25

I'm developing using the GSSAPI, and I have code which works with a vanilla MIT Kerberos 5 server to do some client/server work. I'm now verifying its functionality against Active Directory and I've hit an issue.

I have my server authenticated and listening. I can get the client to login. For the record, this is code based off of http://thejavamonkey.blogspot.com/2008/04/clientserver-hello-world-in-kerberos.html. However, I cannot get the client to get the ticket back from AD to get the session between it and the server. I get KrbException: Server not found in Kerberos database (7), and I cannot figure out where the proper place is to add it. I've tried putting the server name with ip in the hosts file, updating dns, putting in server records, etc, with no luck.

If anyone knows where the proper place is to update AD to set a server in the Kerberos Database, that would be great!

Michael-O
ohshazbot

10 Answers

22

This exception comes from the client, right? Please perform a forward and reverse DNS lookup of the server hostname. Your server has incorrect DNS entries. They are absolutely crucial for Kerberos. The proper place is your DNS server, in your case: domain controller. Figure out the IP address of your DNS server and contact your admin. The other option is a missing SPN, please check that too.

Michael-O
  • This is on the client side in a development setup. I have the AD server set in my /etc/hosts file. Both the client and server code I'm testing on are on the same box. I have set the AD system's HOSTS file to point to the dev system in a multitude of ways (hostname, hostname.REALM, etc). I cannot figure out how to add the dev system to the AD DNS, if that was specifically the issue. – ohshazbot Dec 13 '12 at 18:45
  • There is no need to tamper with the hosts file if your DNS is fine. Again, nag your admin that your DNS entries are broken. It is his task to fix this. Use Wireshark to inspect DNS lookups. – Michael-O Dec 13 '12 at 22:04
  • There is no system administrator, I am working on a development system with a windows AD system running in a VM. My dev system has the hosts set up properly. I tried setting the windows HOSTS file and AD DNS entry, to no avail. – ohshazbot Dec 13 '12 at 22:36
  • What do you receive if you perform from Windows: `nslookup hostname` and `nslookup ip`? – Michael-O Dec 13 '12 at 22:39
  • nslookup of the hostname finds it with the realm name attached, with the proper ip. nslookup of the ip fails. It is using the localhost as the DNS source. – ohshazbot Dec 13 '12 at 22:51
  • Reverse DNS MUST work too. Configure reverse lookup zone records `PTR` in your DNS please. – Michael-O Dec 14 '12 at 07:15
  • I set up a reverse zone and added the reverse pointer to nslookup ip works, but still no luck. If I switch the name I'm trying to connect to the AD hostname, the initialization context goes through. Which is a bit interesting, as with MIT Kerberos I could just use any identity which existed in krb. – ohshazbot Dec 14 '12 at 17:30
  • Now you should use Wireshark for further analysis. – Michael-O Dec 14 '12 at 19:37
  • Is there anything specific I should be looking for? The messages really don't make me feel like it's any sort of networking issue. It seems like an AD issue, as I've had this code working against MIT Kerberos for some time. Or perhaps do you know if it's possible to ramp up the debug in AD to give relevant information? – ohshazbot Dec 14 '12 at 22:43
  • I cannot exactly tell w/o seeing the Wireshark dump. I am not keen on administrating the AD, just keen on Kerberos. You should check how the Kerberos comm looks like. – Michael-O Dec 15 '12 at 09:52
  • @Michael-O I have got the same problem. I am trying to set up Kerberos on a Hadoop cluster. Below given are the details of the Hadoop cluster. IP and RPC port number of Namenode - hdfs://localhost:54310 – Jon Andrews Jun 07 '18 at 05:40
  • @Michael-O I have checked forward and reverse lookup for the server name. I have an issue with reverse lookup: `[root@env40-node1 ~]# nslookup 192.168.150.95` / `Server: 192.168.150.161` / `Address: 192.168.150.161#53` / `** server can't find 95.150.168.192.in-addr.arpa.: NXDOMAIN` – Jon Andrews Jun 07 '18 at 06:40
  • @Michael-O Reverse DNS is not working in my case. Please kindly help – Jon Andrews Jun 07 '18 at 07:10
  • @BasilPaul Don't use reverse DNS. Disable it in your `krb5.conf`. – Michael-O Jun 07 '18 at 07:22
  • @Michael-O Okay – Jon Andrews Jun 07 '18 at 07:23
  • @Michael-O How should I disable it? I didn't find any entry for reverse DNS. – Jon Andrews Jun 07 '18 at 07:24
  • See https://web.mit.edu/kerberos/krb5-1.16/doc/admin/conf_files/krb5_conf.html for `dns_canonicalize_hostname` and `rdns` to false. – Michael-O Jun 07 '18 at 07:27
  • rdns has value "false" – Jon Andrews Jun 07 '18 at 07:31
  • @Michael-O Could you provide some insights on the issue if you don't mind. I am installing this for the first time. Kindly help – Jon Andrews Jun 07 '18 at 08:58
  • @BasilPaul if your SPN is correctly registered, I won't be able to help w/o a Wireshark dump. What is the registered SPN and the one requested by the client? – Michael-O Jun 07 '18 at 09:03
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/172667/discussion-between-basil-paul-and-michael-o). – Jon Andrews Jun 07 '18 at 09:40
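The forward/reverse lookup advice in this answer and the `dns_canonicalize_hostname` / `rdns` comments can be checked mechanically. The following is an added example, not code from the thread or from MIT krb5: it runs the forward and reverse lookups, reports the inconsistencies that make a KDC answer "Server not found", and approximates which service principal the client will actually request under each krb5.conf setting. The canonicalization logic is a simplified model of the library's behaviour, not its exact algorithm; the resolver functions are injected so the check runs against a constructed table (hypothetical names `devbox.ad.local`, `web01.ad.local`, `old-name.ad.local`, RFC 5737 test addresses) with no network, and `socket_forward` / `socket_reverse` can be passed instead against a real resolver.

```python
"""Offline model of Kerberos hostname canonicalization and a DNS consistency check.
Added example; not code from the thread or from MIT krb5. The canonicalization is a
simplified approximation of what dns_canonicalize_hostname and rdns do."""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ForwardResolver = Callable[[str], Tuple[Optional[str], List[str]]]  # name -> (canonical, addresses)
ReverseResolver = Callable[[str], Optional[str]]                      # address -> PTR name or None


@dataclass
class DnsReport:
    hostname: str
    canonical: Optional[str]
    addresses: List[str]
    ptr_names: Dict[str, Optional[str]]
    problems: List[str]


def check_dns(hostname: str, fwd: ForwardResolver, rev: ReverseResolver) -> DnsReport:
    """Forward-resolve the name, reverse-resolve each address, record inconsistencies."""
    canonical, addrs = fwd(hostname)
    problems: List[str] = []
    if not addrs:
        problems.append(f"forward lookup of {hostname!r} failed")
    elif canonical and "." not in canonical:
        problems.append(f"canonical name {canonical!r} is not an FQDN")
    ptrs: Dict[str, Optional[str]] = {}
    for addr in addrs:
        name = rev(addr)
        ptrs[addr] = name
        if name is None:
            problems.append(f"reverse lookup of {addr} failed (NXDOMAIN); add a PTR record")
        elif canonical and name.lower() != canonical.lower():
            problems.append(f"PTR for {addr} is {name!r} but forward canonical name is {canonical!r}")
    return DnsReport(hostname, canonical, addrs, ptrs, problems)


def requested_spn(service: str, hostname: str, realm: str, report: DnsReport,
                  dns_canonicalize_hostname: bool = True, rdns: bool = True) -> str:
    """Approximate the principal the client asks the KDC for: with canonicalization on,
    the forward canonical name is used; with rdns also on, the PTR name of the first
    address wins when one exists; with canonicalization off, the literal hostname."""
    host = hostname
    if dns_canonicalize_hostname and report.canonical:
        host = report.canonical
        if rdns and report.addresses:
            ptr = report.ptr_names.get(report.addresses[0])
            if ptr:
                host = ptr
    return f"{service}/{host.lower()}@{realm}"


# Constructed resolver table (hypothetical names, RFC 5737 test addresses).
_FORWARD = {
    "devbox": ("devbox.ad.local", ["192.0.2.10"]),
    "devbox.ad.local": ("devbox.ad.local", ["192.0.2.10"]),
    "web01.ad.local": ("web01.ad.local", ["192.0.2.11"]),
}
_REVERSE = {
    "192.0.2.10": None,                 # no reverse zone: NXDOMAIN
    "192.0.2.11": "old-name.ad.local",  # stale PTR pointing at a different name
}


def table_forward(name: str) -> Tuple[Optional[str], List[str]]:
    return _FORWARD.get(name.lower(), (None, []))


def table_reverse(addr: str) -> Optional[str]:
    return _REVERSE.get(addr)


def socket_forward(name: str) -> Tuple[Optional[str], List[str]]:
    """Real forward resolver for use outside tests (follows CNAMEs via AI_CANONNAME)."""
    try:
        infos = socket.getaddrinfo(name, None, flags=socket.AI_CANONNAME)
    except socket.gaierror:
        return None, []
    return (infos[0][3] or name), sorted({info[4][0] for info in infos})


def socket_reverse(addr: str) -> Optional[str]:
    """Real reverse resolver for use outside tests."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None


if __name__ == "__main__":
    for host in ("devbox", "web01.ad.local"):
        rep = check_dns(host, table_forward, table_reverse)
        for p in rep.problems:
            print(f"{host}: PROBLEM: {p}")
        print(host, "rdns=true  ->", requested_spn("host", host, "AD.LOCAL", rep, rdns=True))
        print(host, "rdns=false ->", requested_spn("host", host, "AD.LOCAL", rep, rdns=False))
```

The `web01.ad.local` case shows why the stale PTR matters: with `rdns = true` the client asks for `host/old-name.ad.local@AD.LOCAL`, which the KDC does not have, while `rdns = false` keeps the forward name. Fixing the PTR (or setting `rdns = false`, as the later comments suggest) makes the requested and registered SPNs agree.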
15

I hope this helps .. I got this same error message (Server not found in Kerberos database (7)) but this occurs after the successful use of the keytab to login.

The error message occurs when we attempt to use the credentials to do LDAP searches against AD.

This has only started happening since Java 1.6.0_34 - it worked with 1.6.0_31, which I think was the previous release. The error occurs because Java doesn't trust that the KDC it is communicating with for LDAP is actually part of the Kerberos realm. In our case, I think it is because the LDAP connection is made with the server name found via the round-robin'd resolved query. That is, Java resolves realm.example.com, but gets any one of kdc1.example.com, kdc2.example.com, etc. They must have tightened the checking between these releases.

In our case the problem was worked around by setting the ldap server name directly rather than relying on DNS.

But investigations continue.

Matthew Hannigan
14

In my case, it's caused by wrong configuration of the requested server's address.

The server address should be an FQDN (fully qualified domain name).

FQDN is always required by Kerberos.

Nicholas DiPiazza
secfree
4

This looks like a missing SPN issue. The website you had pointed to has

principal="webserver/bully@EXAMPLE.COM" 

This is the principal for which the ticket would be obtained. Did you change this to a value relative to your AD domain?

You could use the command line kerberos tools to test if you have the SPN defined:

[root@gen-cs218 bin]# kinit Administrator
Administrator@SIGNING.TEST's Password:
[root@gen-cs218 bin]# kgetcred host/tcfe102@SIGNING.TEST
[root@gen-cs218 bin]# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: Administrator@SIGNING.TEST

  Issued                Expires               Principal
Dec 15 11:42:34 2012  Dec 15 21:42:34 2012  krbtgt/SIGNING.TEST@SIGNING.TEST
Dec 15 11:42:48 2012  Dec 15 21:42:34 2012  host/tcfe102@SIGNING.TEST

Hostname-based SPNs are pre-defined. If you want to use an SPN that is not pre-defined, you will have to explicitly define it in AD using the setspn.exe tool and associate it with either a computer or a user account, for example:

c:\> setspn.exe -A "webserver/bully@MYDOMAIN" myuser

You can check which account a SPN is associated with by using the command below. This will not show pre-defined SPNs.

c:\> setspn.exe -L "webserver/bully@MYDOMAIN"
mrsrinivas
kvthanga
1

The "Server not found in Kerberos database" error can also happen if you have registered the SPN to multiple users/computers.

You can check that with:

$ SetSPN -Q ServicePrincipalName
( SetSPN -Q HTTP/my.server.local@MYDOMAIN )
slm
vandor76
1

sqlcmd works, but System.Data.SqlClient does not work: Server not found in Kerberos database. You should add a RestrictedKrbHost SPN.

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/445e4499-7e49-4f2a-8d82-aaf2d1ee3c47

5.1.2 SPNs with Serviceclass Equal to "RestrictedKrbHost"

Supporting the "RestrictedKrbHost" service class allows client applications to use Kerberos authentication when they do not have the identity of the service but have the server name. This does not provide client-to-service mutual authentication, but rather client-to-server computer authentication. Services of different privilege levels have the same session key and could decrypt each other's data if the underlying service does not ensure that data cannot be accessed by higher services.

ztf
1

Just if someone has a similar setup...

  1. I was setting up a Windows Active Directory (AD) server under Windows Server 19, similar to this tutorial,
  2. and wanted to authenticate a Debian client against it (with sssd), using this tutorial.

I got the error message ...

msktutil: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)

... when I tried to add my client machine as a COMPUTER to the AD:

msktutil -N -c -b 'CN=COMPUTERS' -s DEBIAN/debian.ad.local -k my-keytab.keytab --computer-name DEBIAN --upn DEBIAN$ --server winserv19.ad.local --user-creds-only

I could fix the error by:

  1. Adding, of course, the DNS server IP to /etc/resolv.conf
  2. Adding a reverse lookup zone on the DNS server (also running on the Win Serv 19, next to AD DS) [image: Windows Server 19 DNS Reverse Lookup Zone]
  3. Activating the "Update associated pointer (PTR) record" option in the forward lookup entries on the Windows DNS server [image: Windows Server 19 DNS A Record PTR Option]
0

In my case, my principal was kafka/kafka.niroshan.com@NIROSHAN.COM. I got the lines below in the terminal:

>>> KrbKdcReq send: #bytes read=190
>>> KdcAccessibility: remove kerberos.niroshan.com
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
         cTime is Thu Oct 05 03:42:15 UTC 1995 812864535000
         sTime is Fri May 31 06:43:38 UTC 2019 1559285018000
         suSec is 111309
         error code is 7
         error Message is Server not found in Kerberos database
         cname is kafka/kafka.niroshan.com@NIROSHAN.COM
         sname is kafka/kafka.com@NIROSHAN.COM
         msgType is 30

After hours of checking, I found that the line below had a wrong value in kafka_2.12-2.2.0/server.properties:

listeners=SASL_PLAINTEXT://kafka.com:9092

Also, I had two entries, kafka.niroshan.com and kafka.com, for the same IP address.

I changed it to listeners=SASL_PLAINTEXT://kafka.niroshan.com:9092 and then it worked!

According to the link below, the principal should contain the Fully Qualified Domain Name (FQDN) of each host, and the hostname should match the principal.

https://docs.oracle.com/cd/E19253-01/816-4557/planning-25/index.html

NiroshanJ
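The `>>>KRBError:` block above is the most useful artefact in this kind of failure, because it shows the service name the client actually requested (`sname`) next to the one it authenticated as (`cname`). The following is an added example, not NiroshanJ's code or Kafka's: it parses that block out of the JDK's `-Dsun.security.krb5.debug=true` output, extracts the host part of the rejected `sname`, and compares it with the keytab principal and with the host in Kafka's `listeners=` setting, so the mismatch that took hours to find by hand is reported directly. The sample inputs are the debug lines and property values quoted in the answer, embedded as constructed strings so the script runs offline; the mapping of error code 7 to KDC_ERR_S_PRINCIPAL_UNKNOWN is from RFC 4120.

```python
"""Parse the JDK's KRBError debug block and explain a "Server not found" failure
as a hostname mismatch. Added example, not NiroshanJ's code or Kafka's."""
import re
from typing import Dict, List, Optional

# Field lines look like "         cname is kafka/kafka.niroshan.com@NIROSHAN.COM".
_FIELD = re.compile(
    r"^\s*(cTime|sTime|suSec|error code|error Message|cname|sname|msgType) is (.*)$", re.M)

# Error code 7 is KDC_ERR_S_PRINCIPAL_UNKNOWN (RFC 4120): no such server principal.
KDC_ERR_S_PRINCIPAL_UNKNOWN = "7"


def parse_krb_error(debug_text: str) -> Dict[str, str]:
    """Return the KRBError fields as a dict; empty if no KRBError block is present."""
    parts = debug_text.split(">>>KRBError:", 1)
    if len(parts) < 2:
        return {}
    return {key: value.strip() for key, value in _FIELD.findall(parts[1])}


def principal_host(principal: str) -> Optional[str]:
    """service/host@REALM -> host (lower-cased); a plain user@REALM has no host."""
    name = principal.split("@", 1)[0]
    if "/" not in name:
        return None
    return name.split("/", 1)[1].lower()


def listener_host(properties_text: str) -> Optional[str]:
    """Host part of the first listener in a Kafka server.properties 'listeners=' line."""
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith("listeners="):
            first = line.split("=", 1)[1].split(",")[0].strip()
            hostport = first.split("://", 1)[-1]
            return hostport.rsplit(":", 1)[0].lower() or None
    return None


def diagnose(debug_text: str, properties_text: str, configured_principal: str) -> List[str]:
    """List the name mismatches behind a 'Server not found in Kerberos database' error."""
    err = parse_krb_error(debug_text)
    findings: List[str] = []
    if err.get("error code") == KDC_ERR_S_PRINCIPAL_UNKNOWN:
        findings.append(f"KDC has no principal named {err.get('sname', '?')} (error 7)")
    requested = principal_host(err.get("sname", ""))
    configured = principal_host(configured_principal)
    listener = listener_host(properties_text)
    if requested and "." not in requested:
        findings.append(f"requested host {requested!r} is not an FQDN")
    if requested and configured and requested != configured:
        findings.append(f"client asked for host {requested!r} but keytab principal is for {configured!r}")
    if listener and configured and listener != configured:
        findings.append(f"listeners= advertises {listener!r}; it must match the principal host {configured!r}")
    return findings


# Constructed sample: the debug output and configuration quoted in the answer above.
SAMPLE_DEBUG = """>>> KrbKdcReq send: #bytes read=190
>>> KdcAccessibility: remove kerberos.niroshan.com
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
         cTime is Thu Oct 05 03:42:15 UTC 1995 812864535000
         sTime is Fri May 31 06:43:38 UTC 2019 1559285018000
         suSec is 111309
         error code is 7
         error Message is Server not found in Kerberos database
         cname is kafka/kafka.niroshan.com@NIROSHAN.COM
         sname is kafka/kafka.com@NIROSHAN.COM
         msgType is 30
"""
BROKEN_PROPS = "listeners=SASL_PLAINTEXT://kafka.com:9092\n"
FIXED_PROPS = "listeners=SASL_PLAINTEXT://kafka.niroshan.com:9092\n"
PRINCIPAL = "kafka/kafka.niroshan.com@NIROSHAN.COM"

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_DEBUG, BROKEN_PROPS, PRINCIPAL):
        print("-", finding)
    print("after fix:", diagnose("", FIXED_PROPS, PRINCIPAL) or "no findings")
```

Run against a real failure, paste the client's debug output into `SAMPLE_DEBUG`, the broker's `server.properties` into `BROKEN_PROPS`, and the principal from `klist -kt` on the keytab into `PRINCIPAL`; a non-empty result names the specific host that needs to change.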
0

You would be surprised if I told you that I received this error when the UPN search was not returning any entry, meaning the user is not found, instead of getting a clear indication that the query returned no items.

So I recommend revising your query part or using AdExplorer to make sure that the users/groups you are looking for are reachable by the query you are using (depending on what you are using as an attribute for search sAMAccount, userPrincipalName, CN, DN).

Please note this can also happen when the AD you are connecting to is trying to find that user in another AD instance that your machine could not reach as part of your connections settings to that initial AD instance.

params.put(Context.REFERRAL, "follow");
Jalal Sordo
-6

Consider adding

[appdefaults]
validate=false

to your /etc/krb5.conf. This can work around mismatching DNS.

fche