Server not found in Kerberos database while getting a service url ticket - Kerberos


  1. Server not found in Kerberos database while getting a service url ticket

    hello,
    I have added to my kerberos database the following principal:
    "http://localhost:8080/axis/services/test" .
    (It's in a url format instead of being in the format:
    service/host@REALM.)
    So, the thing is that I would like to acquire a service ticket for that
    principal.
    To request a service ticket I am using gss api and follow the next
    steps:

    class KrbClient{
        main(){
            .....
            //I have acquired the credentials from the ticket cache
            ....
            PrincipalName serviceName = new PrincipalName("http://localhost:8080/axis/services/test");

            // create the tgs_req to ask for service tickets
            sun.security.krb5.KrbTgsReq tgs_req = new sun.security.krb5.KrbTgsReq(credentials, serviceName);

            tgs_req.send();

            // get tgs_rep
            KrbTgsRep tgs_rep = tgs_req.getReply();
        }
    }

    and it gets the following error:

    KrbException: Server not found in Kerberos database (7)
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:67)
        at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:235)
        at KrbClient.requestServiceTicket(KrbClient.java:142)
        at KrbClient.main(KrbClient.java:39)
    Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:134)
        at sun.security.krb5.internal.TGSRep.init(TGSRep.java:59)
        at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:54)
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:50)
        ... 3 more

    From the debugging of gss api:
    >>>KRBError:

    sTime is Mon May 22 19:07:26 EEST 2006 1148314046000
    suSec is 722233
    error code is 7
    error Message is Server not found in Kerberos database
    crealm is GRID.ORG
    cname is vpouli
    realm is GRID.ORG
    sname is http://localhost:8080/axis/services/test

    From the kdc log file:

    2006-05-22T19:40:59 TGS-REQ vpouli@GRID.ORG from IPv4:147.102.183.137 for http:/\/localhost:8080/axis/services/test@GRID.ORG
    2006-05-22T19:40:59 Server not found in database: http:/\/localhost:8080/axis/services/test@GRID.ORG: No such entry in the database
    2006-05-22T19:40:59 sending 155 bytes to IPv4:147.102.183.137

    What I see, is that when I request a ticket for a service principal
    which contains "//" (like in http://localhost....) it puts an escape
    character '\' between '//' and tries to find "http:/\/localhost..."
    instead of "http://localhost....".

    Is there something I can do about it?


  2. Re: Server not found in Kerberos database while getting a service url ticket

    >>>>> "vpouli" == vpouli writes:

    vpouli> hello, I have added to my kerberos database the following
    vpouli> principal: "http://localhost:8080/axis/services/test" . (It's
    vpouli> in a url format instead of being in the format:
    vpouli> service/host@REALM.)

    That is not a principal name -- at least, not one you can use; it has 6
    instances, one of which is null.

    The usual service principal for an HTTP server is HTTP/fqdn@REALM.

    --
    Richard Silverman
    res@qoxp.net


  3. Re: Server not found in Kerberos database while getting a service url ticket



    vpouli wrote:

    > hello,
    > I have added to my kerberos database the following principal:
    > "http://localhost:8080/axis/services/test" .
    > (It's in a url format instead of being in the format:
    > service/host@REALM.)


    Even if you could add this, the use of localhost is relative to the
    local host and is not unique. Principals normally have service/FQDN@realm.

    What you should be using is HTTP/your.full.host.name


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444


  4. Re: Server not found in Kerberos database while getting a service url ticket

    I didn't put "localhost", I put my.full.host.name. I just put
    'localhost' here for showing an example. I didn't want to stand on
    that, I just wanted to ask if there is a way to ask for a service
    ticket when the service contains '//' like in http://fqdn/service.


  5. Re: Server not found in Kerberos database while getting a service url ticket

    >>>>> "vpouli" == vpouli writes:

    vpouli> I didn't put "localhost", I put my.full.host.name. I just put
    vpouli> 'localhost' here for showing an example. I didn't want to
    vpouli> stand on that, I just wanted to ask if there is a way to ask
    vpouli> for a service ticket when the service contains '//' like in
    vpouli> http://fqdn/service.

    You completely misunderstand how this all works. That is a URL. From the
    URL, the Kerberos client constructs a principal name for the HTTP service
    on the named host (which cannot be "localhost"). That principal is of the
    form: HTTP/@

    --
    Richard Silverman
    res@qoxp.net
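
Added example, not part of the thread and not the JDK's or the KDC's own parser: it splits a URL the way the text form of a principal name is conventionally read (components separated by unescaped '/'), which yields six components including an empty one, and then builds the host-based name HTTP@host through the public JGSS API instead of sun.security.krb5 internals. The class name, the helper methods, the dot-in-hostname check and the sample URL are assumptions made for the illustration.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import org.ietf.jgss.*;

public class SpnFromUrl {
    // Simplified reader for the text form of a principal's name part:
    // components are separated by unescaped '/', and '\' makes the next
    // character literal. Empty components are kept so they show up.
    static List<String> components(String name) {
        List<String> parts = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            if (c == '\\' && i + 1 < name.length()) {
                cur.append(name.charAt(++i));
            } else if (c == '/') {
                parts.add(cur.toString());
                cur.setLength(0);
            } else {
                cur.append(c);
            }
        }
        parts.add(cur.toString());
        return parts;
    }

    // Host-based service name for the web server behind a URL. Only the host
    // is used; scheme, port and path never become part of the principal.
    static String hostBasedService(String url) {
        String host = URI.create(url).getHost();
        if (host == null || !host.contains("."))
            throw new IllegalArgumentException("URL needs a fully qualified host: " + url);
        return "HTTP@" + host.toLowerCase();
    }

    public static void main(String[] args) throws GSSException {
        String url = "http://www.example.org:8080/axis/services/test"; // constructed sample
        System.out.println(components(url));
        GSSManager mgr = GSSManager.getInstance();
        GSSName svc = mgr.createName(hostBasedService(url), GSSName.NT_HOSTBASED_SERVICE);
        System.out.println(svc);
        if (args.length > 0) {   // any argument: really ask the KDC (needs a TGT and krb5 config)
            Oid krb5 = new Oid("1.2.840.113554.1.2.2");   // Kerberos V5 mechanism
            GSSContext ctx = mgr.createContext(svc, krb5, null, GSSContext.DEFAULT_LIFETIME);
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);   // triggers the TGS request
            System.out.println("got " + token.length + "-byte token for the HTTP service");
            ctx.dispose();
        }
    }
}
```

To let the ticket request use an existing ticket cache, run with `-Djavax.security.auth.useSubjectCredsOnly=false`; the KDC must hold a principal of the form HTTP/fqdn@REALM for the host.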

