ldap/localhost@MYSERVER.COM, Server not found in Kerberos

How is this error message to be understood? <Aug 18 11:28:18 server.wdn.com krb5kdc[118](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.7: UNKNOWN_SERVER: authtime 1124357298, diradmin@SERVER.WDN.COM for ldap/localhost@SERVER.WDN.COM, Server not found in Kerberos database>
It seems that the LDAP directory can't be found in the Kerberos realm. But Kerberos is up and running. The error message gets generated whenever I open Workgroup Manager and log in to the LDAP directory.

Can anybody shed some Light on this one?

Posted on Aug 18, 2005 9:11 AM


Aug 18, 2005 2:06 PM in response to Thomas Walser

For some reason the client is getting the incorrect name for the ldap principal when it is trying to bind to the directory; it should be (assuming that server.wdn.com is the OD Master) ldap/server.wdn.com@SERVER.WDN.COM. This may be due to a problem with the hostname being set improperly during boot. What does the default prompt in the terminal say?

HTH
- Leland

Aug 19, 2005 12:55 AM in response to Leland Wallace

It seems that the hostname is set properly. This is what the prompt in the terminal says:
<Last login: Thu Aug 18 17:23:11 on console
Welcome to Darwin!
server:~ diradmin$ hostname
server.wdn.com
server:~ diradmin$>

What is strange is that Kerberos tickets get handed over to the client but Kerberos doesn't work right (if authentication in AFP is set to Kerberos only, login to the OD Master server (home share points) is possible but there is no access to the individual Documents folder).

Aug 19, 2005 1:32 AM in response to Leland Wallace

When logging in (with Workgroup Manager) to the OD Master server from a client, the KDC log reads the following:

<Aug 19 08:34:26 server.wdn.com krb5kdc[123](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.3.21: NEEDED_PREAUTH: wdn_1@SERVER.WDN.COM for krbtgt/SERVER.WDN.COM@SERVER.WDN.COM, Additional pre-authentication required
Aug 19 08:34:26 server.wdn.com krb5kdc[123](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.3.21: ISSUE: authtime 1124433266, etypes {rep=16 tkt=16 ses=16}, wdn_1@SERVER.WDN.COM for krbtgt/SERVER.WDN.COM@SERVER.WDN.COM
Aug 19 09:18:50 server.wdn.com krb5kdc[123](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.7: NEEDED_PREAUTH: wdn_1@SERVER.WDN.COM for krbtgt/SERVER.WDN.COM@SERVER.WDN.COM, Additional pre-authentication required
Aug 19 09:18:50 server.wdn.com krb5kdc[123](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.7: ISSUE: authtime 1124435930, etypes {rep=16 tkt=16 ses=16}, wdn_1@SERVER.WDN.COM for krbtgt/SERVER.WDN.COM@SERVER.WDN.COM
Aug 19 09:18:50 server.wdn.com krb5kdc[123](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.7: UNKNOWN_SERVER: authtime 1124435930, wdn_1@SERVER.WDN.COM for ldap/server.wdn.com@SERVER.WDN.COM, Server not found in Kerberos database>

It looks like the client is getting the right name for the ldap principal - "ldap/server.wdn.com@SERVER.WDN.COM"

thomas

Aug 24, 2005 2:15 AM in response to Leland Wallace

Hello Leland, thank you for your help.
No, I cannot see the ldap principal. Below is the terminal text for "-q listprincs" for admin, diradmin & root.

Greetings from Switzerland, Thomas

--

Last login: Wed Aug 24 09:25:53 on ttyp1
Welcome to Darwin!
server:~ diradmin$ kadmin.local -q listprincs
Couldn't open log file /var/log/krb5kdc/kadmin.log: Permission denied
Authenticating as principal diradmin/admin@SERVER.WDN.COM with password.
kadmin.local: Permission denied while initializing kadmin.local interface
server:~ diradmin$

----

Last login: Wed Aug 24 09:28:41 on ttyp1
Welcome to Darwin!
server:~ wdn_admin$ kadmin.local -q listprincs
Couldn't open log file /var/log/krb5kdc/kadmin.log: Permission denied
Authenticating as principal wdn_admin/admin@SERVER.WDN.COM with password.
kadmin.local: Permission denied while initializing kadmin.local interface
server:~ wdn_admin$

----

Last login: Wed Aug 24 09:42:32 on console
Welcome to Darwin!
server:~ root# kadmin.local -q listprincs
Authenticating as principal root/admin@SERVER.WDN.COM with password.
K/M@SERVER.WDN.COM
diradmin@SERVER.WDN.COM
kadmin/admin@SERVER.WDN.COM
kadmin/changepw@SERVER.WDN.COM
kadmin/history@SERVER.WDN.COM
kadmin/server.wdn.com@SERVER.WDN.COM
krbtgt/SERVER.WDN.COM@SERVER.WDN.COM
root@SERVER.WDN.COM
vpn_752650f433c3@SERVER.WDN.COM
wdn_1@SERVER.WDN.COM
wdn_2@SERVER.WDN.COM
wdn_3@SERVER.WDN.COM
wdn_4@SERVER.WDN.COM
wdn_pb@SERVER.WDN.COM
server:~ root#

Aug 24, 2005 5:08 PM in response to Thomas Walser

ok, this looks like the rest of the services did not get set up after kerberos was configured. Possibly some sort of slapconfig error.

You will need to run the following commands as root on server:
sso_util configure -r SERVER.WDN.COM -a diradmin -p diradmin_password -v 1 all
sso_util configure -r SERVER.WDN.COM -a diradmin -p diradmin_password -v 1 ldap

diradmin_password = the password for the diradmin account.

That should populate the kerberos database with the proper principals.
You need to do the ldap one separately because it is not included in the "all" (really means all services normally used on a non-OD server) set.

HTH
- Leland

Aug 25, 2005 6:49 AM in response to Leland Wallace

Yes, this helped! Below are the results, to verify whether they are correct.

Question: What does <WARNING: no policy specified for xgrid/server.wdn.com@SERVER.WDN.COM; defaulting to no policy> mean? How or where can we specify a policy?

Question: What does <kadmin: No entry for principal ldap/server.wdn.com@SERVER.WDN.COM exists in keytab WRFILE:/etc/krb5.keytab> mean? Do we have to take care of that?

thanks, thomas

-

server:~ root# sso_util configure -r SERVER.WDN.COM -a diradmin -p diradmin_password -v 1 all
Contacting the directory server
Creating the service list
Creating the service principals
WARNING: no policy specified for xgrid/server.wdn.com@SERVER.WDN.COM; defaulting to no policy
WARNING: no policy specified for vpn/server.wdn.com@SERVER.WDN.COM; defaulting to no policy
WARNING: no policy specified for ipp/server.wdn.com@SERVER.WDN.COM; defaulting to no policy
WARNING: no policy specified for XMPP/server.wdn.com@SERVER.WDN.COM; defaulting to no policy
WARNING: no policy specified for host/server.wdn.com@SERVER.WDN.COM; defaulting to no policy
WARNING: no policy specified for smtp/server.wdn.com@SERVER.WDN.COM; defaulting to no policy
WARNING: no policy specified for http/server.wdn.com@SERVER.WDN.COM; defaulting to no policy
WARNING: no policy specified for pop/server.wdn.com@SERVER.WDN.COM; defaulting to no policy
WARNING: no policy specified for imap/server.wdn.com@SERVER.WDN.COM; defaulting to no policy
WARNING: no policy specified for ftp/server.wdn.com@SERVER.WDN.COM; defaulting to no policy
WARNING: no policy specified for afpserver/server.wdn.com@SERVER.WDN.COM; defaulting to no policy
Creating the keytab file
Configuring services
WriteSetupFile: setup file path = /temp.e4N2/setup
Unable to configure service http error = 2
Cleaning up
server:~ root# sso_util configure -r SERVER.WDN.COM -a diradmin -p diradmin_password -v 1 ldap
Contacting the directory server
Creating the service list
Creating the service principals
WARNING: no policy specified for ldap/server.wdn.com@SERVER.WDN.COM; defaulting to no policy
Creating the keytab file
kadmin: No entry for principal ldap/server.wdn.com@SERVER.WDN.COM exists in keytab WRFILE:/etc/krb5.keytab
Configuring services
WriteSetupFile: setup file path = /temp.oq0D/setup
Cleaning up
server:~ root#

server:~ root# kadmin.local -q listprincs
Authenticating as principal root/admin@SERVER.WDN.COM with password.
K/M@SERVER.WDN.COM
XMPP/server.wdn.com@SERVER.WDN.COM
afpserver/server.wdn.com@SERVER.WDN.COM
diradmin@SERVER.WDN.COM
ftp/server.wdn.com@SERVER.WDN.COM
host/server.wdn.com@SERVER.WDN.COM
http/server.wdn.com@SERVER.WDN.COM
imap/server.wdn.com@SERVER.WDN.COM
ipp/server.wdn.com@SERVER.WDN.COM
kadmin/admin@SERVER.WDN.COM
kadmin/changepw@SERVER.WDN.COM
kadmin/history@SERVER.WDN.COM
kadmin/server.wdn.com@SERVER.WDN.COM
krbtgt/SERVER.WDN.COM@SERVER.WDN.COM
ldap/server.wdn.com@SERVER.WDN.COM
pop/server.wdn.com@SERVER.WDN.COM
root@SERVER.WDN.COM
smtp/server.wdn.com@SERVER.WDN.COM
vpn/server.wdn.com@SERVER.WDN.COM
vpn_752650f433c3@SERVER.WDN.COM
wdn_1@SERVER.WDN.COM
wdn_2@SERVER.WDN.COM
wdn_3@SERVER.WDN.COM
wdn_4@SERVER.WDN.COM
wdn_pb@SERVER.WDN.COM
xgrid/server.wdn.com@SERVER.WDN.COM
server:~ root#

Aug 25, 2005 2:00 PM in response to Thomas Walser

Question: What does <WARNING: no policy specified for xgrid/server.wdn.com@SERVER.WDN.COM; defaulting to no policy> mean?

The sso tools do not specify a policy when creating principals. The policy is a Kerberos attribute of the principal, look at the man page for kadmin.

How or where can we specify a policy?

You can edit it using kadmin, but you shouldn't need to, the policies in Mac OS X server are enforced by the Password server instead of the kdc.
more info is available at
http://web.mit.edu/kerberos/www/krb5-1.4/krb5-1.4.2/doc/krb5-admin/index.html

Question: What does <kadmin: No entry for principal ldap/server.wdn.com@SERVER.WDN.COM exists in keytab WRFILE:/etc/krb5.keytab> mean?

This one is a bit more interesting, probably an artifact of a race condition in the tools. It looks like the ldap key entry did not make it into the keytab.

Do we have to take care of that?

Yes.

First verify that the entry really is missing:
as root on server: klist -k
You should see three entries for each service principal; is ldap/server.wdn.com@SERVER.WDN.COM present?

If it is not present then you will need to add it manually:
kadmin.local -q ktadd -k /etc/krb5.keytab ldap/server.wdn.com@SERVER.WDN.COM

Then verify that it worked with klist -k again.

HTH
- Leland
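The keytab check Leland describes (every service principal present, three entries each) can be automated over the `klist -k` listing. The following is an added example, not code from the thread or from Apple's tools: it parses a constructed `klist -k` listing in the same format the thread shows, reports required principals that are absent or have fewer entries than expected, and builds the `kadmin.local` remediation commands for the missing ones (the query is quoted as a single argument, which is how `kadmin -q` takes it). The principal list, the expected entry count of 3 and the sample output are assumptions taken from this thread.

```python
"""Check a `klist -k` listing for the service principals an OD master needs.

Added example, not from the thread. SAMPLE_KLIST is constructed in the
format the thread's klist -k output uses; the ldap entries are deliberately
left out and afpserver has only two entries so the check has findings.
"""
import re
from collections import Counter

# Constructed sample output (not captured from a real server).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server.wdn.com@SERVER.WDN.COM
   3 host/server.wdn.com@SERVER.WDN.COM
   3 host/server.wdn.com@SERVER.WDN.COM
   3 afpserver/server.wdn.com@SERVER.WDN.COM
   3 afpserver/server.wdn.com@SERVER.WDN.COM
"""

# Principals this host is expected to carry (assumed, taken from the thread).
REQUIRED = [
    "host/server.wdn.com@SERVER.WDN.COM",
    "afpserver/server.wdn.com@SERVER.WDN.COM",
    "ldap/server.wdn.com@SERVER.WDN.COM",
]

# One keytab entry per line: a KVNO followed by the principal name.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_klist(text):
    """Return (kvno, principal) pairs; header and ruler lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def keytab_report(text, required, expected_entries=3):
    """Compare a klist -k listing against the principals the host must have.

    missing: required principals with no entry at all (the ldap case above)
    short:   required principals present with fewer than expected_entries keys
    """
    counts = Counter(p for _, p in parse_klist(text))
    return {
        "missing": [p for p in required if counts[p] == 0],
        "short": {p: counts[p] for p in required
                  if 0 < counts[p] < expected_entries},
    }


def ktadd_commands(missing, keytab="/etc/krb5.keytab"):
    """Build the kadmin.local ktadd command for each missing principal."""
    return ['kadmin.local -q "ktadd -k %s %s"' % (keytab, p) for p in missing]


if __name__ == "__main__":
    report = keytab_report(SAMPLE_KLIST, REQUIRED)
    print("missing:", report["missing"])
    print("short:", report["short"])
    for cmd in ktadd_commands(report["missing"]):
        print("fix:", cmd)
```

On a live server the listing comes from `klist -k` run as root; feed its stdout to `keytab_report` and re-run after `ktadd` until both lists are empty.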

Aug 26, 2005 12:54 AM in response to Leland Wallace

"klist -k" shows all necessary entries

-

Last login: Fri Aug 26 08:17:45 on console
Welcome to Darwin!
server:~ root# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 xgrid/server.wdn.com@SERVER.WDN.COM
3 xgrid/server.wdn.com@SERVER.WDN.COM
3 xgrid/server.wdn.com@SERVER.WDN.COM
3 vpn/server.wdn.com@SERVER.WDN.COM
3 vpn/server.wdn.com@SERVER.WDN.COM
3 vpn/server.wdn.com@SERVER.WDN.COM
3 ipp/server.wdn.com@SERVER.WDN.COM
3 ipp/server.wdn.com@SERVER.WDN.COM
3 ipp/server.wdn.com@SERVER.WDN.COM
3 XMPP/server.wdn.com@SERVER.WDN.COM
3 XMPP/server.wdn.com@SERVER.WDN.COM
3 XMPP/server.wdn.com@SERVER.WDN.COM
3 host/server.wdn.com@SERVER.WDN.COM
3 host/server.wdn.com@SERVER.WDN.COM
3 host/server.wdn.com@SERVER.WDN.COM
3 smtp/server.wdn.com@SERVER.WDN.COM
3 smtp/server.wdn.com@SERVER.WDN.COM
3 smtp/server.wdn.com@SERVER.WDN.COM
3 http/server.wdn.com@SERVER.WDN.COM
3 http/server.wdn.com@SERVER.WDN.COM
3 http/server.wdn.com@SERVER.WDN.COM
3 pop/server.wdn.com@SERVER.WDN.COM
3 pop/server.wdn.com@SERVER.WDN.COM
3 pop/server.wdn.com@SERVER.WDN.COM
3 imap/server.wdn.com@SERVER.WDN.COM
3 imap/server.wdn.com@SERVER.WDN.COM
3 imap/server.wdn.com@SERVER.WDN.COM
3 ftp/server.wdn.com@SERVER.WDN.COM
3 ftp/server.wdn.com@SERVER.WDN.COM
3 ftp/server.wdn.com@SERVER.WDN.COM
3 afpserver/server.wdn.com@SERVER.WDN.COM
3 afpserver/server.wdn.com@SERVER.WDN.COM
3 afpserver/server.wdn.com@SERVER.WDN.COM
3 ldap/server.wdn.com@SERVER.WDN.COM
3 ldap/server.wdn.com@SERVER.WDN.COM
3 ldap/server.wdn.com@SERVER.WDN.COM
server:~ root#

-

Server reboot to verify the error message: everything seems to be OK, the error message does not appear anymore.

thank you for your help

thomas

Aug 26, 2005 7:52 AM in response to Leland Wallace

You will need to run the following commands as root on server:
sso_util configure -r SERVER.WDN.COM -a diradmin -p diradmin_password -v 1 all
sso_util configure -r SERVER.WDN.COM -a diradmin -p diradmin_password -v 1 ldap

I tried this and got the following. any thoughts?

kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface
SendInteractiveCommand: failed to get pattern
kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface
SendInteractiveCommand: failed to get pattern
kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface
SendInteractiveCommand: failed to get pattern
kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface
SendInteractiveCommand: failed to get pattern
kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface
SendInteractiveCommand: failed to get pattern
kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface
SendInteractiveCommand: failed to get pattern
kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface
SendInteractiveCommand: failed to get pattern
kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface
SendInteractiveCommand: failed to get pattern
kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface
SendInteractiveCommand: failed to get pattern
kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface
SendInteractiveCommand: failed to get pattern
kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface
SendInteractiveCommand: failed to get pattern

Aug 30, 2005 3:36 PM in response to Ed Hammond

I had a similar problem as the original poster and I tried the two commands:

sso_util configure -r G4SERVER.RFN.DK -a diradmin -p diradmin_password -v 1 all
sso_util configure -r G4SERVER.RFN.DK -a diradmin -p diradmin_password -v 1 ldap

My server's FQDN is g4server.rfn.dk and that's also the name of the Kerberos realm. Unfortunately it seems like something is now messed up.

When trying
# sudo kadmin.local -q listprincs
I get this:
kadmin.local: Unknown credential cache type while opening default credentials cache

If I instead try
# sudo kadmin.local -c
and then listprincs, then I get the same list as "sudo kadmin.local -q listprincs" gave me before I tried the "sso_util" commands:
kadmin.local: listprincs
K/M@G4SERVER.RFN.DK
XMPP/@G4SERVER.RFN.DK
XMPP/g4server.rfn.dk@G4SERVER.RFN.DK
afpserver/@G4SERVER.RFN.DK
afpserver/g4server.rfn.dk@G4SERVER.RFN.DK
christian@G4SERVER.RFN.DK
clm@G4SERVER.RFN.DK
diradmin@G4SERVER.RFN.DK
ftp/@G4SERVER.RFN.DK
ftp/g4server.rfn.dk@G4SERVER.RFN.DK
ftpuser@G4SERVER.RFN.DK
host/@G4SERVER.RFN.DK
host/g4server.rfn.dk@G4SERVER.RFN.DK
http/@G4SERVER.RFN.DK
http/g4server.rfn.dk@G4SERVER.RFN.DK
imap/@G4SERVER.RFN.DK
imap/g4server.rfn.dk@G4SERVER.RFN.DK
ipp/@G4SERVER.RFN.DK
ipp/g4server.rfn.dk@G4SERVER.RFN.DK
jacob@G4SERVER.RFN.DK
jens@G4SERVER.RFN.DK
kadmin/admin@G4SERVER.RFN.DK
kadmin/changepw@G4SERVER.RFN.DK
kadmin/g4server.rfn.dk@G4SERVER.RFN.DK
kadmin/history@G4SERVER.RFN.DK
knud@G4SERVER.RFN.DK
krbtgt/G4SERVER.RFN.DK@G4SERVER.RFN.DK
ldap/@G4SERVER.RFN.DK
ldap/g4server.rfn.dk@G4SERVER.RFN.DK
mn@G4SERVER.RFN.DK
morten@G4SERVER.RFN.DK
ole@G4SERVER.RFN.DK
pia@G4SERVER.RFN.DK
pop/@G4SERVER.RFN.DK
pop/g4server.rfn.dk@G4SERVER.RFN.DK
rfn@G4SERVER.RFN.DK
rikke@G4SERVER.RFN.DK
ruth@G4SERVER.RFN.DK
smtp/@G4SERVER.RFN.DK
smtp/g4server.rfn.dk@G4SERVER.RFN.DK
tove@G4SERVER.RFN.DK
trine@G4SERVER.RFN.DK
vpn/@G4SERVER.RFN.DK
vpn/g4server.rfn.dk@G4SERVER.RFN.DK
vpn_b14fc0c89996@G4SERVER.RFN.DK
xgrid/@G4SERVER.RFN.DK
xgrid/g4server.rfn.dk@G4SERVER.RFN.DK

But something has changed in the list. All the services are now listed twice; one which looks ok (like vpn/g4server.rfn.dk@G4SERVER.RFN.DK) and one which looks odd (like vpn/@G4SERVER.RFN.DK). The latter was added to the list after running the sso_util commands. What are those entries and how do I get rid of them?

I'm a Kerberos newbie and probably shouldn't have messed around with this. I hope that some of you can help me!

Regards,
René Frej Nielsen

Aug 31, 2005 3:00 PM in response to Thomas Walser

Hi there... I thought I would just add to the confusion in hopes that the Kerberos gurus will help me too.

My server is giving a similar error to the original poster's. Here it is:

Aug 23 16:35:23 Server-Name DirectoryService[39]: GSSAPI Error: Miscellaneous failure (Server not found in Kerberos database)

My principals are as follows. This is taken from my ODM. I have an ODR. I am concerned about several principals below, generally the ones listing the realm twice.

K/M@ODM.DOMAIN.COM
XMPP/replica.domain.com@ODM.DOMAIN.COM
XMPP/odm.domain.com@ODM.DOMAIN.COM
afpserver/replica.domain.com@ODM.DOMAIN.COM
afpserver/odm.domain.com@ODM.DOMAIN.COM
diradmin@ODM.DOMAIN.COM
file-server@ODM.DOMAIN.COM
ftp/replica.domain.com@ODM.DOMAIN.COM
ftp/odm.domain.com@ODM.DOMAIN.COM
host/replica.domain.com@ODM.DOMAIN.COM
host/odm.domain.com@ODM.DOMAIN.COM
http/replica.domain.com@ODM.DOMAIN.COM
http/odm.domain.com@ODM.DOMAIN.COM
imap/replica.domain.com@ODM.DOMAIN.COM
imap/odm.domain.com@ODM.DOMAIN.COM
ipp/replica.domain.com@ODM.DOMAIN.COM
ipp/odm.domain.com@ODM.DOMAIN.COM
kadmin/admin@ODM.DOMAIN.COM
kadmin/changepw@ODM.DOMAIN.COM
kadmin/odm.domain.com@ODM.DOMAIN.COM
kadmin/history@ODM.DOMAIN.COM
krbtgt/ODM.DOMAIN.COM@ODM.DOMAIN.COM
kris@ODM.DOMAIN.COM
ldap/replica.domain.com@ODM.DOMAIN.COM
ldap/odm.domain.com@ODM.DOMAIN.COM
pop/replica.domain.com@ODM.DOMAIN.COM
pop/odm.domain.com@ODM.DOMAIN.COM
smtp/replica.domain.com@ODM.DOMAIN.COM
smtp/odm.domain.com@ODM.DOMAIN.COM
vpn/replica.domain.com@ODM.DOMAIN.COM
vpn/odm.domain.com@ODM.DOMAIN.COM
vpn_9bc98095d184@ODM.DOMAIN.COM
vpn_cbd93b69593a@ODM.DOMAIN.COM
vpn_fdc4f6f2b1eb@ODM.DOMAIN.COM
xgrid/replica.domain.com@ODM.DOMAIN.COM
xgrid/odm.domain.com@ODM.DOMAIN.COM

Thanks a million.

Sep 2, 2005 9:22 PM in response to Subliminal

It looks like you have two servers: one called odm.domain.com and one called replica.domain.com. Each service on each server has its own service principal. This is normal.

As to the "Server not found in Kerberos database" error, you need to look at the KDC log file to see exactly which principal is going missing. If it is the ldap one (way too common for my tastes), try to figure out why the machine is getting its hostname messed up.

You may try editing /etc/hostconfig, replacing the HOSTNAME=-AUTOMATIC- line with HOSTNAME=fully.qualified.domain.of.the.host
and see if that fixes the "localhost" problem.

HTH
- Leland

Sep 2, 2005 9:29 PM in response to Rene Frej Nielsen

It looks like you ran into a bug with the sso_util tools where the hostname returned from the OS is blank, and it ignores the error and goes on to make the bad principals such as vpn/@G4SERVER.RFN.DK.

You can remove the bad principals using kadmin.local (see the man page)
kadmin.local -q delete_principal vpn/@G4SERVER.RFN.DK pop/@G4SERVER.RFN.DK ...

You may try editing /etc/hostconfig, replacing the HOSTNAME=-AUTOMATIC- line with HOSTNAME=fully.qualified.domain.of.the.host
and see if that fixes the "localhost" problem.

HTH
- Leland
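Leland's two replies above both come down to reading the KDC log for the UNKNOWN_SERVER line and looking at the host part of the requested principal: `localhost` points at the boot-time hostname problem, a blank host at the sso_util hostname bug, and a correctly formed name at a principal that was simply never created. The following is an added example, not code from the thread or from Apple: it parses constructed krb5kdc log lines in the format the thread's excerpts use and maps each UNKNOWN_SERVER event to one of those three diagnoses. The first two sample lines copy principals seen in the thread; the `afpserver/@SERVER.WDN.COM` line is invented to exercise the blank-host case, and the diagnosis strings are this example's own wording.

```python
"""Triage krb5kdc log lines for "Server not found in Kerberos database".

Added example, not code from the thread. SAMPLE_KDC_LOG is constructed in
the format of the KDC log excerpts in the thread.
"""
import re
from collections import Counter

# Constructed sample log (not a capture from a real KDC).
SAMPLE_KDC_LOG = """\
Aug 19 09:18:50 server.wdn.com krb5kdc[123](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.7: ISSUE: authtime 1124435930, etypes {rep=16 tkt=16 ses=16}, wdn_1@SERVER.WDN.COM for krbtgt/SERVER.WDN.COM@SERVER.WDN.COM
Aug 18 11:28:18 server.wdn.com krb5kdc[118](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.7: UNKNOWN_SERVER: authtime 1124357298, diradmin@SERVER.WDN.COM for ldap/localhost@SERVER.WDN.COM, Server not found in Kerberos database
Aug 19 09:18:50 server.wdn.com krb5kdc[123](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.7: UNKNOWN_SERVER: authtime 1124435930, wdn_1@SERVER.WDN.COM for ldap/server.wdn.com@SERVER.WDN.COM, Server not found in Kerberos database
Aug 30 10:00:00 server.wdn.com krb5kdc[123](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.9: UNKNOWN_SERVER: authtime 1125388800, wdn_2@SERVER.WDN.COM for afpserver/@SERVER.WDN.COM, Server not found in Kerberos database
"""

# Matches only the UNKNOWN_SERVER lines; ISSUE / NEEDED_PREAUTH lines are skipped.
UNKNOWN_SERVER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<kdc>\S+)\s+krb5kdc\[\d+\]\(\w+\):\s+"
    r"(?P<req>AS_REQ|TGS_REQ)\s+\(.*?\)\s+(?P<client_ip>[\d.]+):\s+UNKNOWN_SERVER:\s+"
    r"authtime\s+\d+,\s+(?P<client>[^,\s]+)\s+for\s+(?P<server>[^,\s]+),"
    r"\s+Server not found in Kerberos database\s*$"
)

# Diagnosis codes and the thread's advice for each (wording is this example's).
ADVICE = {
    "localhost": "client resolved the server as localhost; check the hostname at boot / HOSTNAME in /etc/hostconfig",
    "blank-host": "host part is empty; the OS returned a blank hostname when the principal name was built",
    "missing": "well-formed name but no such principal in the KDB; the service principals were never created",
    "not-a-service": "requested principal has no service/host form; not a service principal problem",
}


def classify(server_principal):
    """Return the diagnosis code for the principal the client asked for."""
    if "/" not in server_principal:
        return "not-a-service"
    host = server_principal.split("/", 1)[1].split("@", 1)[0]
    if host == "localhost":
        return "localhost"
    if host == "":
        return "blank-host"
    return "missing"


def unknown_server_events(log_text):
    """Extract every UNKNOWN_SERVER event with its client, server and diagnosis."""
    events = []
    for line in log_text.splitlines():
        m = UNKNOWN_SERVER_RE.match(line)
        if not m:
            continue
        code = classify(m.group("server"))
        events.append({
            "ts": m.group("ts"),
            "client_ip": m.group("client_ip"),
            "client": m.group("client"),
            "server": m.group("server"),
            "reason": code,
            "advice": ADVICE[code],
        })
    return events


def summarize(events):
    """Count failures per requested principal, so the noisy one stands out."""
    return Counter(e["server"] for e in events)


if __name__ == "__main__":
    found = unknown_server_events(SAMPLE_KDC_LOG)
    for e in found:
        print("%s %s -> %s [%s]: %s" % (e["ts"], e["client"], e["server"], e["reason"], e["advice"]))
    print(summarize(found))
```

Run it against `/var/log/krb5kdc/kdc.log` (path assumed) by reading the file into `unknown_server_events`; the `reason` field tells you whether to look at the hostname on the client side or at the principal list on the KDC.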
