Does Kerberos require Active Directory?
The Kerberos authentication client is implemented as a conforming security support provider (SSP) and is normally invoked through the Security Support Provider Interface (SSPI). Free implementations of Kerberos require an Active Directory server.
Hello
First, some things that work:
- NiFi cluster (Apache upstream v1.1.2) running on 3 CentOS 6 nodes.
- The login identity provider uses Kerberos and works fine using only the username and password fields in the UI or via the API.
- Once I have authenticated to the API with username and password, I can call the API without any problems.
- KDC is Active Directory only.
- The service uses nifi.kerberos.service.principal for "serviceaccount@DOMAIN.ORG" with the appropriate keytab.
I'm currently working on a small POC where a script uses the API to interact with some of these flows. Since I don't want to store the username and password for the script, I wanted to set up SPNEGO and just use a simple "kinit" with a keytab and get an API access token with something like `curl --negotiate -X POST -v -u : https://myhost.mydomain.org:8989/nifi-api/access/kerberos`.
Steps I followed:
1- Created 9 new accounts in AD, one for each of my machines, with the login name (SPN) "HTTP/myhost.mydomain.org".
2- Created a keytab for each of these machines using ktutil. Tested with kinit HTTP/myhost.mydomain.org@DOMAIN.ORG and they work too.
3- Configured the 3 SPNEGO properties in nifi.properties:
   - nifi.kerberos.spnego.principal=HTTP/myhost.mydomain.org@DOMAIN.ORG
   - nifi.kerberos.spnego.keytab.location=[the_location_of_the_keytab]
   - nifi.kerberos.spnego.authentication.expiration=12 hours
After restarting the service, I try the curl request mentioned above and get the following error:
```
curl --negotiate -X POST -v -u : https://myhost.mydomain.org:8989/nifi-api/access/kerberos
* About to connect() to myhost.mydomain.org port 8989 (#0)
*   Trying [ip address]... connected
* Connected to myhost.mydomain.org ([ip address]) port 8989 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: [edited]
  CApath: none
* NSS: client certificate not found (nickname not specified)
* SSL connection using [edited]
* Server certificate:
* [edited]
> POST /nifi-api/access/kerberos HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: myhost.mydomain.org:8989
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Date: Thu, 10 Aug 2017 17:10:41 GMT
* gss_init_sec_context() failed: : Server not found in Kerberos database
< WWW-Authenticate: Negotiate
< Content-Type: text/plain
```
Is server not found in Kerberos database?
The "Server not found in Kerberos database" error can occur if you have registered the same SPN for multiple users/computers. Support for the RestrictedKrbHost service class allows client applications to use Kerberos authentication when they don't necessarily have a service-specific identity for the server but do have its host name.
I was wondering what is missing. DNS and reverse DNS are set up correctly, and everything else works well (e.g. Hue, also with SPNEGO using the same method).
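Most "Server not found in Kerberos database" cases in the setup above come down to the SPNEGO principal not matching what the client asks the KDC for (HTTP/<fqdn-in-the-URL>@REALM). The following is an added example, not code from the post or from the NiFi project: it reads the three nifi.properties keys quoted in the steps and checks them against the URL the script will call. Sample property values, the keytab path and the second, deliberately broken, property set are constructed for illustration; the format check on the expiration value is a loose sanity check, not NiFi's own parser.

```python
"""Sanity-check NiFi SPNEGO properties against the URL a client will call.

Added example; not the NiFi project's code. Property keys are the real
nifi.properties keys from the post, values below are constructed.
"""
import re
from urllib.parse import urlparse

# Constructed sample: the three SPNEGO properties from the post.
GOOD_PROPERTIES = """
nifi.kerberos.spnego.principal=HTTP/myhost.mydomain.org@DOMAIN.ORG
nifi.kerberos.spnego.keytab.location=/etc/security/keytabs/nifi-spnego.keytab
nifi.kerberos.spnego.authentication.expiration=12 hours
"""

# Constructed sample with the mistakes the checks are meant to catch:
# wrong service-class case, short hostname, lowercase realm, no keytab,
# unparseable expiration.
BAD_PROPERTIES = """
nifi.kerberos.spnego.principal=http/myhost@domain.org
nifi.kerberos.spnego.keytab.location=
nifi.kerberos.spnego.authentication.expiration=twelve hours
"""

API_URL = "https://myhost.mydomain.org:8989/nifi-api/access/kerberos"

PRINCIPAL_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^/@]+)@(?P<realm>[^/@]+)$")
# Loose "<number> <unit>" shape as in the post's "12 hours"; not NiFi's grammar.
EXPIRATION_RE = re.compile(r"^\d+\s*[A-Za-z]+$")


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' comments skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_spnego_config(properties_text, api_url):
    """Return a list of findings; an empty list means the settings look consistent."""
    props = parse_properties(properties_text)
    findings = []

    principal = props.get("nifi.kerberos.spnego.principal", "")
    m = PRINCIPAL_RE.match(principal)
    if not m:
        findings.append(f"principal {principal!r} is not of the form service/host@REALM")
    else:
        service, host, realm = m.group("service", "host", "realm")
        url_host = (urlparse(api_url).hostname or "").lower()
        # curl --negotiate asks the KDC for HTTP/<host in the URL>, so the
        # service class and host part must match exactly what AD holds.
        if service != "HTTP":
            findings.append(f"service class {service!r} should be 'HTTP' for SPNEGO")
        if host.lower() != url_host:
            findings.append(f"principal host {host!r} does not match URL host {url_host!r}")
        if "." not in host:
            findings.append(f"principal host {host!r} is not fully qualified")
        if realm != realm.upper():
            findings.append(f"realm {realm!r} should be upper case")

    if not props.get("nifi.kerberos.spnego.keytab.location"):
        findings.append("keytab location is empty")

    expiration = props.get("nifi.kerberos.spnego.authentication.expiration", "")
    if not EXPIRATION_RE.match(expiration):
        findings.append(f"expiration {expiration!r} is not '<number> <unit>'")
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD_PROPERTIES), ("bad", BAD_PROPERTIES)):
        print(label, check_spnego_config(text, API_URL) or "ok")
```

Run it against the real nifi.properties of each node by reading the file into `check_spnego_config` together with the URL the script uses; a host mismatch or an unqualified host is the first thing to fix before looking at DNS or the KDC.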
WebLogic 12.2.1.4 running on a Windows 10 machine joined to Active Directory.
A Java web application on JVM 1.8.0_281 has long used GSSAPI to access a file share via Samba, using basically all the code from https://github.com/hierynomus/smbj/issues/304#issuecomment-375603115. The mechanism is that the Java system property "user.name" supplies the developer's Windows username. There is a Linux file server running Red Hat Enterprise Linux 7 configured with sssd to talk to Active Directory, and a Linux file server running Red Hat Enterprise Linux 6 that uses neither sssd nor winbind (it is not clear how it is configured for Active Directory). As far as I've been able to gather from sysadmin conversations, MIT Kerberos is involved in some way in connecting the Linux servers to Active Directory, but I don't have any further information on this.
How do I add a server to my Kerberos database?
- Kerberos realm name = EXAMPLE.COM
- DNS domain name = example.com
- Master KDC = kdc1.example.com
- Slave KDC = kdc2.example.com
- NFS server = denver.example.com
- Client = client.example.com
- Admin principal = kws/admin
- User principal = mre
(Note: the markdown table renders correctly in the preview but, unfortunately, not in the actual question as posted, so it is embedded in a code block; that is why not everything lines up.)

| Source (all on the same Windows 10 machine) | Target file server | Result |
|---------------------------------------------|--------------------|--------|
| WebLogic application | RHEL6 | success |
| WebLogic application | RHEL7 | **Error:** Server not found in Kerberos database |
| Windows Explorer | RHEL6 | success |
| Windows Explorer | RHEL7 | success |
WebLogic trace result (after setting the Java system property sun.security.krb5.debug to true):

```
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 21 16 23
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=******************. UDP:88, timeout=30000, number of retries =3, #bytes=233
>>> KDCCommunication: kdc=***************. UDP:88, timeout=30000,Attempt =1, #bytes=233
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: kdc=********************. TCP:88, timeout=30000, number of retries =3, #bytes=233
>>> KDCCommunication: kdc=******************. TCP:88, timeout=30000,Attempt =1, #bytes=233
>>> DEBUG: TCPClient reading 2695 bytes
>>> KrbKdcReq send: #bytes read=2695
>>> KdcAccessibility: remove **********************.:88
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply ******
Ticket *****@********* for krbtgt/*****@****** successfully obtained, expires ******
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for *****@********** to go to krbtgt/****@************* expiring on ******
Service ticket not found in the subject
>>> Credentials serviceCredsSingle: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 17 16 23
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> CksumType: sun.security.krb5.internal.crypto.HmacSha1Aes256CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=***************. TCP:88, timeout=30000, number of retries =3, #bytes=2633
>>> KDCCommunication: kdc=***************. TCP:88, timeout=30000,Attempt =1, #bytes=2633
>>> DEBUG: TCPClient reading 104 bytes
>>> KrbKdcReq send: #bytes read=104
>>> KdcAccessibility: remove *************.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
	 sTime is **********
	 suSec is **********
	 error code is 7
	 error Message is Server not found in Kerberos database
	 sname is cifs/***************@************
	 msgType is 30
```

Searching for "Server not found in Kerberos database" turns up a number of possibilities (DNS seems to be the most common suggestion; other answers mention SPN records, TLS certificates, not using the FQDN, an invalid domain-to-realm mapping for the host, the host not being part of a domain, and IPv4 versus IPv6).
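The useful part of a trace like the one above is the KRBError block: the error code, the service name (sname) the JVM actually asked the KDC for, and which KDC answered. The following is an added example, not code from the post, WebLogic or the JDK. It pulls those fields out of sun.security.krb5.debug output and names the error using the RFC 4120 error codes. SAMPLE_TRACE is a constructed trace modelled on the JDK's debug format; the hostnames, realm and user in it are placeholders.

```python
"""Triage a sun.security.krb5.debug trace: extract KRBError blocks and KDCs.

Added example; not JDK or WebLogic code. SAMPLE_TRACE is constructed in
the JDK debug format, with placeholder hosts and realm.
"""
import re

# Subset of KRB error codes from RFC 4120, section 7.5.9.
KRB_ERROR_NAMES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    18: "KDC_ERR_CLIENT_REVOKED",
    23: "KDC_ERR_KEY_EXPIRED",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    68: "KDC_ERR_WRONG_REALM",
}

# Constructed sample trace (placeholder KDC, user, file server and realm).
SAMPLE_TRACE = """\
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=dc1.example.org. UDP:88, timeout=30000, number of retries =3, #bytes=233
>>> KrbAsRep cons in KrbAsReq.getReply alice
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> KrbKdcReq send: kdc=dc1.example.org. TCP:88, timeout=30000, number of retries =3, #bytes=2633
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
\t sTime is Thu Mar 04 10:15:00 CET 2021
\t suSec is 123456
\t error code is 7
\t error Message is Server not found in Kerberos database
\t sname is cifs/fileserver7@EXAMPLE.ORG
\t msgType is 30
"""

FIELD_RE = re.compile(r"^(sTime|suSec|error code|error Message|sname|msgType) is (.*)$")
KDC_RE = re.compile(r"kdc=(\S+?)\.?\s")


def parse_krb_errors(trace):
    """Return one dict per '>>>KRBError:' block, keyed by the JDK field names."""
    errors, current = [], None
    for raw in trace.splitlines():
        line = raw.strip()
        if line.startswith(">>>KRBError"):
            current = {}
            errors.append(current)
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
        else:
            current = None  # first non-field line closes the block
    return errors


def kdcs_contacted(trace):
    """KDC hostnames seen in 'KrbKdcReq send' lines, trailing dot removed."""
    return sorted(set(KDC_RE.findall(trace)))


def triage(err):
    """Map a KRBError dict to (error name, list of things to verify)."""
    code = int(err.get("error code", -1))
    name = KRB_ERROR_NAMES.get(code, f"code {code}")
    hints = []
    if code == 7:
        sname = err.get("sname", "")
        service, _, rest = sname.partition("/")
        host, _, _realm = rest.partition("@")
        hints.append(f"KDC has no principal {sname}: confirm the SPN "
                     f"{service}/{host} is registered, and registered only once")
        if "." not in host:
            hints.append(f"host part {host!r} is unqualified; the KDC looks up "
                         f"the SPN exactly as sent, so the client should use the FQDN")
    return name, hints


if __name__ == "__main__":
    print("KDCs:", kdcs_contacted(SAMPLE_TRACE))
    for err in parse_krb_errors(SAMPLE_TRACE):
        name, hints = triage(err)
        print(name, "for", err.get("sname"))
        for h in hints:
            print("  -", h)
```

The sname line is the one to compare against what the file server's AD object (or its keytab on the RHEL side) actually holds; in the constructed sample it is a short name, which is one of the FQDN cases listed above.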
How do I access Kerberos database?
Become superuser on the master KDC.
(Optional) Back up the database using the kdb5_util command: # /usr/sbin/kdb5_util dump /var/krb5/slave_datatrans
Propagate the database to the slave KDC using the kprop command.