
Kerberos "Server not found": ksu generating unknown service name principal

Hi community,

I am studying ksu for some use cases and found this link:

https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/ksu.html


I have a user1 with a KDC entry and a keytab. Just before running ksu, I kinit user1 to get a Kerberos ticket:

[user1@server1 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1003293697
Default principal: user1@EXAMPLE.COM

Valid starting       Expires              Service principal
02/18/2019 09:13:12  02/19/2019 09:13:12  krbtgt/EXAMPLE.COM@EXAMPLE.COM


Then, I want user1 to ksu to user2. For this to work, I have created a .k5login file in user2's home directory with user1@EXAMPLE.COM as its content.

Then I launch ksu as user1 but hit this issue:

[user1@server1 ~]$ ksu user2
ksu: Server not found in Kerberos database while verifying ticket for server
Authentication failed.


Looking for an error in /var/log/krb5kdc.log, I found this one:

UNKNOWN_SERVER: authtime 0, user1@EXAMPLE.COM for krbtgt/UNKNOWN_DOMAIN@EXAMPLE.COM, Server not found in Kerberos database


As the error states, the service principal name krbtgt/UNKNOWN_DOMAIN@EXAMPLE.COM is unknown to the KDC database, which is right. The problem is that I expected the SPN to be krbtgt/EXAMPLE.COM@EXAMPLE.COM, just like what I can see in my user1 klist.

As I don't really know how to fix this, does someone have an idea on this, please?

Different websites and forums talk about FQDN, reverse DNS and some /etc/hosts and /etc/resolv.conf configurations, but none solved my issue.

Thank you in advance for your help.

1 ACCEPTED SOLUTION


Hi community,


I've fixed the issue by adding the below Kerberos host principal to the file /etc/krb5.keytab:

host/fqdn_hostname@REALM.

The one that was previously set did not match my environment configuration: host/UNKNOWN_DOMAIN@UNKNOWN_REALM
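The accepted solution comes down to the local keytab carrying a host principal for a name and realm the KDC does not know, so ksu cannot verify the ticket it obtained. The check below is an added example, not code from this thread: it reads `klist -kt` style output, confirms that host/FQDN@REALM is present and reports any other host/ principals (such as the host/UNKNOWN_DOMAIN@UNKNOWN_REALM entry above). The sample listings are constructed, and server1.example.com is an assumed FQDN.

```shell
#!/bin/sh
# Added example (not from the thread). ksu validates the user's ticket against
# the local host key, so the keytab must hold host/<fqdn>@<realm> for the realm
# the user's tickets come from; a stale host/UNKNOWN_DOMAIN@UNKNOWN_REALM entry
# does not help and leads to the "Server not found" failure seen above.
#
# check_host_principal FQDN REALM  reads "klist -kt" style output on stdin.
# Returns 0 when host/FQDN@REALM is present, 1 when it is absent; any other
# host/ principal found is reported on stderr so a mismatch is visible.
check_host_principal() {
    fqdn=$1
    realm=$2
    expected="host/$fqdn@$realm"
    found=1
    # Skip the "Keytab name:" header, the column header and the dashed rule;
    # the principal is the last whitespace-separated field of each other line.
    while read -r line; do
        case "$line" in
            Keytab*|KVNO*|----*|"") continue ;;
        esac
        princ=${line##* }
        case "$princ" in
            "$expected") found=0 ;;
            host/*) printf 'unexpected host principal in keytab: %s\n' "$princ" >&2 ;;
        esac
    done
    return $found
}

# Constructed sample listings (not captured from a real system).
BAD_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 02/18/2019 09:00:00 host/UNKNOWN_DOMAIN@UNKNOWN_REALM'

GOOD_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 02/18/2019 09:00:00 host/UNKNOWN_DOMAIN@UNKNOWN_REALM
   3 02/18/2019 09:05:00 host/server1.example.com@EXAMPLE.COM'

# On a real host (assumed realm EXAMPLE.COM):
#   klist -kt /etc/krb5.keytab | check_host_principal "$(hostname -f)" EXAMPLE.COM
```

Run it before ksu on a freshly joined host; a non-zero exit plus an "unexpected host principal" line is exactly the situation the accepted answer fixed by adding host/fqdn_hostname@REALM to the keytab.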


I had a similar problem and the solution was to change /etc/hosts. With this change I was able to find the Kerberos server.

Can you please be more precise on how to change that file?

@Pirlouis Pirlouis

I have no experience with ksu, but can you post the krb5.conf file? Maybe there is an issue in there. For example, is there a default realm specified?

Here is my krb5.conf. For security purposes I do not provide my environment's real values, but be sure that they match EXAMPLE.COM and UNKNOWN_DOMAIN.


includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
udp_preference_limit = 0
default_ccache_name = /tmp/krb5cc_%{uid}

[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log

[realms]
UNKNOWN_DOMAIN = {
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}
EXAMPLE.COM = {
  admin_server = myadmin.server.com
  kdc = myadmin.server.com
}

[domain_realm]
.unknown_domain = UNKNOWN_DOMAIN
unknown_domain = UNKNOWN_DOMAIN

Typically I have the DNS options turned off:

dns_lookup_realm = true
dns_lookup_kdc = true

If you do not need DNS lookup features, I would turn this off. Else make sure your DNS is set up correctly for this.


The domain_realm block seems to be missing the EXAMPLE.COM realm:

[domain_realm]
.unknown_domain = UNKNOWN_DOMAIN
unknown_domain = UNKNOWN_DOMAIN


Maybe change it to something like:

[domain_realm]
.unknown_domain = UNKNOWN_DOMAIN
unknown_domain = UNKNOWN_DOMAIN
.server.com = EXAMPLE.COM
server.com = EXAMPLE.COM



Thanks for your reply, but I am still getting the issue with your settings.

Try to put your IP in /etc/hosts:

Your_IP UNKNOWN_DOMAIN




Hi guys,

I found an environment where ksu works. My issue seems to be related to some sssd configuration, but I still have not managed to solve it.

Does it remind you of something regarding sssd configuration?

Thank you.
