Discussion:
Server not found in Kerberos database error on ldapsearch
jeck
2007-11-09 15:33:15 UTC
Good afternoon!
I have the following problem: I need to connect securely to an AD and search
it via ldapsearch. When I try to do so the "Server not found in Kerberos
database" error appears. I'm not quite sure why. I have extracted a keytab
of the AD and kinit seems to work fine for the same user as I want to use
with ldapsearch. The hosts files are set up correctly (a ping on DNS names
looks fine). There is nothing that indicates an error in the AD logs (only
successful logons). Could anyone give me a hint why I get this reaction?
--
View this message in context: http://www.nabble.com/Server-not-found-in-Kerberos-database-error-on-ldapsearch-tf4777894.html#a13667697
Sent from the Kerberos - General mailing list archive at Nabble.com.
Douglas E. Engert
2007-11-09 20:43:44 UTC
Post by jeck
Good afternoon!
I have the following problem: I need to connect securely to an AD and search
it via ldapsearch.
It should work with something like this with OpenLDAP SASL and GSSAPI:

ldapsearch -b "dc=ad,dc=domain,dc=com" -h dc1.ad.domain.com -Y GSSAPI ...
where the domain name is ad.domain.com and one of the AD controllers
is dc1.ad.domain.com
Post by jeck
When I try to do so the "Server not found in Kerberos
database" error appears. I'm not quite sure why. I have extracted a keytab
of the AD
What? Not sure what you mean here. Is the keytab for a user or the AD
controller itself? You should *not* need a keytab at all.
Post by jeck
and kinit seems to work fine for the same user as I want to use
with ldapsearch.
Usually a user with some AD administrative privileges.
Post by jeck
The hosts-files
What host files?
Post by jeck
are set up correctly (a ping on DNS names
looks fine). There is nothing that indicates an error in the AD logs (only
successful logons). Could anyone give me a hint why I get this reaction?
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
jeck
2007-11-10 01:07:03 UTC
Thank you for the fast reply!
Post by Douglas E. Engert
ldapsearch -b "dc=ad,dc=domain,dc=com" -h dc1.ad.domain.com -Y GSSAPI ...
where the domain name is ad.domain.com and one of the AD controllers
is dc1.ad.domain.com
That is exactly the way I tried it. GSSAPI exits with an unknown GSS error; the
minor code is "Server not found in Kerberos database". And that is my
problem...
Post by Douglas E. Engert
You should *not* need a keytab at all.
I didn't know that... I tried with keytab and without. The result stays the
same.
Post by Douglas E. Engert
Post by jeck
and kinit seems to work fine for the same user as I want to use
with ldapsearch.
Usually a user with some AD administrative privileges.
Yes. When I use simple bind, the query works for this user, so I think the
privileges are ok.
Post by Douglas E. Engert
Post by jeck
The hosts-files
What host files?
The /etc/hosts files on both machines (well, on Windows it's
{WIN}\system32\etc\hosts). I mentioned this because lots of solutions I
found said that my problem had something to do with DNS problems and
recommended setting up the /etc/hosts files manually. Unfortunately it didn't
help in my case. I mentioned it because I thought that it would eliminate
the DNS-problem option...

Maybe my point of view is not quite right to understand the problem... What
information could be of interest to understand and solve it?
Douglas E. Engert
2007-11-10 04:00:29 UTC
Post by jeck
Thank you for the fast reply!
Post by Douglas E. Engert
ldapsearch -b "dc=ad,dc=domain,dc=com" -h dc1.ad.domain.com -Y GSSAPI ...
where the domain name is ad.domain.com and one of the AD controllers
is dc1.ad.domain.com
You can also try the -R REALM and -U=user options.
Post by jeck
That is exactly the way I tried it. GSSAPI exits with an unknown GSS error; the
minor code is "Server not found in Kerberos database". And that is my
problem...
Post by Douglas E. Engert
You should *not* need a keytab at all.
I didn't know that... I tried with keytab and without. The result stays the
same.
Post by Douglas E. Engert
Post by jeck
and kinit seems to work fine for the same user as I want to use
with ldapsearch.
Usually a user with some AD administrative privileges.
Yes. When I use simple bind, the query works for this user, so I think the
privileges are ok.
Post by Douglas E. Engert
Post by jeck
The hosts-files
What host files?
The /etc/hosts files on both machines (well, on Windows it's
{WIN}\system32\etc\hosts). I mentioned this because lots of solutions I
found said that my problem had something to do with DNS problems and
recommended setting up the /etc/hosts files manually. Unfortunately it didn't
help in my case. I mentioned it because I thought that it would eliminate
the DNS-problem option...
You should not need these.


Some things to try:

Wireshark or another trace program to see DNS and Kerberos requests.
This should show the name of the "Server not found in Kerberos database"

On the unix side, do you have a /etc/krb5.conf or /etc/krb5.conf?
Is the default realm (in uppercase) the same as the AD domain name?
If not, you may need a krb5.conf, or the -R option on ldapsearch.

If AD is setup correctly, it should have DNS SRV records for Kerberos
and LDAP.

nslookup
set type=ANY
_kerberos._tcp.ad.domain.com
_ldap._tcp.ad.domain.com

This should show the FQDN of the servers, both Kerberos and LDAP.
Post by jeck
Maybe my point of view is not quite right to understand the problem... What
information could be of interest to understand and solve it?
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Zharovsky Evgeniy
2007-11-14 12:07:15 UTC
Post by Douglas E. Engert
You should not need these.
Ok.
Post by Douglas E. Engert
Wireshark or another trace program to see DNS and Kerberos requests.
This should show the name of the "Server not found in Kerberos database"
I captured the request dialog with wireshark and got this (the things I think
are important):

MSG Type: KRB-ERROR
Error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
Realm: EXAMPLE.COM
Server Name (Unknown): krbtgt/COM
Name-type: Unknown (0)
Name: krbtgt
Name: COM
I guess that indicates an error in my krbtgt setup. But where should I search
for it and what does the right setup look like?
Post by Douglas E. Engert
On the unix side, do you have a /etc/krb5.conf or /etc/krb5.conf?
Is the default realm (in uppercase) the same as the AD domain name?
If not, you may need a krb5.conf, or the -R option on ldapsearch.
Yes, I do have a krb5.conf on the unix side. Here it is:

[libdefaults]
default_realm=EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
# default_tkt_enctypes = des-cbc-md5 des-cbc-crc
# default_tgs_enctypes = des-cbc-md5 des-cbc-crc
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# v4_instance_resolve = false
# v4_name_convert = {
[realms]
EXAMPLE.COM = {
kdc = 192.168.10.4:88
admin_server = 192.168.10.4:749
}
[domain_realm]
.example.com = EXAMPLE.COM

As you can see, it is a setup for some tests...
-----------------

Evgeniy Zharovsky

Ludwig-Maximilians-Universitaet
Ref. IIIA5 (Sicherheitstechnik und Verzeichnisdienste)
Martiusstr. 4 / 207
80539 Muenchen

email mailto:evgeniy.zharovsky at verwaltung.uni-muenchen.de
Douglas E. Engert
2007-11-14 15:38:30 UTC
Post by Zharovsky Evgeniy
Post by Douglas E. Engert
You should not need these.
Ok.
Post by Douglas E. Engert
Wireshark or another trace program to see DNS and Kerberos requests.
This should show the name of the "Server not found in Kerberos database"
I captured the request dialog with wireshark and got this (the things I think
MSG Type: KRB-ERROR
Error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
Realm: EXAMPLE.COM
Server Name (Unknown): krbtgt/COM
Name-type: Unknown (0)
Name: krbtgt
Name: COM
This looks like cross realm, where the client is working its way up the realm
tree to get to the realm of the server, say AD.DOMAIN.COM. The client is using the TGT
from EXAMPLE.COM to get a TGT for realm COM (which does not exist). If it did, it
would then try to get a TGT from COM for DOMAIN.COM, then get one from
DOMAIN.COM for AD.DOMAIN.COM, and then get the service ticket from AD.DOMAIN.COM.

I thought you were trying to use Active Directory, and the domain name
was something like ad.domain.com. So why does your unix system have
a realm named EXAMPLE.COM? Have you set up cross realm trust between them?

If you are not using cross-realm, then you should be using the AD domain name as
the realm name. It should have a realm named AD.DOMAIN.COM.

Either the user and server must be in the same realm, or you need cross realm
trust.

I am assuming that you do not wish to reveal the actual names of the host,
realms and AD domain you are using. This makes it very difficult to see what
the real problem is.
Post by Zharovsky Evgeniy
I guess that indicates an error in my krbtgt setup. But where should I search
for it and what does the right setup look like?
Post by Douglas E. Engert
On the unix side, do you have a /etc/krb5.conf or /etc/krb5.conf?
Is the default realm (in uppercase) the same as the AD domain name?
If not, you may need a krb5.conf, or the -R option on ldapsearch.
[libdefaults]
default_realm=EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
# default_tkt_enctypes = des-cbc-md5 des-cbc-crc
# default_tgs_enctypes = des-cbc-md5 des-cbc-crc
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# v4_instance_resolve = false
# v4_name_convert = {
[realms]
EXAMPLE.COM = {
kdc = 192.168.10.4:88
admin_server = 192.168.10.4:749
}
[domain_realm]
.example.com = EXAMPLE.COM
By default Kerberos will take a host name, strip off the
short name, and use the remaining domain name as the realm name for the host.
So add the other domains and/or hosts here too.
Post by Zharovsky Evgeniy
As you can see, it is a setup for some tests...
-----------------
Evgeniy Zharovsky
Ludwig-Maximilians-Universitaet
Ref. IIIA5 (Sicherheitstechnik und Verzeichnisdienste)
Martiusstr. 4 / 207
80539 Muenchen
email mailto:evgeniy.zharovsky at verwaltung.uni-muenchen.de
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Zharovsky Evgeniy
2007-11-16 14:05:47 UTC
I don't know if I got you right (I'm not quite good with networks and
especially AD; that's a new thing for me, so I'm a noob).
Post by Zharovsky Evgeniy
Post by Zharovsky Evgeniy
I captured the request dialog with wireshark and got this
(the things I think
Post by Zharovsky Evgeniy
MSG Type: KRB-ERROR
Error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
Realm: EXAMPLE.COM
Server Name (Unknown): krbtgt/COM
Name-type: Unknown (0)
Name: krbtgt
Name: COM
This looks like cross realm, where the client is working its
way up the realm
tree to get to the realm of the server, say AD.DOMAIN.COM.
The client is using the TGT
from EXAMPLE.COM to get a TGT for realm COM (which does not
exist). If it did, it
would then try to get a TGT from COM for DOMAIN.COM, then
get one from
DOMAIN.COM for AD.DOMAIN.COM, and then get the service ticket from AD.DOMAIN.COM.
I thought you were trying to use Active Directory, and the
domain name
was something like ad.domain.com. So why does your unix system have
a realm named EXAMPLE.COM? Have you set up cross realm trust
between them?
If you are not using cross-realm, then you should be using the
AD domain name as
the realm name. It should have a realm named AD.DOMAIN.COM.
Either the user and server must be in the same realm, or you
need cross realm
trust.
The domain/realm in AD is called example.com. My Unix client is
gate.example.com.
On running 'kinit proxyuser'
(the proxyuser is mapped to gate.example.com as the Microsoft documentation suggested)
I get a ticket that looks like this:

[me at gate ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: proxyuser at EXAMPLE.COM

Valid starting Expires Service principal
11/16/07 13:11:24 11/16/07 23:08:03 krbtgt/EXAMPLE.COM at EXAMPLE.COM
renew until 11/17/07 13:11:24


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached

So I assumed the TGT server is krbtgt/EXAMPLE.COM at EXAMPLE.COM and works fine.
I don't get why ldapsearch is looking for krbtgt/COM and not
krbtgt/EXAMPLE.COM at EXAMPLE.COM.

Should I rename the AD domain to ad.example.com or something like that? Is
that what you meant?
Post by Zharovsky Evgeniy
I am assuming that you do not wish to reveal the actual names
of the host,
realms and AD domain you are using. This makes it very
difficult to see what
the real problem is.
So what kind of setup do you think is good for such tests? The setup I got
here is described in Microsoft's Windows Security and Directory Services for
UNIX (Vol. 2) guide. It's the only documentation I got on this problem. Do
you have some links or other information I could have a look at? The problem
I need to solve is: I should set up a VPN gate that is able to authenticate
and authorize a user by looking him up in AD. Authentication should be based
on Kerberos, authorization on LDAP groups. It worked fine with PAM+Kerberos
and simple bind for LDAP. Now there came the requirement to have a secure
LDAP connection (over Kerberos). And that is what I'm dealing with now. The
test setup works as long as I do not try to authenticate my LDAP client over
Kerberos. And I don't get why this is something different from authenticating
a user on the gate using PAM and Kerberos...
Post by Zharovsky Evgeniy
Post by Zharovsky Evgeniy
[libdefaults]
default_realm=EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
# default_tkt_enctypes = des-cbc-md5 des-cbc-crc
# default_tgs_enctypes = des-cbc-md5 des-cbc-crc
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# v4_instance_resolve = false
# v4_name_convert = {
[realms]
EXAMPLE.COM = {
kdc = 192.168.10.4:88
admin_server = 192.168.10.4:749
}
[domain_realm]
.example.com = EXAMPLE.COM
By default Kerberos will take a host name, strip off the
short name, and use the remaining domain name as the realm name for the host.
So add the other domains and/or hosts here too.
What other domains do you mean? I have a UNIX client, which is
gate.example.com, and an AD server that is example.com. Maybe this is the
problem, because AD should be something like ad.example.com? Is that what you
meant above?


-----------------

Evgeniy Zharovsky

Ludwig-Maximilians-Universitaet
Ref. IIIA5 (Sicherheitstechnik und Verzeichnisdienste)
Martiusstr. 4 / 207
80539 Muenchen

email mailto:evgeniy.zharovsky at verwaltung.uni-muenchen.de
Zharovsky Evgeniy
2007-11-16 15:31:07 UTC
Ok, I got it now! I set up the AD server to run as ad.example.com and
replaced the IPs in my krb5.conf with DNS names, and now it works! Thank you
very much for your help. Still, if you have any howto on this topic (AD and
UNIX), I would appreciate it if you could send me a link to it.
Evgeniy Zharovsky (aka Jeck)

-----------------

Evgeniy Zharovsky

Ludwig-Maximilians-Universitaet
Ref. IIIA5 (Sicherheitstechnik und Verzeichnisdienste)
Martiusstr. 4 / 207
80539 Muenchen

email mailto:evgeniy.zharovsky at verwaltung.uni-muenchen.de
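The following is an added illustration, not code from the thread or from MIT Kerberos: a simplified model of the two client-side steps Douglas describes (host-to-realm mapping with the "strip the short name" fallback, and the hierarchical krbtgt walk used when no explicit path exists). Run against the thread's own krb5.conf mapping it reproduces the krbtgt/COM request from the capture for a controller named example.com, and shows why moving the controller to ad.example.com made the `.example.com` mapping apply; the direct-trust handling for realms with no common ancestor is an assumption of this model.

```python
# Added example (not from the thread): how a client without dns_lookup_realm
# picks a host's realm and which krbtgt hops it requests across realms.

def realm_of_host(hostname, domain_realm):
    """Realm for a host per [domain_realm]: exact host name first, then
    parent domains with a leading dot; with no match, fall back to the
    parent domain in uppercase (the default behaviour the thread
    describes). domain_realm example: {".example.com": "EXAMPLE.COM"}"""
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return ".".join(labels[1:]).upper()   # strip short name, uppercase

def cross_realm_path(client_realm, server_realm):
    """krbtgt principals requested, in order, when no [capaths] entry
    exists: climb from the client realm to the nearest common ancestor
    realm, then descend to the server realm. Same realm -> no hops."""
    if client_realm == server_realm:
        return []
    c, s = client_realm.split("."), server_realm.split(".")
    n = 0                                 # length of the shared suffix
    while n < min(len(c), len(s)) and c[-1 - n] == s[-1 - n]:
        n += 1
    if n == 0:                            # assumption: direct trust
        return [f"krbtgt/{server_realm}@{client_realm}"]
    chain = [".".join(c[i:]) for i in range(1, len(c) - n + 1)]
    chain += [".".join(s[j:]) for j in range(len(s) - n - 1, -1, -1)]
    hops, cur = [], client_realm
    for nxt in chain:
        hops.append(f"krbtgt/{nxt}@{cur}")
        cur = nxt
    return hops

def first_tgs_request(client_realm, ldap_host, domain_realm):
    """Service principal ldapsearch -Y GSSAPI asks for, and the first
    TGS request the client actually sends to reach it."""
    service = f"ldap/{ldap_host}@{realm_of_host(ldap_host, domain_realm)}"
    hops = cross_realm_path(client_realm, service.split("@")[1])
    return service, (hops[0] if hops else service)

if __name__ == "__main__":
    mapping = {".example.com": "EXAMPLE.COM"}   # the thread's krb5.conf
    print(first_tgs_request("EXAMPLE.COM", "example.com", mapping))
    print(first_tgs_request("EXAMPLE.COM", "ad.example.com", mapping))
```

For the bare host name example.com the model yields a service realm of COM and a first request for krbtgt/COM@EXAMPLE.COM, exactly the KRB-ERROR in the capture; for ad.example.com the service lands in EXAMPLE.COM and no cross-realm hop is needed.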