Server Hostname Misconfiguration

Undoubtedly, you’ll find yourself in the following situation. You’ve just installed Kerberos 5; your KDC works, as you can acquire tickets for your user principal. You’ve dutifully established a host principal for your test application server, and you’re ready to test the first application.

Your shell output looks something like this:

> hostname
freebsd.wedgie.org
> klist
Ticket cache: FILE:/tmp/krb5cc_p82191
Default principal: jgarman@WEDGIE.ORG

Valid starting     Expires            Service principal
01/29/03 04:52:21  01/29/03 10:30:11  krbtgt/WEDGIE.ORG@WEDGIE.ORG


Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
> ftp freebsd
Connected to localhost.
220 freebsd.wedgie.org FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI error major: Miscellaneous failure
GSSAPI error minor: Server not found in Kerberos database
GSSAPI error: initializing context
GSSAPI authentication failed
334 Using authentication type KERBEROS_V4; ADAT must follow
KERBEROS_V4 accepted as authentication type
Kerberos V4 krb_mk_req failed: You have no tickets cached
Name (localhost:jgarman): 
331 Password required for jgarman.
Password:

What just happened? It should work, after all. Let’s double-check the principals in our Kerberos database:

% kadmin
Authenticating as principal jgarman/admin@WEDGIE.ORG with password.
Enter password:
kadmin: listprincs
K/M@WEDGIE.ORG
host/freebsd.wedgie.org@WEDGIE.ORG
...
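The clue is in the two lines "Connected to localhost." and "Server not found in Kerberos database": the client derives the service principal from the canonical name of the address it connected to, not from what you typed. The following is an added example, not code from the book, that models that derivation so you can check a name mapping before pointing a client at a server. It assumes the classic MIT client behaviour (forward lookup of the typed name, then reverse lookup of the address, with the result lower-cased), a "host/" service name as in the kadmin listing, and constructed resolver tables: the broken one maps freebsd to 127.0.0.1 as a plausible cause of the symptom shown, the fixed one uses a placeholder address 192.0.2.10.

```python
from dataclasses import dataclass

REALM = "WEDGIE.ORG"


@dataclass
class Resolver:
    """Stand-in for DNS or /etc/hosts: forward (name -> IP) and reverse (IP -> name)."""
    forward: dict
    reverse: dict


def canonical_hostname(name: str, resolver: Resolver) -> str:
    """Forward-resolve the typed name, then reverse-resolve the address, the way a
    classic MIT krb5 client (rdns = true) canonicalizes a hostname (assumed model)."""
    ip = resolver.forward.get(name.lower())
    if ip is None:
        raise LookupError(f"cannot resolve {name}")
    # If there is no PTR record, fall back to the name as typed.
    return resolver.reverse.get(ip, name).lower()


def service_principal(service: str, name: str, realm: str, resolver: Resolver) -> str:
    """The principal the client will ask the KDC for, e.g. host/freebsd.wedgie.org@WEDGIE.ORG."""
    return f"{service}/{canonical_hostname(name, resolver)}@{realm}"


def diagnose(service, name, realm, resolver, kdc_principals):
    """Return (requested principal, whether the KDC actually has it)."""
    princ = service_principal(service, name, realm, resolver)
    return princ, princ in kdc_principals


# Constructed data: the principals seen in the listprincs output above plus the user's.
KDC_PRINCIPALS = {"K/M@WEDGIE.ORG", "host/freebsd.wedgie.org@WEDGIE.ORG",
                  "jgarman@WEDGIE.ORG", "krbtgt/WEDGIE.ORG@WEDGIE.ORG"}

# Broken host: "freebsd" resolves to the loopback address, whose PTR is "localhost".
BROKEN = Resolver(forward={"freebsd": "127.0.0.1", "freebsd.wedgie.org": "127.0.0.1"},
                  reverse={"127.0.0.1": "localhost"})
# Fixed host: forward and reverse agree on the FQDN (192.0.2.10 is a placeholder).
FIXED = Resolver(forward={"freebsd": "192.0.2.10", "freebsd.wedgie.org": "192.0.2.10"},
                 reverse={"192.0.2.10": "freebsd.wedgie.org"})

if __name__ == "__main__":
    for label, r in (("broken", BROKEN), ("fixed", FIXED)):
        princ, ok = diagnose("host", "freebsd", REALM, r, KDC_PRINCIPALS)
        verdict = "found" if ok else "Server not found in Kerberos database"
        print(f"{label}: client requests {princ} -> {verdict}")
```

With the broken tables the client asks for host/localhost@WEDGIE.ORG, which the KDC does not have, reproducing the GSSAPI error; with the fixed tables it asks for the principal that kadmin lists.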

Get Kerberos: The Definitive Guide now with the O’Reilly learning platform.