Imagine the following scenario:
Within a domain-network you want to provide a service, that can only be accessed by your domain-users, without them having to login. Take for example Typo3 on a host running linux with Apache. The required modules and libraries for apache and kerberos have already been installed and configured and you are currently trying to get kerberos to work. A domain-account has been created and a keytab was provided for the linux-host to use.
But if kinit now keeps displaying the error “Client not found in kerberos database” this can have several reasons. The Linux-Host could have a wrong hostname. So if for example the principal in the keytab was created for HTTP/cms.example.org@EXAMPLE.ORG but the Linux-Host has the hostname typo3.example.org the above error-message can be displayed.
Also, general typos while creating the keytab can be responsible. But if you have already ruled out such mostly easy to spot mistakes, then most of the time the Windows Event Log on the KDC can help. If you for example find the event ID 11 with source KDC saying “There are multiple accounts with name HTTP/cms.example.org of type DS_SERVICE_PRINCIPAL_NAME.” what exactly does that mean? It means that the principal that you created has been asssigned to multiple accounts.
A principal for a service is assigned to an account using the attribute servicePrincipalName of that account. So you can assign the same principal to multiple accounts which is not allowed. Such a mistake can be corrected using LDP. You just look for the accounts in question and remove the attribute servicePrincipalName from those accounts where you don’t need it (anymore). Using LDP the filter servicePrincipalName=HTTP/cms* with BaseDN DC=example,DC=org. After correcting the attributes you can simply try to get a ticket using kinit.
Leave a Reply
You must be logged in to post a comment.