECTED] gss-sample]# kinit
>>> Password for test/[EMAIL PROTECTED]:
>>> kinit(v5): Password incorrect while getting initial credentials
>>> [EMAIL PROTECTED] gss-sample]# klist
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: test/[EMAIL PROTECTED]
>>>
>>> Valid starting     Expires            Service principal
>>> 08/21/06 15:45:15  08/22/06 15:45:15  krbtgt/[EMAIL PROTECTED]
>>>
>>>
>>> Kerberos 4 ticket cache: /tmp/tkt0
>>> klist: You have no tickets cached
>>> [EMAIL PROTECTED] gss-sample]#
>>>
>>> But if I run "gss-server -port 8888 -verbose -once test/[EMAIL PROTECTED]",
>>> I met the following error:
>>>
>>> [EMAIL PROTECTED] gss-sample]# ./gss-server -port 8888 -verbose -once
>>> test/[EMAIL PROTECTED]
>>> GSS-API error acquiring credentials: An invalid name was supplied
>>> GSS-API error acquiring credentials: Hostname cannot be canonicalized
>>>
>>> I guess I used the service name in an improper way. So what service name
>>> should I use? Thank you for any help!
>>>
>>>
>>>
>>
>>
>> --
>> Michael B Allen
>> PHP Active Directory SSO
>> http://www.ioplex.com/
>>
>>
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
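
A diagnostic for the keytab mismatch described in the top message, as an added example that is not part of the original thread or of the MIT gss-sample code: it lists the principals in `klist -k` output and reports which spelling of the host (the short /etc/hosts name or the DNS name) has a matching service/host entry. The keytab listing and the realm EXAMPLE.REALM are constructed, and the function names are hypothetical.

```python
import socket

# Constructed `klist -k` output; EXAMPLE.REALM is a placeholder realm.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 test/gcnode029@EXAMPLE.REALM
"""

def keytab_principals(klist_output):
    """Return the principal names listed by `klist -k`."""
    principals = []
    for line in klist_output.splitlines():
        fields = line.split()
        # Entry rows are "<kvno> <principal>"; header rows do not start with a number.
        if len(fields) == 2 and fields[0].isdigit():
            principals.append(fields[1])
    return principals

def local_host_forms():
    """Names this machine answers to: gethostname() plus the resolver's canonical name."""
    forms = [socket.gethostname()]
    try:
        info = socket.getaddrinfo(forms[0], None, flags=socket.AI_CANONNAME)
        if info and info[0][3]:
            forms.append(info[0][3])  # canonname as seen via /etc/hosts or DNS
    except OSError:
        pass  # name does not resolve at all; keep the bare hostname
    return list(dict.fromkeys(f.lower() for f in forms))

def match_service(service, host_forms, principals):
    """Map each host spelling to the keytab principals named service/host."""
    result = {}
    for host in host_forms:
        wanted = f"{service}/{host.lower()}"
        # Compare the part before the realm exactly; principal names are case-sensitive.
        result[host] = [p for p in principals if p.rsplit("@", 1)[0] == wanted]
    return result

if __name__ == "__main__":
    principals = keytab_principals(SAMPLE_KLIST)
    hosts = ["gcnode029", "gcnode029.ca"]  # the two spellings from the message
    for host, hits in match_service("test", hosts, principals).items():
        status = "found " + hits[0] if hits else "no principal in keytab"
        print(f"test/{host}: {status}")
    print("this machine resolves as:", local_host_forms())
```

On a real server, feed `keytab_principals` the output of `klist -k` and pass `local_host_forms()` as the host list to see whether the name the resolver returns has a keytab entry.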