Zharovsky Evgeniy wrote:
>> You should not need these.

>
> Ok.
>
>
>> Some things to try:
>>
>> Wireshare or other trace program to see DNS and Kerberos requests.
>> This should show name of the "Server not found in Kerberos database"

>
> I captured the request dialog with wireshark and got this (the things I think
> are important):
>
> MSG Type: KRB-ERROR
> Error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
> Realm: EXAMPLE.COM
> Server Name (Unknown): krbtgt/COM
> Name-type: Unknown (0)
> Name: krbtgt
> Name: COM


This looks like cross realm, where the client is working its way up the realm
tree to get the the realm of the server, say AD.DOMAIN.COM. Client is using TGT
from EXAMPLE.COM to get TGT for realm COM (which does not exist) If it did, it
would then try and get a TGT from COM for DOMAIN.COM, then get one from
AD.DOMAIN.COM and the get service ticket from AD.DOMAIN.COM.

I thought you where trying to use Active Directory, and the domain name
was something like ad.domain.com. So why does you unix system have
a realm named EXAMPLE.COM? Have you setup cross realm trust between them?

If you are not using cross-real, then you should be using the AD domain name as
the realm name. It should have a realm named AD.DOMAIN.COM.

Either the user and server must be in the same realm, or you need cross realm
trust.

I am assuming that you do not wish to reveal the actual names of the host,
realms and AD domain you are using. This makes it very difficult to see what
the real problem is.

> I guess that indicates an error in my krbtgt setup. But where should I search
> for it and what does the right setup look like?
>
>> On the unix side, do you have a /etc/krb5.conf or /etc/krb5.conf?
>> Is the default realm (in uppercase) the same as the AD domain name?
>> if not, you may need a krb5.conf, or the -R option on ldapsearch.

>
> Yes, I do have a krb5.conf on the unix side. Here it is:
>
> [libdefaults]
> default_realm=EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
> # default_tkt_enctypes = des-cbc-md5 des-cbc-crc
> # default_tgs_enctypes = des-cbc-md5 des-cbc-crc
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
> # v4_instance_resolve = false
> # v4_name_convert = {
> [realms]
> EXAMPLE.COM = {
> kdc = 192.168.10.4:88
> admin_server = 192.168.10.4:749
> }
> [domain_realm]
> .example.com = EXAMPLE.COM


By default Kerberos will take a host name, and strip off the
short name, and use the domain name as a realm name for the host.
So add the other domains and or hosts here too.

>
> As you can see, it is a setup for some tests...
> -----------------
>
> Evgeniy Zharovsky
>
> Ludwig-Maximilians-Universitaet
> Ref. IIIA5 (Sicherheitstechnik und Verzeichnisdienste)
> Martiusstr. 4 / 207
> 80539 Muenchen
>
> email mailto:evgeniy.zharovsky@verwaltung.uni-muenchen.de
>
>


--

Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444