Created 02-20-2019 05:16 PM
Hi community,
I am studying ksu for some use cases and found this link:
https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/ksu.html
I have a user1 with KDC entry and keytab. Just before running ksu, I kinit user1 to get Kerberos ticket:
[user1@server1 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1003293697
Default principal: user1@EXAMPLE.COM
Valid starting Expires Service principal
02/18/2019 09:13:12 02/19/2019 09:13:12 krbtgt/EXAMPLE.COM@EXAMPLE.COM
Then, I want user1 to ksu user2. For this to work, I have created a .k5login file on user2 home directory with user1@EXAMPLE.COM on its content.
Then, I launch ksu with user1 but find this issue:
[user1@server1 ~]$ ksu user2
ksu: Server not found in Kerberos database while verifying ticket for server
Authentication failed.
Looking for an error on /var/log/krb5kdc.log, I found that one:
UNKNOWN_SERVER: authtime 0, user1@EXAMPLE.COM for krbtgt/UNKNOWN_DOMAIN@EXAMPLE.COM, Server not found in Kerberos database
As the error states, service principal name krbtgt/UNKNOWN_DOMAIN@EXAMPLE.COM is unknown to KDC database, which is right. The problem is I expected the SPN to be krbtgt/EXAMPLE.COM@EXAMPLE.COM, just like what I can see on my user1 klist.
As I don't really know how to fix this, does someone have an idea on this, please?
Different websites and forums talk about FQDN, reverse DNS and some /etc/hosts and /etc/resolv.conf configurations, but none solved my issue.
Thank you in advance for your help.
Created 02-20-2019 05:16 PM
I had a similar problem and the solution was to change /etc/hosts. With this change I was able to find the Kerberos server.
Created 02-20-2019 05:16 PM
Can you please be more precise on how to change that file?
Created 02-20-2019 05:16 PM
I have no experience with ksu, but can you post the krb5.conf file. Maybe there is an issue in there. For example, is there a default realm specified?
Created 02-20-2019 05:16 PM
Here is my krb5.conf. For security purposes, I do not provide my environment's real values, but be sure that they match EXAMPLE.COM and UNKNOWN_DOMAIN.
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
udp_preference_limit = 0
default_ccache_name = /tmp/krb5cc_%{uid}
[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log
[realms]
UNKNOWN_DOMAIN = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
EXAMPLE.COM = {
admin_server = myadmin.server.com
kdc = myadmin.server.com
}
[domain_realm]
.unknown_domain = UNKNOWN_DOMAIN
unknown_domain = UNKNOWN_DOMAIN
Created 02-20-2019 05:34 PM
Typically I have the DNS options turned off:
dns_lookup_realm = true
dns_lookup_kdc = true
If you do not need DNS lookup features, I would turn this off. Otherwise make sure your DNS is set up correctly for this.
The domain_realm block seems to be missing the EXAMPLE.COM realm:
[domain_realm]
.unknown_domain = UNKNOWN_DOMAIN
unknown_domain = UNKNOWN_DOMAIN
Maybe change it to something like
[domain_realm]
.unknown_domain = UNKNOWN_DOMAIN
unknown_domain = UNKNOWN_DOMAIN
.server.com = EXAMPLE.COM
server.com = EXAMPLE.COM
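To see why the [domain_realm] mapping matters for the KDC log line in the original post, here is an added example (not code from the thread or from MIT Kerberos) that parses a constructed krb5.conf excerpt modelled on the posted one, applies the documented host-to-realm rule (an entry beginning with "." matches every host under that domain, an entry without the dot matches exactly, longest match wins), and then derives the service principal ksu would ask for and the TGT the client must request from its own KDC. When the local host maps to a realm other than the client's, that request is the cross-realm krbtgt/&lt;host realm&gt;@&lt;client realm&gt; seen in the log. Host names such as server1.unknown_domain and server1.server.com are placeholders; the fallback when no entry matches is only an assumption here, since libkrb5's behaviour at that point (DNS TXT lookup, default realm or referrals) depends on settings and version.

```python
"""Resolve which Kerberos realm a host name maps to under [domain_realm].

Added example, not code from the thread or from MIT Kerberos. Only the flat
sections [libdefaults] and [domain_realm] are parsed; the brace-delimited
sub-blocks of [realms] are out of scope for this check.
"""
import re
from typing import Dict, Optional

# Constructed krb5.conf excerpt: the poster's [domain_realm] section, with
# DNS lookups off so that only the static mapping decides the realm.
KRB5_CONF_BEFORE = """
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[domain_realm]
 .unknown_domain = UNKNOWN_DOMAIN
 unknown_domain = UNKNOWN_DOMAIN
"""

# The same file with the two EXAMPLE.COM lines suggested in the reply above.
KRB5_CONF_AFTER = KRB5_CONF_BEFORE + """ .server.com = EXAMPLE.COM
 server.com = EXAMPLE.COM
"""


def parse_section(conf: str, section: str) -> Dict[str, str]:
    """Return the 'key = value' pairs of one flat krb5.conf section."""
    pairs: Dict[str, str] = {}
    current = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            current = header.group(1)
            continue
        if current == section and "=" in line:
            key, _, value = line.partition("=")
            pairs[key.strip()] = value.strip()
    return pairs


def resolve_realm(hostname: str, domain_realm: Dict[str, str]) -> Optional[str]:
    """Apply the [domain_realm] rule: dot entries match sub-hosts, bare
    entries match exactly, the longest matching entry wins. None if no entry
    matches (libkrb5 then falls back to DNS / default realm, not modelled)."""
    host = hostname.lower().rstrip(".")
    best = None  # (length of matched key, realm)
    for key, realm in domain_realm.items():
        k = key.lower()
        matched = host.endswith(k) if k.startswith(".") else host == k
        if matched and (best is None or len(k) > best[0]):
            best = (len(k), realm)
    return best[1] if best else None


def describe_ksu_request(hostname: str, conf: str) -> Dict[str, str]:
    """Name the host service principal ksu would target and the TGT the
    client needs for it. A host in a different realm than the client means a
    cross-realm TGT request krbtgt/<host realm>@<client realm>."""
    client_realm = parse_section(conf, "libdefaults")["default_realm"]
    mapped = resolve_realm(hostname, parse_section(conf, "domain_realm"))
    # Assumption: with no mapping, treat the host as being in the client's
    # own realm (what an administrator usually intends for a single-realm site).
    host_realm = mapped or client_realm
    return {
        "host_realm": host_realm,
        "service": f"host/{hostname.lower().rstrip('.')}@{host_realm}",
        "tgt": f"krbtgt/{host_realm}@{client_realm}",
        "cross_realm": "yes" if host_realm != client_realm else "no",
    }


if __name__ == "__main__":
    for conf_name, conf in (("before", KRB5_CONF_BEFORE), ("after", KRB5_CONF_AFTER)):
        for host in ("server1.unknown_domain", "server1.server.com"):
            print(conf_name, host, describe_ksu_request(host, conf))
```

With the "before" configuration a host under unknown_domain maps to UNKNOWN_DOMAIN, so a client in EXAMPLE.COM asks its KDC for krbtgt/UNKNOWN_DOMAIN@EXAMPLE.COM, the exact name in the posted krb5kdc.log line; the KDC has no such cross-realm principal and answers UNKNOWN_SERVER. The mapping should only name realms the KDC actually serves or trusts.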
Created 02-21-2019 08:27 AM
Thanks for your reply but still getting the issue with your settings.
Created 02-21-2019 08:17 AM
Try to put your IP in /etc/hosts:
Your_IP UNKNOWN_DOMAIN
Created 03-12-2019 04:01 PM
Hi guys,
I found an environment where ksu works. My issue seems to be related to some sssd configuration, but I still have not managed to solve it.
Does it remind you of anything regarding sssd configuration?
Thank you.
Created 03-27-2019 08:07 AM
Hi community,
I've fixed the issue by adding the below Kerberos host principal to the file /etc/krb5.keytab:
host/fqdn_hostname@REALM.
The one that was previously set did not match my environment configuration: host/UNKNOWN_DOMAIN@UNKNOWN_REALM
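The fix above comes down to a check an administrator can script: ksu obtains a ticket for the local host service and verifies it against the key in the host keytab, so /etc/krb5.keytab must contain host/&lt;this host's FQDN&gt;@&lt;realm&gt;. The following is an added example (not code from the thread or from MIT Kerberos) that parses the output of klist -kt, reports whether the expected host principal is present and lists the host/ entries actually there. A constructed klist -kt sample is embedded so it runs offline; server1.example.com is a placeholder host name, and live_check is an assumed helper that runs the real klist (it needs read access to the keytab).

```python
"""Check that the host keytab holds the principal ksu verifies against.

Added example, not code from the thread or from MIT Kerberos.
"""
import re
import socket
import subprocess
from typing import List, Tuple

# Constructed sample of 'klist -kt /etc/krb5.keytab' output, shaped like the
# mismatch described in the thread (placeholder host and realm names, one
# entry per encryption type).
SAMPLE_KEYTAB_MISMATCH = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 02/20/2019 17:16:00 host/UNKNOWN_DOMAIN@UNKNOWN_REALM
   2 02/20/2019 17:16:00 host/UNKNOWN_DOMAIN@UNKNOWN_REALM
"""

# Constructed sample after adding host/<fqdn>@<realm> for the real host.
SAMPLE_KEYTAB_FIXED = SAMPLE_KEYTAB_MISMATCH + """\
   3 03/27/2019 08:07:00 host/server1.example.com@EXAMPLE.COM
   3 03/27/2019 08:07:00 host/server1.example.com@EXAMPLE.COM
"""


def keytab_principals(klist_output: str) -> List[str]:
    """Extract principal names from 'klist -kt' output: entry lines are
    'KVNO date time principal'; header and separator lines are skipped."""
    principals = []
    for line in klist_output.splitlines():
        m = re.match(r"^\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s*$", line)
        if m:
            principals.append(m.group(1))
    return principals


def expected_host_principal(fqdn: str, realm: str) -> str:
    """The principal ksu needs: host/<lower-case FQDN without trailing dot>@REALM."""
    return f"host/{fqdn.lower().rstrip('.')}@{realm}"


def check_host_keytab(klist_output: str, fqdn: str, realm: str) -> Tuple[bool, str, List[str]]:
    """Return (present?, expected principal, sorted host/ principals found)."""
    wanted = expected_host_principal(fqdn, realm)
    found = sorted({p for p in keytab_principals(klist_output) if p.startswith("host/")})
    return wanted in found, wanted, found


def live_check(realm: str, keytab: str = "/etc/krb5.keytab") -> Tuple[bool, str, List[str]]:
    """Assumed helper: run the same check against the real keytab using
    the machine's own FQDN. Requires permission to read the keytab."""
    out = subprocess.run(["klist", "-kt", keytab], capture_output=True,
                         text=True, check=True).stdout
    return check_host_keytab(out, socket.getfqdn(), realm)


def report(klist_output: str, fqdn: str, realm: str) -> str:
    ok, wanted, found = check_host_keytab(klist_output, fqdn, realm)
    if ok:
        return f"OK: {wanted} present in keytab"
    return (f"MISSING: {wanted}; host principals in keytab: "
            f"{', '.join(found) or '(none)'}")


if __name__ == "__main__":
    print(report(SAMPLE_KEYTAB_MISMATCH, "server1.example.com", "EXAMPLE.COM"))
    print(report(SAMPLE_KEYTAB_FIXED, "server1.example.com", "EXAMPLE.COM"))
```

Run on the mismatched sample the report names host/UNKNOWN_DOMAIN@UNKNOWN_REALM as the only host entry, which is the state the thread describes before the fix; after the proper host principal is added the check passes. Because the expected name is built from the FQDN, the check also catches a host whose hostname or /etc/hosts entry does not resolve to the fully qualified name the keytab was issued for.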