Re: gss-server error - Kerberos
-
Re: gss-server error
A Kerberos realm is always in uppercase [1]. If you did *everything*
with a lowercase realm name I suspect things might work but perhaps not.
Or, based on the second error, perhaps there is a DNS issue?
Mike
[1] The realm is effectively the DNS domain in uppercase and therefore
it is not uncommon to see lowercase names (e.g. DNS oriented software).
On Mon, 21 Aug 2006 17:00:03 +0800
"lizhong" wrote:
> I'm trying to test with gss-client and gss-server but am unsuccessful in
> getting it to work.
>
> I have set up an MIT realm called test.com and added a client named test/admin@test.com.
> I am able to kinit and get a ticket from the KDC.
>
> [root@gcnode029 gss-sample]# kinit
> Password for test/admin@test.com:
> kinit(v5): Password incorrect while getting initial credentials
> [root@gcnode029 gss-sample]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: test/admin@test.com
>
> Valid starting Expires Service principal
> 08/21/06 15:45:15 08/22/06 15:45:15 krbtgt/test.com@test.com
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> [root@gcnode029 gss-sample]#
>
> But if I run "gss-server -port 8888 -verbose -once test/admin@test.com", I met the following error:
>
> [root@gcnode029 gss-sample]# ./gss-server -port 8888 -verbose -once test/admin@test.com
> GSS-API error acquiring credentials: An invalid name was supplied
> GSS-API error acquiring credentials: Hostname cannot be canonicalized
>
> I guess I used the service name in an improper way. So what service name should I use? Thank you for any help!
>
>
>
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
-
Re: gss-server error
Michael B Allen writes:
> A Kerberos realm is always in uppercase [1]. If you did *everything*
> with a lowercase realm name I suspect things might work but perhaps not.
Lowercase Kerberos realms do work. However, when setting up a new
Kerberos realm, you should use uppercase, since it makes automatic
discovery easier.
> [1] The realm is effectively the DNS domain in uppercase and therefore
> it is not uncommon to see lowercase names (e.g. DNS oriented software).
Kerberos realm names are case-sensitive, and software should not be
changing the case of the provided realm name. Also, while making your
Kerberos realm match your DNS domain is a useful convention for automatic
discovery, it isn't a requirement, and there are significant realms where
this is not the case (ATHENA.MIT.EDU comes to mind).
--
Russ Allbery (rra@stanford.edu)
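The two replies above disagree on realm naming, and both points can be shown in code: a host is mapped to a realm by an explicit [domain_realm]-style table first, the "DNS domain in upper case" convention is only the fallback when no entry matches, and realm names are compared case-sensitively. The following is an added example (not code from the thread or from MIT krb5); it models the mapping rather than calling the krb5 library, and the mapping table and host names in it are constructed for the demonstration. ATHENA.MIT.EDU is the realm named in the thread as one that does not match its DNS domain.

```python
"""
Added example: realm selection for a host, modelled on the [domain_realm]
section of krb5.conf plus the upper-cased-domain fallback the thread
describes. The table and host names are constructed, not a real config.
"""
from typing import Dict, Optional

# Constructed sample of a [domain_realm] section. A key with a leading dot
# covers every host under that domain; a key without it is one exact host.
DOMAIN_REALM: Dict[str, str] = {
    ".mit.edu": "ATHENA.MIT.EDU",    # realm that is not the DNS domain
    "mit.edu": "ATHENA.MIT.EDU",
    ".test.com": "test.com",         # a lowercase realm, used consistently
}


def realm_for_host(host: str, mapping: Dict[str, str] = DOMAIN_REALM) -> Optional[str]:
    """Longest-suffix match of the host against the mapping, or None.
    Host names are DNS names, so they are matched case-insensitively."""
    h = host.lower().rstrip(".")
    if h in mapping:                      # exact host entry wins
        return mapping[h]
    labels = h.split(".")
    for i in range(1, len(labels)):       # then .parent, .grandparent, ...
        key = "." + ".".join(labels[i:])
        if key in mapping:
            return mapping[key]
    return None


def default_realm_for_host(host: str) -> Optional[str]:
    """Fallback with no table entry: the DNS domain in upper case.
    A bare unqualified host name has no domain to derive a realm from."""
    h = host.lower().rstrip(".")
    if "." not in h:
        return None
    return h.split(".", 1)[1].upper()


def resolve_realm(host: str) -> Optional[str]:
    """Table first, convention second."""
    return realm_for_host(host) or default_realm_for_host(host)


def same_realm(a: str, b: str) -> bool:
    """Realm names are case-sensitive: test.com and TEST.COM are two realms."""
    return a == b


if __name__ == "__main__":
    for h in ("www.mit.edu", "gcnode029.test.com", "host.example.org", "gcnode029"):
        print(h, "->", resolve_realm(h))
    print("test.com == TEST.COM ?", same_realm("test.com", "TEST.COM"))
```

Note that the fallback only ever produces upper-case names, which is why a lowercase realm works when every host is covered by an explicit mapping and stops working as soon as some client relies on the convention.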
-
Re: gss-server error
In the manual by Jim Rome, "How to Kerberize your site" (http://www.ornl.gov/~jar/HowToKerb.html#Configure), all examples are in lowercase.
So I think there might be a DNS issue, or I used the parameters of the gss-server improperly.
The server's command line usage is
gss-server [-port port] [-verbose] [-once] [-inetd] [-export]
[-logfile file] service_name
where service_name is a GSS-API service name of the form "service@host" (or just "service", in which case the local host name is used).
Now I have 2 machines: the KDC server is called A, and the application server is called B. The gss-server is on machine B. The keytab file has been generated on machine B:
[root@gcnode029 gss-sample]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
6 test/admin@test.com
When I try to run gss-server using the command "./gss-server -port 8888 -once test/admin@test.com", the output is:
[root@gcnode029 gss-sample]# ./gss-server -port 8888 -once test/admin@test.com
GSS-API error acquiring credentials: An invalid name was supplied
GSS-API error acquiring credentials: Hostname cannot be canonicalized
When I try to run gss-server using the command "./gss-server -port 8888 -once test/admin", the output is:
[root@gcnode029 gss-sample]# ./gss-server -port 8888 -once test/admin
GSS-API error acquiring credentials: Unspecified GSS failure. Minor code may provide more information
GSS-API error acquiring credentials: No principal in keytab matches desired name
When I try to run gss-server using the command "./gss-server -port 8888 -once test", the output is:
[root@gcnode029 gss-sample]# ./gss-server -port 8888 -once test
GSS-API error acquiring credentials: Unspecified GSS failure. Minor code may provide more information
GSS-API error acquiring credentials: No principal in keytab matches desired name
In fact I don't know exactly what the service name should look like. Are the errors above caused by a DNS problem, or by the keytab file?
----- Original Message -----
From: "Michael B Allen"
To: "lizhong"
Cc:
Sent: Monday, August 21, 2006 10:29 PM
Subject: Re: gss-server error
-
Re: gss-server error
Now I have found the reason.
The /etc/hosts file somehow messed up gssapi.
The DNS name of the machine which gss-server is running on is "gcnode029.ca", and at the same time this machine is also called "gcnode029" in the /etc/hosts file.
So when I tried to create a client in kdc called test/gcnode029.ca@test.com, surely I should run the gss-server using cmd:
[root@gcnode029 gss-sample]# ./gss-server -port 8888 test/gcnode029.ca
But the host name gcnode029.ca somehow caused an error:
GSS-API error acquiring credentials: Unspecified GSS failure. Minor code may provide more information
GSS-API error acquiring credentials: No principal in keytab matches desired name
But if I create a test/gcnode029@test.com, and run gss-server using cmd:
[root@gcnode029 gss-sample]# ./gss-server -port 8888 test/gcnode029
Now everything runs perfectly.
I don't know the exact reason for the above. Maybe the name defined in /etc/hosts and the DNS name are mixed together somehow.
I searched a lot using Google, and found that many people have met the same problem as mine. I hope the method above will help.
----- Original Message -----
From: "lizhong"
To: "Michael B Allen"
Cc:
Sent: Tuesday, August 22, 2006 10:27 AM
Subject: Re: gss-server error
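The final post explains the failure but not the mechanism. What it comes down to is the acceptor-side name lookup: gss-server imports its argument as a host-based service name, splits it at the "@" into service and host (exactly the "service@host" rule in the usage text quoted above, which is why "test/admin@test.com" becomes service "test/admin" on host "test.com"), canonicalises the host through the system resolver, and then looks for service/<canonical host> in the keytab. When /etc/hosts makes the short name canonical while the keytab holds the DNS FQDN, no entry matches. The block below is an added example, not code from the thread or from MIT krb5: it models that lookup with a pluggable canonicaliser so it runs offline, and the hosts table, the second keytab entry with kvno 7, and the realm in it are constructed for the demonstration. The real resolver path, `canonical_hostname`, is included for use on a live host but is not exercised by the offline data.

```python
"""
Added example, not code from the thread or from MIT krb5. Models the lookup
behind "No principal in keytab matches desired name": a GSS-API host-based
name becomes service/<canonical host>, which must exist in the keytab.
All hosts-table and keytab data below is constructed for the demonstration.
"""
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple


def parse_hostbased_name(name: str, local_host: str) -> Tuple[str, str]:
    """Split a GSS_C_NT_HOSTBASED_SERVICE name at '@' into (service, host).
    A bare "service" means the local host name, as gss-server's usage says."""
    if "@" in name:
        service, host = name.split("@", 1)
    else:
        service, host = name, local_host
    if not service or not host:
        raise ValueError(f"invalid host-based name: {name!r}")
    return service, host


def canonical_hostname(host: str) -> str:
    """Real resolver path (not exercised by the offline data): getaddrinfo's
    canonical name. glibc consults /etc/hosts and DNS in the order given by
    nsswitch.conf, so a short alias in /etc/hosts can beat the DNS FQDN."""
    info = socket.getaddrinfo(host, None, flags=socket.AI_CANONNAME)
    return (info[0][3] or host).lower().rstrip(".")


def hosts_file_canonicaliser(hosts: Dict[str, str]) -> Callable[[str], str]:
    """Constructed stand-in for the resolver: name -> canonical name, the way
    a line "10.0.0.29 gcnode029 gcnode029.ca" makes the first name after the
    address canonical for every alias on that line (addresses are constructed)."""
    def canon(host: str) -> str:
        return hosts.get(host.lower(), host.lower())
    return canon


KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")


def parse_klist_k(text: str) -> List[Tuple[int, str]]:
    """Parse `klist -k` output into (kvno, principal) pairs, skipping headers."""
    return [(int(m.group(1)), m.group(2))
            for m in map(KEYTAB_LINE.match, text.splitlines()) if m]


def acceptor_principal(name: str, local_host: str,
                       canon: Callable[[str], str]) -> str:
    """service/<canonical host> without a realm; the keytab supplies that."""
    service, host = parse_hostbased_name(name, local_host)
    return f"{service}/{canon(host)}"


def find_keytab_entry(name: str, local_host: str, keytab_text: str,
                      canon: Callable[[str], str]) -> Optional[str]:
    """Keytab principal the acceptor would use, or None: the thread's failure,
    where the desired name matches no entry regardless of realm."""
    wanted = acceptor_principal(name, local_host, canon)
    for _kvno, princ in parse_klist_k(keytab_text):
        if princ.rsplit("@", 1)[0] == wanted:
            return princ
    return None


# Constructed data mirroring the thread: /etc/hosts makes the short name
# canonical even though DNS knows the machine as gcnode029.ca ...
HOSTS_SHORT_CANONICAL = hosts_file_canonicaliser(
    {"gcnode029": "gcnode029", "gcnode029.ca": "gcnode029"})
# ... versus a resolver that returns the FQDN, as the poster expected.
DNS_FQDN_CANONICAL = hosts_file_canonicaliser(
    {"gcnode029": "gcnode029.ca", "gcnode029.ca": "gcnode029.ca"})

KEYTAB_FQDN_ONLY = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 test/gcnode029.ca@test.com
"""
# Constructed second entry (kvno 7) for the short-name principal the poster added.
KEYTAB_BOTH = KEYTAB_FQDN_ONLY + "   7 test/gcnode029@test.com\n"

if __name__ == "__main__":
    cases = [("FQDN keytab, short name canonical", KEYTAB_FQDN_ONLY, HOSTS_SHORT_CANONICAL),
             ("both entries, short name canonical", KEYTAB_BOTH, HOSTS_SHORT_CANONICAL),
             ("FQDN keytab, FQDN canonical", KEYTAB_FQDN_ONLY, DNS_FQDN_CANONICAL)]
    for label, keytab, canon in cases:
        print(label, "->", find_keytab_entry("test@gcnode029.ca", "gcnode029", keytab, canon))
```

The three cases in the `__main__` block are the two fixes available on a real host: either add a keytab entry for whatever the resolver actually returns as canonical (what the poster did), or fix /etc/hosts so the FQDN is canonical and keep the single FQDN entry. Before choosing, run `klist -k` and compare against what `canonical_hostname("gcnode029")` returns on the server itself, since that is the name the acceptor will look for.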