I'm working on configuring SSO in OBIEE 11.1.1.7.14, where I'm facing an issue in the step of configuring krb5.conf and executing the kinit command.
A few notes regarding the Active Directory:
I have created the keytab file and placed it in the OBIEE domain home, then modified the krb5.conf, setting kdc to one of the IP addresses of the domain controller and admin_server to the name of the domain controller. While executing
kinit -V -k -t /location/keytabfile.keytab HTTP/obiee_host_name
I got the error "kinit(v5): Client not found in Kerberos database while getting initial credentials". Please share your ideas/suggestions to solve this issue.
Thanks in advance.
Thanks, Michael-O, for your reply.
Before going to the solution, I would like to post some information regarding the kind of Active Directory server and the way we have connected to it.
We have an Active Directory server with 2 domain controllers. A load balancer on port 3269 is used to connect to Active Directory from OBIEE, and similar connections can be used in the krb5.conf and wherever required. Consider the base domain as DOM1, with all our groups created under the sub-domain SUBDOM, so the SPN is set at SUBDOM.DOM1.COM.
Here are the few suggestions we have followed to integrate AD with OBIEE and solve most of the kinit issues:
Changes in krb5.conf
a) Since the attribute "crypto" is specified as "all" while creating the keytab and setting the SPN, all the encryption types present in the keytab file have to be mentioned in the krb5.conf (default_tkt_enctypes and default_tgs_enctypes).
b) Include the primary domain controller IP address for the attribute kdc in the [realms] section; this is the same as Michael-O specified in point 2.
c) In [domain_realm] of krb5.conf, keep .subdom.dom1.com = DOM1.COM.
d) Include the host name of the load balancer in the admin_server attribute of the [realms] section in krb5.conf.
Once all the above changes are done, most of the kinit issues will be solved and the kinit command will execute successfully, creating the initial ticket in the desired directory.
Thanks.
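As an added illustration, not the poster's own file, here is a krb5.conf assembled from steps a) to d) above. The domain controller IP address, the load balancer host name and the realm name chosen as default_realm are placeholders/assumptions, and the encryption type list must be replaced with exactly what `klist -k -e` reports for the keytab.

```ini
# Constructed example krb5.conf following steps a) to d) of the thread; not the poster's file.
# Placeholders: 10.0.0.10 (primary DC address), adlb.dom1.com (load balancer host name).
# default_realm is assumed from the [domain_realm] mapping given in step c).
[libdefaults]
    default_realm = DOM1.COM
    # a) list every encryption type that is actually present in the keytab;
    #    check with: klist -k -e -t /location/keytabfile.keytab
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    # kdc is given explicitly below, so do not rely on DNS SRV lookups
    dns_lookup_kdc = false
    ticket_lifetime = 24h

[realms]
    DOM1.COM = {
        # b) primary domain controller IP address
        kdc = 10.0.0.10
        # d) host name of the load balancer in front of the domain controllers
        admin_server = adlb.dom1.com
    }

[domain_realm]
    # c) map hosts in the sub-domain (where the SPN lives) to the realm
    .subdom.dom1.com = DOM1.COM
    subdom.dom1.com = DOM1.COM
```

After saving the file, rerun the kinit command from the first post and confirm the issued ticket with klist.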