[cifs-discuss] krb5 ssh not working! (krb5_verify_init_credsfailed: Server not found in Kerberos database)
Nicolas Williams
Nicolas.Williams at sun.com
Mon Jul 28 12:29:17 PDT 2008
On Mon, Jul 28, 2008 at 02:48:49PM -0400, HUGE | Rob Terhaar wrote:
> I'm having a tough time pinpointing where the interesting error is in the
> entire process :) There was some additional KRB chatter between the
> opensolaris machine and the DC. I'll send a snoop dump off-list.
:(
> > E.g.,
> >
> > # kinit Administrator
> > # ldapsearch -R -h <DC> -o mech=gssapi -o authzid= -s sub -b \
> > 'DC=ad,DC=hugeinc,DC=com' cn=`uname -n`
> > # kdestroy
> > # kinit -k host/`uname -n`....
> >
> > where '...' is the domain of the client.
>
> ServicePrincipalName is correctly stored in the AD object, as confirmed by
> your ldapsearch command: http://www.pastebucket.net/1mhoc6
Look carefully. I only see
userPrincipalName: host/nybackup1.ad.hugeinc.com at AD.HUGEINC.COM
That's *not* what you want.
You want:
servicePrincipalName: host/nybackup1.ad.hugeinc.com
(Note: no '@AD.HUGEINC.COM'.)
Try this:
# kinit Administrator
# ldapmodify -h $DS -o mech=gssapi -o authzid= <<EOF
dn: CN=nybackup1,CN=Computers,DC=ad,DC=hugeinc,DC=com
changetype: modify
replace: servicePrincipalName
servicePrincipalName: host/nybackup1.ad.hugeinc.com
EOF
#
(Also, the values of userPrincipalName are not expected to be _Kerberos_
principal names but simply <username>@<domain> -- "UPNs" are there for
helping users keep their original usernames when their user objects are
moved from one domain to another, as well as to allow for usernames
longer than 20 characters. But UPNs aren't quite usernames either.
This is... a long story.)
Nico
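The check Nico describes, as an added example that is not part of the thread: parse the attributes of the computer object (a constructed sample that mirrors the misconfiguration above), report whether the host SPN lives in servicePrincipalName without a realm suffix or only in userPrincipalName, and build the corrective ldapmodify input. The entry text, the attribute values and the function names are assumptions for illustration.

```python
from typing import Dict, List

# Constructed sample of an ldapsearch result for the computer object,
# reproducing the problem in the thread: the host principal sits in
# userPrincipalName (with @REALM) and servicePrincipalName is absent.
SAMPLE_ENTRY = """\
dn: CN=nybackup1,CN=Computers,DC=ad,DC=hugeinc,DC=com
cn: nybackup1
sAMAccountName: nybackup1$
userPrincipalName: host/nybackup1.ad.hugeinc.com@AD.HUGEINC.COM
"""

def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {attribute: [values]}; folds continuation lines."""
    attrs: Dict[str, List[str]] = {}
    last = None
    for line in text.splitlines():
        if line.startswith(" ") and last is not None:   # LDIF folded line
            attrs[last][-1] += line[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        last = name.strip()
        attrs.setdefault(last, []).append(value.strip())
    return attrs

def _bare(principal: str) -> str:
    """Strip any @REALM suffix; SPN comparison in AD is case-insensitive."""
    return principal.partition("@")[0].lower()

def diagnose_spn(entry: Dict[str, List[str]], host_spn: str) -> str:
    """'ok': bare SPN present in servicePrincipalName; 'spn-realm': SPN stored
    with @REALM; 'upn-only': only userPrincipalName carries it; else 'missing'."""
    spns = entry.get("servicePrincipalName", [])
    upns = entry.get("userPrincipalName", [])
    if any(s.lower() == host_spn.lower() for s in spns):
        return "ok"
    if any(_bare(s) == host_spn.lower() for s in spns):
        return "spn-realm"
    if any(_bare(u) == host_spn.lower() for u in upns):
        return "upn-only"
    return "missing"

def fix_ldif(dn: str, host_spn: str) -> str:
    """ldapmodify input as in the reply; 'replace' overwrites every existing SPN."""
    return (f"dn: {dn}\nchangetype: modify\n"
            f"replace: servicePrincipalName\nservicePrincipalName: {host_spn}\n")

if __name__ == "__main__":
    e = parse_ldif_entry(SAMPLE_ENTRY)
    print(diagnose_spn(e, "host/nybackup1.ad.hugeinc.com"))   # upn-only
    print(fix_ldif(e["dn"][0], "host/nybackup1.ad.hugeinc.com"))
```

Because `replace` discards any SPNs already on the object, check the existing servicePrincipalName values first and use `add` if others must be kept.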