
GSSAPI Error: Server not found in Kerberos database

Hi all

For about 3 days now I've been seeing this error message in system.log every 3 minutes:

DirectoryService: GSSAPI Error: Miscellaneous failure (Server not found in Kerberos database)

This happens on a fileserver which is connected to an OD server.

I did a search in this forum and found one thread about it. The advice there was to look in kdc.log to see which principal is failing - but I don't have a kdc.log. The other tip was to use kadmin to get a list of the principals by using

kadmin.local -q listprincs

but what I get instead of this list is:

Authenticating as principal xyz/admin@my.od-server.xx with password.
kadmin.local: No such file or directory while initializing kadmin.local interface

It seems that some file is missing, which would explain why DirectoryService can't find the server in the database... I have to confess that I have no idea as to how Kerberos works or how to configure it.

Authentication against the OD server is working fine, it's just that the errors in the log are getting on my nerves, and they make it difficult to find other, more important messages in system.log.


Thanks, Tina

G5 Dual 1.8, 23'' Cinema Display, Mac OS X (10.4.5), iMac G4/800, iBook G3/700, G4/400, iBook G3/366, iMac G3/233, PM 7200, Mac SE

Posted on Mar 21, 2006 12:45 AM

Question marked as Best reply

Posted on Mar 21, 2006 12:55 PM

The kdc.log file should be on the OD master in /var/log/krb5kdc/kdc.log.

On your server (the one with the disturbing log entries) check to see if you have an /Library/Preferences/edu.mit.Kerberos file. Also look for an /etc/krb5.keytab file. You can do a klist -k (as root) to see the contents of the keytab file. You should see three entries for each service.

The kadmin.local command needs to be run on the OD Master.

Hope this gets you started
- Leland

DP G4 Mac OS X (10.4.2)

Mar 22, 2006 12:39 AM in response to Leland Wallace

Ah, I see, the kdc.log is on the OD server, not on the file server where I was looking for it.

OK, in the kdc logfile I have a lot of entries like these ones:

Mar 22 09:18:35 zool09.abc.xy krb5kdc[218](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.23: UNKNOWN_SERVER: authtime 1143003387, zds02@ZOOL09.ABC.XY for krbtgt/ABC.XY@ZOOL09.ABC.XY, Server not found in Kerberos database

Mar 22 09:19:20 zool09.abc.xy krb5kdc[218](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.11: NEEDED_PREAUTH: zds01@ZOOL09.ABC.XY for krbtgt/ZOOL09.ABC.XY@ZOOL09.ABC.XY, Additional pre-authentication required

Mar 22 09:19:20 zool09.abc.xy krb5kdc[218](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.11: ISSUE: authtime 1143015560, etypes {rep=16 tkt=16 ses=16}, zds01@ZOOL09.ABC.XY for krbtgt/ZOOL09.ABC.XY@ZOOL09.ABC.XY

Mar 22 09:19:20 zool09.abc.xy krb5kdc[218](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.11: UNKNOWN_SERVER: authtime 1143001370, zds01@ZOOL09.ABC.XY for krbtgt/ZOOL09.ABC.XYusers@ZOOL09.ABC.XY, Server not found in Kerberos database

Mar 22 09:19:20 zool09.abc.xy krb5kdc[218](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.11: UNKNOWN_SERVER: authtime 1143001370, zds01@ZOOL09.ABC.XY for krbtgt/ABC.XYusers@ZOOL09.ABC.XY, Server not found in Kerberos database

What do they mean? I didn't set up Kerberos authentication, and I think I don't need it; is there any way to disable it? Or am I using it without knowing it?

- see if you have an /Library/Preferences/edu.mit.Kerberos file
- Also look for an /etc/krb5.keytab file

Yes, I have both of them.

kadmin.local -q listprincs on the OD server gives me a long list of computers, users and services like this:

computer_name@ZOOL09.ABC.XY
user_name@ZOOL09.ABC.XY
afpserver/zool09.abc.xy@ZOOL09.ABC.XY

I don't know what these all mean... could you give me a brief explanation?

Thanks, Tina

Mar 22, 2006 1:48 PM in response to Tina Siegenthaler

Ah, I see, the kdc.log is on the OD server, not on the file server where I was looking for it.

OK, in the kdc logfile I have a lot of entries like these ones:

Kerberos is an auth system where the user authenticates to the kdc and is issued a TGT (Ticket Granting Ticket). The user then presents their TGT and a service principal (Kerberos name of a server) to the kdc to get a service ticket. The user then sends the service ticket to the server who lets the user in.

Some interpretation:
Mar 22 09:18:35 zool09.abc.xy krb5kdc[218](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.23: UNKNOWN_SERVER: authtime 1143003387, zds02@ZOOL09.ABC.XY for krbtgt/ABC.XY@ZOOL09.ABC.XY, Server not found in Kerberos database


This (TGS_REQ) is a request for a service ticket from 130.60.23.23 using the TGT owned by zds02@ZOOL09.ABC.XY, to get a service ticket for krbtgt/ABC.XY@ZOOL09.ABC.XY. It looks like krbtgt/ABC.XY@ZOOL09.ABC.XY is not in your kdc's database. This looks like a cross-realm request. If you are also connected to an Active Directory system you might see something like this.

Mar 22 09:19:20 zool09.abc.xy krb5kdc[218](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.11: NEEDED_PREAUTH: zds01@ZOOL09.ABC.XY for krbtgt/ZOOL09.ABC.XY@ZOOL09.ABC.XY, Additional pre-authentication required

Mar 22 09:19:20 zool09.abc.xy krb5kdc[218](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.11: ISSUE: authtime 1143015560, etypes {rep=16 tkt=16 ses=16}, zds01@ZOOL09.ABC.XY for krbtgt/ZOOL09.ABC.XY@ZOOL09.ABC.XY


The AS_REQs above are the two-step authentication process for user zds01@ZOOL09.ABC.XY from 130.60.23.11.

Mar 22 09:19:20 zool09.abc.xy krb5kdc[218](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.11: UNKNOWN_SERVER: authtime 1143001370, zds01@ZOOL09.ABC.XY for krbtgt/ZOOL09.ABC.XYusers@ZOOL09.ABC.XY, Server not found in Kerberos database


This is another service ticket request. Though the requested service principal looks malformed, I would look for something misconfigured on 130.60.23.11.
Possibly watch what user zds01 is doing during login to get some idea of what's going on.

Mar 22 09:19:20 zool09.abc.xy krb5kdc[218](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.11: UNKNOWN_SERVER: authtime 1143001370, zds01@ZOOL09.ABC.XY for krbtgt/ABC.XYusers@ZOOL09.ABC.XY, Server not found in Kerberos database


Same as above.

What do they mean? I didn't set up Kerberos authentication, and I think I don't need it; is there any way to disable it? Or am I using it without knowing it?


When you set up the OD Master, a kdc & the needed files were set up to allow single sign on to all the kerberized services in the system.

- see if you have an /Library/Preferences/edu.mit.Kerberos file
- Also look for an /etc/krb5.keytab file

Yes, I have both of them.

kadmin.local -q listprincs on the OD server gives me a long list of computers, users and services like this:

I don't know what these all mean... could you give me a brief explanation?

computer_name@ZOOL09.ABC.XY

When you create a computer record in Workgroup Manager a generic principal name is added to the kdc for that computer. It is related to the host/computer_name@REALM service principal for servers.

user_name@ZOOL09.ABC.XY

This is a user principal (this is the account name for the user in the Kerberos system). Sometimes you will see user/admin@REALM.

afpserver/zool09.abc.xy@ZOOL09.ABC.XY

This is a service principal. They usually are in the form service type/server_dnsname@REALM

One of the things that Kerberos is very sensitive to is correct DNS configuration. You need to have both forward (name -> IP) and reverse (IP -> name) DNS set up for all the servers in your realm.

Hope this helps
- Leland



DP G4 Mac OS X (10.4.5)
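As an added illustration of reading these kdc.log records (it is not code from the thread or from Apple), here is a small parser that pulls the request type, client IP, client principal and service principal out of each krb5kdc line, explains the UNKNOWN_SERVER cases along the lines of the reply above, and tallies them per source IP so the misconfigured host stands out. The sample lines are the ones quoted earlier in the thread; the assumption that a realm name is all upper case (used to spot the malformed krbtgt/ABC.XYusers principal) is a heuristic of this example.

```python
import re
from collections import Counter

# Five kdc.log lines copied from the excerpt earlier in this thread.
SAMPLE_KDC_LOG = [
    "Mar 22 09:18:35 zool09.abc.xy krb5kdc[218](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.23: UNKNOWN_SERVER: authtime 1143003387, zds02@ZOOL09.ABC.XY for krbtgt/ABC.XY@ZOOL09.ABC.XY, Server not found in Kerberos database",
    "Mar 22 09:19:20 zool09.abc.xy krb5kdc[218](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.11: NEEDED_PREAUTH: zds01@ZOOL09.ABC.XY for krbtgt/ZOOL09.ABC.XY@ZOOL09.ABC.XY, Additional pre-authentication required",
    "Mar 22 09:19:20 zool09.abc.xy krb5kdc[218](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.11: ISSUE: authtime 1143015560, etypes {rep=16 tkt=16 ses=16}, zds01@ZOOL09.ABC.XY for krbtgt/ZOOL09.ABC.XY@ZOOL09.ABC.XY",
    "Mar 22 09:19:20 zool09.abc.xy krb5kdc[218](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.11: UNKNOWN_SERVER: authtime 1143001370, zds01@ZOOL09.ABC.XY for krbtgt/ZOOL09.ABC.XYusers@ZOOL09.ABC.XY, Server not found in Kerberos database",
    "Mar 22 09:19:20 zool09.abc.xy krb5kdc[218](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.11: UNKNOWN_SERVER: authtime 1143001370, zds01@ZOOL09.ABC.XY for krbtgt/ABC.XYusers@ZOOL09.ABC.XY, Server not found in Kerberos database",
]

# MIT krb5kdc request record: timestamp, host, pid, request type, client IP, status code, then "<client> for <service>".
KDC_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
PRINC_RE = re.compile(r"(?P<client>\S+@\S+) for (?P<server>[^\s,]+)")


def parse_kdc_line(line):
    """Return the fields of one kdc.log request record, or None if the line is not one."""
    m = KDC_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    p = PRINC_RE.search(rec.pop("rest"))
    rec["client"], rec["server"] = (p.group("client"), p.group("server")) if p else (None, None)
    return rec


def classify_unknown_server(rec):
    """Explain an UNKNOWN_SERVER record the way the reply above does; None for other statuses."""
    if rec["status"] != "UNKNOWN_SERVER" or not rec["server"]:
        return None
    name, _, realm = rec["server"].rpartition("@")
    service, _, instance = name.partition("/")
    if service != "krbtgt":
        return f"service principal {rec['server']} not in KDC (check keytab and DNS)"
    # Heuristic (assumption of this example): realm names are upper case, so lower-case characters
    # glued onto the realm (ZOOL09.ABC.XYusers) mark the malformed requests coming from 130.60.23.11.
    if instance != instance.upper():
        return f"malformed cross-realm TGT request for realm '{instance}'"
    if instance != realm:
        return f"cross-realm TGT request for realm {instance} (no such principal in KDC)"
    return "own-realm TGT principal missing from KDC database"


def summarize(lines):
    """Count UNKNOWN_SERVER causes per client IP so the misconfigured host stands out."""
    recs = [r for r in map(parse_kdc_line, lines) if r]
    return Counter((r["ip"], why) for r in recs if (why := classify_unknown_server(r)))
```

Running summarize() over a real kdc.log shows which client IPs keep asking for principals the KDC does not have, which is the host to look at first.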

Mar 23, 2006 3:36 AM in response to Leland Wallace

Hi Leland

Thanks very much for this detailed explanation! Now I know at least what Kerberos is good for and how it works.

The problem of the error messages has solved itself... I noticed that I had these also on the second fileserver, until I had to do a restart for some other reason. After that, the messages were gone. So I restarted the first fileserver, too, and indeed, I got rid of the errors.

The question remains, though, as to what caused the errors, and whether they're really gone or if they will reappear at some time in the future.

Thanks again for your help,

Tina
