
kprop and "Client not found in Kerberos database"


fafaforza

Oct 26, 2011, 1:08:02 PM
to kerb...@mit.edu
Hi there,

I have 2 realms, the second for Jabber users. I can kprop the default
realm fine, but get

# kdb5_util -r JABBER.DOMAIN.NET -d /usr/local/var/krb5kdc/jabber -sf /usr/local/var/krb5kdc/.k5.JABBER.DOMAIN.NET dump DUMP.FILE
# kprop -r JABBER.DOMAIN.NET -f DUMP.FILE -s /etc/krb5.jabber.keytab -d kerberos-ha.domain.net
kprop: Client not found in Kerberos database while getting initial ticket

when trying to kprop the jabber realm. A tcpdump shows no traffic to
the secondary, so this looks like a local issue on the primary. In the
Jabber realm, I have these host principals (in addition to others):

host/kerberos-ha...@JABBER.DOMAIN.NET
host/kerberos....@JABBER.DOMAIN.NET

I used ``ktadd'' to extract
``host/kerberos....@JABBER.DOMAIN.NET'' to
/etc/krb5.jabber.keytab, and I get the same error with and without the
-s flag.

Can anyone shed some light? Using the same steps for the default realm
works fine. Below is my /etc/krb5.conf

--
Thanks
Darek


[libdefaults]
    default_realm = DOMAIN.NET

[realms]
    DOMAIN.NET = {
        kdc = kerberos.domain.net
        kdc = kerberos-ha.domain.net
    }
    JABBER.DOMAIN.NET = {
        kdc = kerberos.domain.net
        kdc = kerberos-ha.domain.net
    }

[domain_realm]
    .domain.net = DOMAIN.NET
    jabber.domain.net = JABBER.DOMAIN.NET

[password_quality]
    min_length = 8
    #
    # requires the pass to have chars from at least that many
    # character classes.
    # ( uppercase, lowercase, number, special characters )
    #
    min_classes = 3

[logging]
    #kdc = CONSOLE
    #kdc = SYSLOG:INFO:DAEMON
    kdc = FILE:/var/log/krb5.log
    admin_server = FILE:/var/log/kadmin.log

[kdc]
    addresses = em0

Greg Hudson

Oct 26, 2011, 1:51:01 PM
to fafaforza, kerb...@mit.edu
On 10/26/2011 01:08 PM, fafaforza wrote:
> # kprop -r JABBER.DOMAIN.NET -f DUMP.FILE -s /etc/krb5.jabber.keytab
> -d kerberos-ha.domain.net
> kprop: Client not found in Kerberos database while getting initial
> ticket

You didn't mention what version of Kerberos you're using. If it's MIT
krb5 1.9.x, you can set KRB5_TRACE to a filename and get more
information about what kprop is trying to do.

I would expect the client principal to be
host/kerberos....@JABBER.DOMAIN.NET, which you say exists, so I'm
not sure what the issue is. DNS configuration issues could cause the
second component of that principal to be different, but I'd expect that
to affect kprop attempts for the first realm as well.

fafaforza

Oct 26, 2011, 2:49:06 PM
to kerb...@mit.edu
On 10/26/2011 1:51 PM, Greg Hudson wrote:
> On 10/26/2011 01:08 PM, fafaforza wrote:
>> # kprop -r JABBER.DOMAIN.NET -f DUMP.FILE -s /etc/krb5.jabber.keytab
>> -d kerberos-ha.domain.net
>> kprop: Client not found in Kerberos database while getting initial
>> ticket
> You didn't mention what version of Kerberos you're using. If it's MIT
> krb5 1.9.x, you can set KRB5_TRACE to a filename and get more
> information about what kprop is trying to do.

Using 1.6.3, and it doesn't look like KRB5_TRACE was an option in that
release. But I'm too chicken to try an upgrade at this point :)

To add a bit of info, this is what I see in /var/log/krb5.log:

CLIENT_NOT_FOUND: host/kerberos....@JABBER.DOMAIN.NET for host/kerberos-ha...@JABBER.DOMAIN.NET, Client not found in Kerberos database

Trying to figure out the causality in the "host for host" part, but am
not sure.

--
Darek
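An added diagnostic (not from the thread and not part of MIT krb5) that makes Greg's reasoning mechanical: kprop names itself host/<canonical hostname>@<realm given with -r>, so the client principal the KDC rejects in a CLIENT_NOT_FOUND line like the one above is compared against the hostname after DNS canonicalisation and against a principal listing from the realm's database. Hostnames, realm and log text are constructed; the kprop naming rule is my reading of the 1.6 kprop source, not something the thread states.

```python
import re
import socket

# Shape of the krb5kdc log entry quoted in the thread (names below are constructed):
#   CLIENT_NOT_FOUND: <client> for <server>, Client not found in Kerberos database
CLIENT_NOT_FOUND = re.compile(r"CLIENT_NOT_FOUND: (?P<client>\S+) for (?P<server>\S+),")

# Constructed sample input standing in for /var/log/krb5.log and `listprincs` output.
SAMPLE_LOG = ("CLIENT_NOT_FOUND: host/kdc1.example.net@CHAT.EXAMPLE.NET for "
              "host/kdc2.example.net@CHAT.EXAMPLE.NET, Client not found in Kerberos database")
SAMPLE_PRINCS = ["host/KDC1.example.net@CHAT.EXAMPLE.NET", "host/kdc2.example.net@CHAT.EXAMPLE.NET"]

def split_principal(princ):
    """'host/kdc1.example.net@EXAMPLE.NET' -> ('host', 'kdc1.example.net', 'EXAMPLE.NET')."""
    name, _, realm = princ.rpartition("@")
    service, _, instance = name.partition("/")
    return service, instance, realm

def expected_kprop_client(realm, hostname, canonicalize=socket.getfqdn):
    """Client principal kprop derives for itself (assumed): host/<canonical hostname>@<-r realm>.
    The hostname is canonicalised through DNS and lowercased, so a DNS problem lands here."""
    return "host/%s@%s" % (canonicalize(hostname).lower(), realm)

def diagnose(kdc_log, db_principals, realm, hostname, canonicalize=socket.getfqdn):
    """Explain the last CLIENT_NOT_FOUND in kdc_log for a kprop run with -r realm.
    db_principals: names from `kadmin.local -r REALM -q listprincs` on the primary.
    Returns (rejected client principal, list of findings)."""
    matches = CLIENT_NOT_FOUND.findall(kdc_log)  # [(client, server), ...]
    if not matches:
        return None, ["no CLIENT_NOT_FOUND entry in the KDC log"]
    rejected = matches[-1][0]
    _, rej_host, rej_realm = split_principal(rejected)
    _, exp_host, _ = split_principal(expected_kprop_client(realm, hostname, canonicalize))
    findings = []
    if rej_realm != realm:
        findings.append("KDC saw realm %s but kprop was run with -r %s" % (rej_realm, realm))
    if rej_host != exp_host:
        findings.append("KDC saw host %s, canonical hostname is %s: check DNS/hostname" % (rej_host, exp_host))
    if rejected in db_principals:
        findings.append("%s is listed yet rejected: the KDC that answered is not reading that database" % rejected)
    elif rejected.lower() in {p.lower() for p in db_principals}:
        findings.append("%s matches a listed principal only up to case; principal names are case-sensitive" % rejected)
    else:
        findings.append("%s is absent from %s: addprinc -randkey it, then ktadd -k <keytab>" % (rejected, realm))
    return rejected, findings

if __name__ == "__main__":  # the lambda stands in for DNS so the sample run is deterministic
    print(diagnose(SAMPLE_LOG, SAMPLE_PRINCS, "CHAT.EXAMPLE.NET", "kdc1", lambda h: "kdc1.example.net"))
```

On a real primary, feed it the tail of the KDC log, the `listprincs` output for the realm, and the KDC's own hostname with the default canonicaliser.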