Kerberos Client not found in kerberos database

Submitted by 不羁岁月 on 2019-12-11 06:18:43

Question


I've been running the following commands on W12 Server :-

setspn -A HTTP/ krbspn

ktpass /princ HTTP/@ /crypto ALL /ptype krb5_nt_principal /mapuser krbspn c:\ticket\krbspn.keytab -kvno 0 /pass Pa$$w0rd

and kinit krbspn gives the correct result, however kinit HTTP/ returns :-

KrbException: Client not found in Kerberos database (6)
    at sun.security.krb5.KrbAsRep.(KrbAsRep.java:76)
    at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:319)
    at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364)
    at sun.security.krb5.internal.tools.Kinit.(Kinit.java:221)
    at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
    at sun.security.krb5.internal.ASRep.init(ASRep.java:65)
    at sun.security.krb5.internal.ASRep.(ASRep.java:60)
    at sun.security.krb5.KrbAsRep.(KrbAsRep.java:60)
    ... 4 more

I have already checked forward and reverse DNS and they are working fine.

Fun fact :-

I had used these exact commands with the same SPN name on this same machine and everything was working fine for months. But 2 days back just to demo I did :-

setspn -D HTTP/ krbspn

and then did the above commands again, and now it's broken :-(

Any help is appreciated..

Thanks, Nikhil


Answer 1:


  1. setspn -A HTTP/ krbspn has a gap of whitespace after / and before krbspn. There must not be any gap there.
  2. In ktpass /princ HTTP/@ /crypto ALL, there must be some kind of hostname specified after HTTP/ and before @, preferably a fully-qualified DNS name.
  3. kinit HTTP/ by itself will always fail because the SPN argument is incomplete; you must have some kind of hostname following HTTP/ or else lookups into the KDC won't find anything.

For an example of how to run the ktpass command, refer to this link: Kerberos Keytabs – Explained. The example ktpass command is down towards the bottom of the article. If you follow this, the SPN and keytab will be correctly built, and if you followed everything else correctly, Kerberos authentication will be successful.
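
The three points in the answer, applied as one PowerShell sequence. This is an added example, not part of the original answer or the linked article; the hostname web01.example.com and realm EXAMPLE.COM are placeholder assumptions, and the `/out` switch and the `/pass *` prompt are choices made here.

```powershell
# Placeholder values (assumptions, not from the original post): replace with your own.
$HostFqdn = 'web01.example.com'        # fully-qualified DNS name of the service host
$Realm    = 'EXAMPLE.COM'              # Kerberos realm (AD domain name, upper case)
$Account  = 'krbspn'                   # service account named in the question
$Keytab   = 'C:\ticket\krbspn.keytab'  # keytab path named in the question

$Spn       = "HTTP/$HostFqdn"          # point 1: no whitespace inside the SPN
$Principal = "$Spn@$Realm"             # point 2: hostname between "HTTP/" and "@"

# Stop before touching the directory if the SPN has an empty host part
# or embedded whitespace, the two malformed shapes the answer calls out.
if ($Spn -notmatch '^[A-Za-z]+/[A-Za-z0-9.-]+$') {
    throw "Malformed SPN '$Spn': expected service/hostname with no whitespace"
}

# Register the SPN on the account; -S checks for a duplicate before adding.
setspn -S $Spn $Account

# Verify: list the SPNs on the account, then confirm the SPN is found in the directory.
setspn -L $Account
setspn -Q $Spn

# Build the keytab. '/pass *' prompts for the password so it does not
# end up on the command line or in shell history.
ktpass /princ $Principal /mapuser "$Account@$Realm" /crypto ALL `
       /ptype KRB5_NT_PRINCIPAL /pass '*' /out $Keytab

# Point 3: request a ticket with the complete principal name, using the keytab
# (Java kinit, as in the question).
kinit -k -t $Keytab $Principal
```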



Source: https://stackoverflow.com/questions/41255238/kerberos-client-not-found-in-kerberos-database
