Okay... I used "tcpdump -s 65535 -w out.dump" to generate a dump of the network 
traffic and loaded it into Wireshark with the kerberos filter on...

I get the following:
The ticket:
Client Realm: SRV.TEST.LAN
Client Name (Principal): SlainDevil
Tkt-vno: 5
Realm: SRV.TEST.LAN
Server Name (Unknown): krbtgt/SRV.TEST.LAN
Encryption type: rc4-hmac (23)
Encryption type: des-cbc-md5 (3)

And then the error message:
error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
Realm: SRV.TEST.LAN
Server Name (Service and Host): HTTP/wiki

I guess the last point is the mistake, isn't it? It should be HTTP/wiki.test.lan?
Anyone got a clue how to fix that? Currently I've got no idea why this happens... :(


-------- Kabel E-Mail Reply ---------------
From: paul.mo...@centrify.com
To  : slainde...@kabelmail.de;deeng...@anl.gov
Date: 04.02.2009 01:35:12


So does that user have the correct spn. Adsiedit will tell you

----- Original Message -----
From: <slainde...@kabelmail.de>
To: Paul Moore; <deeng...@anl.gov>
Cc: <kerberos@mit.edu>
Sent: Tue Feb 03 16:57:02 2009
Subject: Re: RE: Prob: failed to verify krb5 credentials: Server not

Yeah, I got several accounts.

The one for the application. Its name is TWikiUser. This name and its password
is in the keytab file for the authentication via Kerberos. The authentication
via the keytab file works. I tried it with "kinit -k -t /etc/http.keytab
HTTP/wiki.test.lan". I got the ticket from the AD. KVNO and encryption type
were all right.

Every user shall login with its already existing AD accounts. These are the
logins, which I try to enter in the login prompt when I visit
http://wiki.test.lan:8080.


-------- Kabel E-Mail Reply ---------------
From: paul.mo...@centrify.com
To  : slainde...@kabelmail.de;deeng...@anl.gov
Date: 04.02.2009 00:29:27

there are 2 user accounts

a) one for the application
b) one (or more) for the user you are logging on with

user (a) must have an SPN of http/wiki.test.lan , the actual upn does
not matter wikiwebserver will do nicely
user (b) is just a regular user


-----Original Message-----
From: slainde...@kabelmail.de [mailto:slainde...@kabelmail.de]
Sent: Tuesday, February 03, 2009 4:21 PM
To: deeng...@anl.gov
Cc: Paul Moore; kerberos@mit.edu
Subject: Re: Prob: failed to verify krb5 credentials: Server not in

>  Who owns /etc/http.keytab? Apache needs access to the file.

The apache has access to the keytab. I also put the keytab directly into
the twiki web directory itself. Made no change...

> Does hostname on the unix system show the FQDN: wiki.test.lan?

I did a nslookup on the unix system and it showed me the server as
wiki.test.lan.
I thought this would be enough on finding out the FQDN... Am I wrong
with that?

> How did you create this account, and why do you think the key and kvno
> in the keytab match what is in AD?

I created the account on the AD manually... Then I created the keytab
file by using ktpass with the SPN, the username, the password and some
other things for the encryption. I can give you the complete exact
information tomorrow...

> As Paul said:  Wireshark. It can parse Kerberos packets.

Okay, I got some experience with wireshark, just did not think about
it...
I'll try it out :)

> there needs to be a principal (user or computer) in AD with a Service
> Principal Name equal to http/wiki.test.len
>
> this gets created for a windows machine when the machine joins
>
> you seem to be doing this by hand. So you must use setspn (addspn? I
> forget) to add an SPN to the user or machine account for which you have
> created the keytab. Or adsiedit will do it
>
> shameless commercial plug: you could always use a commercial solution
> such as Centrify DirectControl , it will do the right thing
> automatically for you

Mh... I don't know if I get you right... Currently the user's name at the
AD, that's also in the keytab file, is TWikiUser. So I have to change its
username to http/wiki.test.lan?

Greets,


----- Original Message -----
From: "Douglas E. Engert" <deeng...@anl.gov>
To: <slainde...@kabelmail.de>
Cc: <paul.mo...@centrify.com>; <kerberos@mit.edu>
Sent: Wednesday, February 04, 2009 12:07 AM
Subject: Re: Prob: failed to verify krb5 credentials: Server not found in


> Two more things:
>  Who owns /etc/http.keytab? Apache needs access to the file.
>
> Does hostname on the unix system show the FQDN: wiki.test.lan?
>
>
>
> slainde...@kabelmail.de wrote:
>> First of all, thanks for your answers and interest.
>>
>> I already tried it without the port, because I realized, short after
>> I sent my first mail, that the port is really not part of the name.
>>
>> So I recreated the keytab file with HTTP/wiki.test....@srv.test.lan.
>> Kinit still works, but the "Server not in kerberos database" problem
>> still remains.
>>
>> @Paul Moore: What do you mean, with "an AD account with that SPN"?
>> Could you be just a little more specific? It's late over here in Germany
>> ;)
>>
>> I had created an extra user and password at the AD. This login is
>> saved inside of the keytab together with the SPN:
>> HTTP/wiki.test....@srv.test.lan
>>
>> BTW: Is there a way, to find out, what address the server is looking
>> for?
>>
>> Greets,
>>
>>
>> ----- Original Message -----
>> From: "Paul Moore" <paul.mo...@centrify.com>
>> To: "Douglas E. Engert" <deeng...@anl.gov>
>> Cc: <slainde...@kabelmail.de>; <kerberos@mit.edu>
>> Sent: Tuesday, February 03, 2009 11:14 PM
>> Subject: RE: Prob: failed to verify krb5 credentials: Server not
>> found in Kerb
>>
>>
>> for sure the port number should not be in the SPN. I didn't even
>> notice
>> that. I was wondering if there is any principal at all
>>
>> -----Original Message-----
>> From: Douglas E. Engert [mailto:deeng...@anl.gov]
>> Sent: Tuesday, February 03, 2009 2:13 PM
>> To: Paul Moore
>> Cc: slainde...@kabelmail.de; kerberos@mit.edu
>> Subject: Re: Prob: failed to verify krb5 credentials: Server not
>> found
>> in Kerb
>>
>>
>>
>> Paul Moore wrote:
>>> is there an AD account with that SPN?
>>> HTTP/wiki.test.lan:8...@srv.test.lan
>>
>> The port number :8080 is usually not part of the principal name.
>> So the browser may be looking for HTTP/wiki.test....@srv.test.lan
>>
>>
>>> -----Original Message-----
>>> From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu] On
>>> Behalf Of slainde...@kabelmail.de
>>> Sent: Tuesday, February 03, 2009 6:28 AM
>>> To: kerberos@mit.edu
>>> Subject: Prob: failed to verify krb5 credentials: Server not found
>>> in Kerb
>>>
>>> Hey guys,
>>>
>>> I am short before despairing :(
>>>
>>> Maybe someone has time and likes to help me? :)
>>>
>>> I am trying to set up kerberos to authenticate a
>>> TWiki running on Unix against a Windows Server 2003 Active
>>> Directory...
>>> I configured the krb5.conf like this:
>>>
>>> [logging]
>>>  ...
>>>
>>> [libdefaults]
>>>  default_realm = SRV.TEST.LAN
>>>  dns_lookup_realm = false
>>>  dns_lookup_kdc = false
>>>  ticket_lifetime = 24000
>>>  forwardable = yes
>>>
>>> [realms]
>>>  SRV.TEST.LAN = {
>>>   kdc = location.srv.test.lan:88
>>>   admin_server =  location.srv.test.lan:749
>>>   default_domain = SRV.TEST.LAN
>>>  }
>>>
>>> [domain_realm]
>>>  .test.lan = SRV.TEST.LAN
>>>  test.lan = SRV.TEST.LAN
>>>
>>> [appdefaults]
>>>  pam = {
>>>    debug = false
>>>    ticket_lifetime = 24000
>>>    renew_lifetime = 36000
>>>    forwardable = true
>>>    krb4_convert = false
>>>  }
>>>
>>> When I use "kinit" everything works fine. With every valid login I
>>> get a ticket...
>>>
>>>
>>> Then I created the keytab file, set with a valid user and password
>>> for the service: HTTP/wiki.test.lan:8...@srv.test.lan
>>
>> Leave  off the :8080
>>
>>> http://wiki.test.lan:8080/bin is the url I type into the browser...
>>>
>>> When I use "kinit" with the keytab and HTTP/wiki.test.lan:8080
>>> everything works fine... I get a ticket...
>>>
>>> Now I wanna setup the twiki to use kerberos to authenticate with...
>>> The httpd.conf for the "bin" directory at http://wiki.test.lan:8080/
>>> is like following:
>>> Order Deny,Allow
>>> Allow from all
>>>
>>> AuthType Kerberos
>>> KrbAuthRealms SRV.TEST.LAN
>>> KrbServiceName HTTP
>>> Krb5Keytab /etc/http.keytab
>>> KrbMethodNegotiate on
>>> KrbMethodK5Passwd on
>>> Require valid-user
>>>
>>> When I browse to "http://wiki.srv.lan:8080/bin" the login box
>>> prompts...
>>> I enter a valid login, but the box stays...
>>>
>>> In the log it says:
>>> failed to verify krb5 credentials: Server not found in Kerberos
>>> database
>>> What is wrong? Can someone help me?! :(
>>>
>>> Greets,
>>>
>>>
>>> ________________________________________________
>>> Kerberos mailing list           Kerberos@mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>>
>>
>
> --
>
>  Douglas E. Engert <deeng...@anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
>



________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
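As an added example (not code from the thread or from any of the posters), the check the thread converges on, written out in Python: derive the service principal a Negotiate client asks the KDC for when it opens a URL (port dropped, realm taken from the domain_realm section quoted above) and test whether an MIT-format keytab actually holds that principal. A keytab cut for the short name HTTP/wiki is then flagged before Apache ever logs "Server not found in Kerberos database", and a URL typed with an unqualified hostname is flagged as well, since the capture above shows the TGS-REQ naming HTTP/wiki rather than HTTP/wiki.test.lan. Assumed: the keytab bytes are constructed in memory with dummy keys; on a real server you would read /etc/http.keytab instead.

```python
import struct
from urllib.parse import urlsplit
# Enctype ids as Wireshark names them; domain_realm entries from the quoted krb5.conf.
# Everything else in this block (keytab contents, keys) is a constructed sample.
ENCTYPES = {3: "des-cbc-md5", 23: "rc4-hmac", 17: "aes128-cts", 18: "aes256-cts"}
DOMAIN_REALM = {".test.lan": "SRV.TEST.LAN", "test.lan": "SRV.TEST.LAN"}

def _cstr(b: bytes) -> bytes:               # counted octet string: uint16 len + bytes
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """Serialize (principal, realm, kvno, enctype, key) tuples as an MIT keytab v2."""
    out = bytearray(b"\x05\x02")
    for princ, realm, kvno, enctype, key in entries:
        comps = princ.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                   # 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def _read_cstr(data: bytes, pos: int):      # -> (decoded string, position after it)
    n = struct.unpack_from(">H", data, pos)[0]
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data: bytes):
    """Return one dict per live entry of an MIT keytab (magic 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size <= 0:                       # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack_from(">H", data, pos)[0]
        realm, pos = _read_cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_cstr(data, pos)
            comps.append(comp)
        vno8 = data[pos + 8]                # after name_type (4) and timestamp (4)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen                    # past vno8, enctype, keylen and the key
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(comps), "realm": realm, "kvno": kvno,
                        "enctype": ENCTYPES.get(enctype, str(enctype))})
        pos = end
    return entries

def expected_principal(url: str) -> str:
    """Principal a Negotiate client requests for the URL (port dropped, realm mapped)."""
    host = urlsplit(url).hostname.lower()   # .hostname already strips ":8080"
    if "." not in host:
        raise ValueError(f"'{host}' is not a FQDN: the TGS-REQ would name HTTP/{host}")
    for suffix, realm in DOMAIN_REALM.items():
        if host.endswith(suffix):
            return f"HTTP/{host}@{realm}"
    raise ValueError(f"no domain_realm mapping covers {host}")

def keytab_covers(url: str, keytab: bytes):
    """(ok, message): can a service ticket for this URL be decrypted with this keytab?"""
    try:
        want = expected_principal(url)
    except ValueError as err:
        return False, str(err)
    have = {f"{e['principal']}@{e['realm']}": e for e in parse_keytab(keytab)}
    if want in have:
        return True, f"{want} present (kvno {have[want]['kvno']}, {have[want]['enctype']})"
    return False, f"{want} missing; keytab holds {sorted(have)}"

KT_SHORT = build_keytab([("HTTP/wiki", "SRV.TEST.LAN", 3, 23, b"\x11" * 16)])  # constructed
KT_FQDN = build_keytab([("HTTP/wiki.test.lan", "SRV.TEST.LAN", 3, 23, b"\x11" * 16),
                        ("HTTP/wiki.test.lan", "SRV.TEST.LAN", 3, 3, b"\x22" * 8)])
```

`klist -k -e /etc/http.keytab` prints the same principal, kvno and enctype fields from the real file; whether that kvno and enctype also match the account in AD is the second half of the check and is not covered here.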
