
Why "unknown server in kerberos database" for the same principal from 2 different hosts?


Hi!

 

I need help to understand why the same principal works fine for one host but not for another, both in the same realm (let's call it HDX), when they try to authenticate to the KDC in another realm (let's call it HDY).

 

The principal is like this: user/HDY@HDY, and it is used to authenticate a host (host1) from the HDX realm in the HDY realm.

Everything works fine for this host, so I copied the keytab with the principal to another host (host2).

Host1 authenticates for krbtgt/HDY@HDY, whereas host2 tries to obtain krbtgt/HDX@HDY and receives the following error:

 

UNKNOWN_SERVER: authtime 0, user/HDY@HDY for krbtgt/HDX@HDY, Server not found in Kerberos database.

 

This is clear, because in the KDC database there is only krbtgt/HDY@HDY, not krbtgt/HDX@HDY. It is not clear to me why host1 can obtain the ticket while host2 cannot.

 

I hope you can help me; let me know if you need further information from me.

 

Thanks a lot


Re: Why "unknown server in kerberos database" for the same principal from 2 different hosts?


Hello there,

What happens when you try a manual kinit on host2, explicitly specifying the principal and the realm, i.e.:

kinit -kt keytab.file -p user/HDY@HDY

Also, could you share your krb5.conf files from both hosts, as well as the list of keys stored in the keytab you exported (klist -kt keytab.file)? Without this information it's a bit hard to analyze this issue.

Kind regards,

Julius 
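
One way to compare the two krb5.conf files the reply asks for, as an added example that is not code from the thread: it parses both files and reports the settings that differ in [libdefaults], [domain_realm] and [capaths], the sections that steer which realm a client requests tickets for. The file contents and the `.hdy.example` domain are constructed, and the thread does not establish which setting, if any, is responsible.

```python
import re

# Sections that influence which realm (and which krbtgt) a client asks for.
REALM_SECTIONS = ("libdefaults", "domain_realm", "capaths")

# Constructed sample files; the domain names and values are assumptions.
HOST1_CONF = """[libdefaults]
  default_realm = HDX
[domain_realm]
  .hdy.example = HDY
[capaths]
  HDX = {
    HDY = .
  }
"""
HOST2_CONF = """[libdefaults]
  default_realm = HDX
[domain_realm]
  .hdy.example = HDX
"""

def parse_krb5_conf(text):
    """Flatten krb5.conf text into {"section/key[/subkey]": [values]}."""
    settings, section, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # skip blanks and comments
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                            # new [section]
            section, stack = header.group(1), []
            continue
        if line.startswith("}"):              # end of a nested { } block
            stack = stack[:-1]
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if not sep or section is None:
            continue
        if value == "{":                      # start of a nested block
            stack.append(key)
            continue
        settings.setdefault("/".join([section, *stack, key]), []).append(value)
    return settings

def realm_differences(conf_a, conf_b):
    """Return {path: (values_a, values_b)} for realm-related settings that differ."""
    a, b = parse_krb5_conf(conf_a), parse_krb5_conf(conf_b)
    return {p: (a.get(p), b.get(p)) for p in sorted(set(a) | set(b))
            if p.split("/")[0] in REALM_SECTIONS and a.get(p) != b.get(p)}
```

Calling `realm_differences` with the text of host1's and host2's krb5.conf returns only the differing entries; `None` on one side means the setting is absent on that host.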
