
I'm trying to write a Kerberos-aware application using the GSS-API in C. I've been following the guides on this site, but I am getting stuck when calling `gss_import_name` with HOST/SERVER-NAME in my buffer.

I keep getting the error "Server not found in Kerberos database".

I'm trying to connect to a Windows server from a Linux box running CentOS 6.5, using the preinstalled gssglue library. I followed this guide to connect my Linux box to the Windows domain. In a nutshell, I ran authconfig with a bunch of commands and then net ads join. I can successfully call kinit with my Windows domain password, so I know I am authenticating through the domain.

How do I add this server to my Kerberos database?

Brian Schlenker

1 Answer

Check whether the SPN is really registered in the AD. Obviously it isn't, that's why it is failing. Edit: The formatted string you pass to `gss_import_name` is not correct. It does not look like it does with SSPI; it is different with GSS-API. Your call must look like this.

Michael-O
  • It works using the same principal name from Windows to Windows using the SSPI. Does that necessarily mean the SPN is registered? – Brian Schlenker Mar 27 '14 at 19:53
  • Yes, otherwise it would fail. Check the machine account. You might have a problem with reverse DNS also, because the default setting is to perform a reverse DNS lookup. – Michael-O Mar 27 '14 at 19:58
  • What do you mean by machine account? Also, I am able to do a reverse DNS lookup of the system I am trying to connect to, and from the system I am trying to connect to I can do a reverse DNS lookup of the connecting system. – Brian Schlenker Mar 28 '14 at 13:33
  • Did you check the AD for that `servicePrincipalName`? If you cannot find it, enquire with your admin; if you can find it, you must sniff the traffic with Wireshark to find the root cause. This is what I am doing if in doubt. – Michael-O Mar 28 '14 at 14:14
  • Looking at the Wireshark capture, it looks like my hostname is being added on to the end of the Kerberos TGS-REQ. It ends up sending HOST/{SERVER-NAME}.{MY-HOST-NAME}.{MY-DOMAIN}.org – Brian Schlenker Mar 28 '14 at 17:48
  • Whereas the SPN should look like `host/fqdn@REALM`. The name you pass to `gss_import_name` is *not* correct. See edit of my answer. – Michael-O Mar 28 '14 at 21:13
  • Thank you! Changing it from HOST/SERVER-NAME to HOST@SERVER-NAME did the trick. – Brian Schlenker Mar 31 '14 at 16:05
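
The fix from this thread as an added example (not code from the original posts): the SSPI-style `HOST/SERVER-NAME` is rewritten to the `HOST@SERVER-NAME` form and imported with the standard `GSS_C_NT_HOSTBASED_SERVICE` name type. The helper `spn_to_hostbased` and the `USE_GSSAPI` build switch are hypothetical names introduced here, and `SERVER-NAME` is the thread's placeholder.

```c
#include <stdio.h>
#include <string.h>
#ifdef USE_GSSAPI               /* assumed build: cc -DUSE_GSSAPI x.c -lgssapi_krb5 */
#include <gssapi/gssapi.h>
#endif

/* Hypothetical helper (not part of GSS-API): turn "service/host", optionally
 * followed by "@REALM", into the host-based form "service@host".
 * Returns 0 on success, -1 on malformed input or if out is too small. */
int spn_to_hostbased(const char *spn, char *out, size_t outlen)
{
    const char *slash = spn ? strchr(spn, '/') : NULL;
    if (!slash || slash == spn || slash[1] == '\0' || slash[1] == '@')
        return -1;                          /* service or host part missing */
    size_t svc_len = (size_t)(slash - spn);
    if (memchr(spn, '@', svc_len))
        return -1;                          /* '@' before '/': not service/host */
    const char *host = slash + 1;
    size_t host_len = strcspn(host, "@");   /* host-based names carry no realm */
    if (svc_len + 1 + host_len + 1 > outlen)
        return -1;
    memcpy(out, spn, svc_len);
    out[svc_len] = '@';
    memcpy(out + svc_len + 1, host, host_len);
    out[svc_len + 1 + host_len] = '\0';
    return 0;
}

int main(void)
{
    char name[256];
    if (spn_to_hostbased("HOST/SERVER-NAME", name, sizeof name) != 0)
        return 1;
    printf("GSS-API host-based name: %s\n", name);
#ifdef USE_GSSAPI
    OM_uint32 maj, min;
    gss_name_t target = GSS_C_NO_NAME;
    gss_buffer_desc buf = { strlen(name), name };
    /* The name type tells the mechanism to parse the buffer as service@host. */
    maj = gss_import_name(&min, &buf, GSS_C_NT_HOSTBASED_SERVICE, &target);
    if (GSS_ERROR(maj)) {
        fprintf(stderr, "gss_import_name: major=%u minor=%u\n",
                (unsigned)maj, (unsigned)min);
        return 1;
    }
    gss_release_name(&min, &target);
#endif
    return 0;
}
```

Without `-DUSE_GSSAPI` the program only prints the converted name, so the conversion can be checked on a machine that has no GSS-API headers installed.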