> Who owns /etc/http.keytab? Apache needs access to the file.

The apache has access to the keytab. I also put the keytab directly into the twiki web directory itself. Made no change...

> Does hostname on the unix system show the FQDN: wiki.test.lan?

I did a nslookup on the unix system and it showed me the server as wiki.test.lan. I thought this would be enough on finding out the FQDN... Am I wrong with that?

> How did you create this account, and why do you think the key and kvno in the
> keytab match what is in AD?

I created the account on the AD manually... Then I created the keytab file by using ktpass with the SPN, the username, the password and some other things for the encryption. I can give you the complete exact information tomorrow...

> As Paul said: Wireshark. It can parse Kerberos packets.

Okay, I got some experience with wireshark, just did not think about it... I'll try it out :)

> there needs to be a principal (user or computer) in AD with a Service
> Principal Name equal to http/wiki.test.len
>
> this gets created for a windows machine when the machine joins
>
> you seem to be doing this by hand. So you must use setspn (addspn? I
> forget) to add an SPN to the user or machine account for which you have
> created the keytab. Or adsiedit will do it
>
> shameless commercial plug: you could always use a commercial solution
> such as Centrify DirectControl , it will do the right thing
> automatically for you

Mh... I don't know if I get you right... Currently the user's name at the AD, that's also in the keytab file, is TWikiUser. So I have to change its username to http/wiki.test.lan?

Greets,

----- Original Message -----
From: "Douglas E. Engert" <deeng...@anl.gov>
To: <slainde...@kabelmail.de>
Cc: <paul.mo...@centrify.com>; <kerberos@mit.edu>
Sent: Wednesday, February 04, 2009 12:07 AM
Subject: Re: Prob: failed to verify krb5 credentials: Server not found in

> Two more things:
> Who owns /etc/http.keytab? Apache needs access to the file.
>
> Does hostname on the unix system show the FQDN: wiki.test.lan?
>
>
> slainde...@kabelmail.de wrote:
>> First of all, thanks for your answers and interest.
>>
>> I already tried it without the port, because I realized, short after I sent
>> my first mail, that the port is really not part of the name.
>>
>> So I recreated the keytab file with HTTP/wiki.test....@srv.test.lan.
>> Kinit still works, but the "Server not in kerberos database" problem still
>> remains.
>>
>> @Paul Moore: What do you mean, with "an AD account with that SPN"? Could you
>> be just a little more specific? It's late over here in Germany ;)
>>
>> I had created an extra user and password at the AD. This login is saved
>> inside of the keytab together with the SPN: HTTP/wiki.test....@srv.test.lan
>>
>> BTW: Is there a way, to find out, what address the server is looking for?
>>
>> Greets,
>>
>>
>> ----- Original Message -----
>> From: "Paul Moore" <paul.mo...@centrify.com>
>> To: "Douglas E. Engert" <deeng...@anl.gov>
>> Cc: <slainde...@kabelmail.de>; <kerberos@mit.edu>
>> Sent: Tuesday, February 03, 2009 11:14 PM
>> Subject: RE: Prob: failed to verify krb5 credentials: Server not found in
>> Kerb
>>
>>
>> for sure the port number should not be in the SPN. I didn't even notice
>> that. I was wondering if there is any principal at all
>>
>> -----Original Message-----
>> From: Douglas E. Engert [mailto:deeng...@anl.gov]
>> Sent: Tuesday, February 03, 2009 2:13 PM
>> To: Paul Moore
>> Cc: slainde...@kabelmail.de; kerberos@mit.edu
>> Subject: Re: Prob: failed to verify krb5 credentials: Server not found
>> in Kerb
>>
>>
>> Paul Moore wrote:
>>> is there an AD account with that SPN?
>>> HTTP/wiki.test.lan:8...@srv.test.lan
>>
>> The port number :8080 is usually not part of the principal name.
>> So the browser may be looking for HTTP/wiki.test....@srv.test.lan
>>
>>
>>> -----Original Message-----
>>> From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu] On
>>> Behalf Of slainde...@kabelmail.de
>>> Sent: Tuesday, February 03, 2009 6:28 AM
>>> To: kerberos@mit.edu
>>> Subject: Prob: failed to verify krb5 credentials: Server not found in
>>> Kerb
>>>
>>> Hey guys,
>>>
>>> I am short before despairing :(
>>>
>>> Maybe someone has time and likes to help me? :)
>>>
>>> I am trying to set up kerberos to authenticate a
>>> TWiki running on Unix against a Windows Server 2003 Active Directory...
>>> I configured the krb5.conf like this:
>>>
>>> [logging]
>>> ...
>>>
>>> [libdefaults]
>>>     default_realm = SRV.TEST.LAN
>>>     dns_lookup_realm = false
>>>     dns_lookup_kdc = false
>>>     ticket_lifetime = 24000
>>>     forwardable = yes
>>>
>>> [realms]
>>>     SRV.TEST.LAN = {
>>>         kdc = location.srv.test.lan:88
>>>         admin_server = location.srv.test.lan:749
>>>         default_domain = SRV.TEST.LAN
>>>     }
>>>
>>> [domain_realm]
>>>     .test.lan = SRV.TEST.LAN
>>>     test.lan = SRV.TEST.LAN
>>>
>>> [appdefaults]
>>>     pam = {
>>>         debug = false
>>>         ticket_lifetime = 24000
>>>         renew_lifetime = 36000
>>>         forwardable = true
>>>         krb4_convert = false
>>>     }
>>>
>>> When I use "kinit" everything works fine. With every valid login I get a
>>> ticket...
>>>
>>>
>>> Then I created the keytab file, set with a valid user and password for
>>> the service: HTTP/wiki.test.lan:8...@srv.test.lan
>>
>> Leave off the :8080
>>
>>> http://wiki.test.lan:8080/bin is the url I type into the browser...
>>>
>>> When I use "kinit" with the keytab and HTTP/wiki.test.lan:8080
>>> everything works fine... I get a ticket...
>>>
>>> Now I wanna setup the twiki to use kerberos to authenticate with...
>>> The httpd.conf for the "bin" directory at http://wiki.test.lan:8080/ is
>>> like following:
>>>
>>>     Order Deny,Allow
>>>     Allow from all
>>>
>>>     AuthType Kerberos
>>>     KrbAuthRealms SRV.TEST.LAN
>>>     KrbServiceName HTTP
>>>     Krb5Keytab /etc/http.keytab
>>>     KrbMethodNegotiate on
>>>     KrbMethodK5Passwd on
>>>     Require valid-user
>>>
>>> When I browse to "http://wiki.srv.lan:8080/bin" the login box prompts...
>>> I enter a valid login, but the box stays...
>>>
>>> In the log it says:
>>> failed to verify krb5 credentials: Server not found in Kerberos database
>>>
>>> What is wrong? Can someone help me?! :(
>>>
>>> Greets,
>>>
>>>
>>> ________________________________________________
>>> Kerberos mailing list Kerberos@mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>
>
> --
>
> Douglas E. Engert <deeng...@anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
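The checks the replies above ask for (no port in the SPN, a principal AD actually knows, a keytab KVNO that matches AD, a keytab Apache can read, a host part equal to the machine's FQDN) can be scripted before touching Apache again. The following is an added example, not code posted by anyone on the list. It assumes the MIT `klist -kt` output layout (one row per key: KVNO, timestamp, principal), that Apache runs as the `apache` user, and that the account's current KVNO in AD is read out of band (its msDS-KeyVersionNumber attribute); the `klist` text below is constructed sample data, not a real keytab.

```python
"""Pre-flight checks for an Apache (mod_auth_kerb) keytab against AD.

Added example for the thread above; not code posted by any participant.
Assumptions: MIT `klist -kt` output layout (KVNO, timestamp, principal per
row), Apache running as the `apache` user, and the account's current KVNO
in AD read out of band (its msDS-KeyVersionNumber attribute).
"""
import os
import re
import socket

# service/host@REALM; the host part must be the bare FQDN, never host:port
PRINCIPAL_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^@]+)@(?P<realm>[^@]+)$")

# Constructed sample of `klist -kt /etc/http.keytab` output (not real data)
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/http.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/03/09 18:00:00 HTTP/wiki.test.lan:8080@SRV.TEST.LAN
   3 02/04/09 09:30:00 HTTP/wiki.test.lan@SRV.TEST.LAN
"""


def principal_problems(principal, expected_host=None):
    """List reasons why `principal` is not what a browser will ask the KDC for
    (an empty list means the name looks right)."""
    problems = []
    m = PRINCIPAL_RE.match(principal)
    if not m:
        return ["not of the form service/host@REALM: %r" % principal]
    service, host, realm = m.group("service", "host", "realm")
    if ":" in host:
        host, port = host.split(":", 1)
        problems.append("port %s in the host part; the SPN never carries the port" % port)
    if "." not in host:
        problems.append("host %r is not a fully qualified name" % host)
    if expected_host and host.lower() != expected_host.lower():
        problems.append("host %r differs from this machine's FQDN %r" % (host, expected_host))
    if service != "HTTP":
        # MIT principal names are case-sensitive; browsers and KrbServiceName use HTTP
        problems.append("service %r is not HTTP" % service)
    if realm != realm.upper():
        problems.append("realm %r is not upper-case" % realm)
    return problems


def parse_klist(output):
    """Turn `klist -kt` output into a list of (kvno, principal) tuples."""
    entries = []
    for line in output.splitlines():
        parts = line.split()
        if parts and parts[0].isdigit():      # key rows start with the KVNO
            entries.append((int(parts[0]), parts[-1]))
    return entries


def keytab_problems(klist_output, expected_principal, ad_kvno=None, expected_host=None):
    """Check that the keytab holds the expected SPN with the KVNO AD currently has."""
    problems = principal_problems(expected_principal, expected_host)
    entries = parse_klist(klist_output)
    matching = sorted(kvno for kvno, p in entries if p == expected_principal)
    if not matching:
        problems.append("no keytab entry for %s (found: %s)"
                        % (expected_principal, sorted({p for _, p in entries})))
    elif ad_kvno is not None and ad_kvno not in matching:
        # a ktpass run that sets the account password bumps its KVNO in AD,
        # so a keytab written by an earlier run is silently stale
        problems.append("keytab has kvno %s but AD has kvno %d; re-run ktpass and install "
                        "the new keytab" % (matching, ad_kvno))
    return problems


def keytab_file_problems(path, service_user="apache"):
    """The service user must be able to read the keytab and nobody else should:
    the keys in it are the service's credentials."""
    import pwd
    try:
        st = os.stat(path)
    except OSError as e:
        return ["cannot stat %s: %s" % (path, e)]
    problems = []
    if st.st_mode & 0o004:
        problems.append("%s is world-readable; chmod 640 it" % path)
    try:
        pw = pwd.getpwnam(service_user)
    except KeyError:
        return problems + ["no such user %r on this host" % service_user]
    readable = st.st_uid == pw.pw_uid or (st.st_gid == pw.pw_gid and st.st_mode & 0o040)
    if not readable:
        problems.append("%s is not readable by %s: owner uid %d, gid %d, mode %o"
                        % (path, service_user, st.st_uid, st.st_gid, st.st_mode & 0o777))
    return problems


if __name__ == "__main__":
    fqdn = socket.getfqdn()  # what `hostname -f` would report on this box
    wanted = "HTTP/wiki.test.lan@SRV.TEST.LAN"
    for p in keytab_problems(SAMPLE_KLIST, wanted, ad_kvno=4, expected_host=fqdn):
        print("PROBLEM:", p)
    for p in keytab_file_problems("/etc/http.keytab"):
        print("PROBLEM:", p)
```

Run it with the real `klist -kt /etc/http.keytab` text and the KVNO read from the AD account; an empty problem list for both functions leaves only the SPN registration on the AD side (setspn or adsiedit, as Paul describes) and the packet trace in Wireshark as remaining things to check.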