New Kerberos realm - principal only valid for user 2 user

Post by zenlord » 2020-07-15 15:22

Hi,
Topic says pretty much everything.
I have been managing our network for the past 10 years on the client side and just installed my first server from scratch. Asterisk needs some love, but my main concern is Kerberos, which is only partly functioning:
* The users (managed in LDAP) can log in from their laptops via SSSD perfectly fine: host/<fqdn>@REALM is working
* Mounting an NFS share fails with the error message that the 'Server principal is valid for user 2 user auth only'
* The same error message is returned if I try to rely on GSSAPI as the auth mechanism for IMAP.

I mainly stuck to online tutorials, including those by MIT and Red Hat, i.e.
1. On the server (kdc+kadmin in 1 machine) adding host/, nfs/ and HTTP/ principals through kadmin (addprinc + ktadd)
2. On the clients doing exactly the same.

Frequently recurring issues with Kerberos have been checked:
* Time is synched via NTP
* KVNO numbers match between the server's keytab and the client's keytab.

I have not yet been able to find anything that explains this error, so I don't even understand how to start dealing with it. Does anyone here have a pointer?

Thx!

Post by pylkko » 2020-07-29 19:54

How does this relate to Debian? Are you using Debian?

Please link the tutorials that you are using.

Post by cuckooflew » 2020-07-29 23:50

---so I don't even understand how to start dealing with it. Does anyone here have a pointer?

Neither do I, but,
if the OP is using Debian, or if it was me, I would start here:
https://wiki.debian.org/LDAP/Kerberos

Post by zenlord » 2020-08-10 08:43

pylkko wrote: how does this relate to debian? Are you using Debian?

Yes. Buster on both server and all clients.
The clients had already been upgraded to Buster at the end of last year. When changing from the old server (Jessie) to the new one (Buster), this issue popped up. I'm fairly confident that all configuration files are identical on both servers, so I'm probably missing a setting that was introduced between Jessie (krb5-kdc 1.12.1) and Buster (v 1.17.3).

pylkko wrote: please link the tutorials that you are using.

https://web.mit.edu/kerberos/krb5-latest/doc/
and
https://access.redhat.com/documentation ... g_kerberos
(I believe I did also read through the Ubuntu documentation)

The Debian wiki does not have any recent information on how to set up Kerberos.

Thank you,
Vincent