you may need to generate a new keytab file for that user.
can you use kinit to see if the current keytab is still valid?
(something like kinit -k -t blappsvc.keytab blappsvc/blxfe01 )
I run the kinit command as follow:
kinit -k -t blappsvc.keytab blappsvc/blxfe01
and it returns the following:
root@blxfe01 br# kinit -k -t blappsvc.keytab blappsvc/blxfe01
kinit(v5): Cannot contact any KDC for requested realm while getting initial credentials
If it can be useful look also at this: when I try to connect to the AS via Config Manager I get a pop up window saying:
AD/Kerberos Authentication Failure
and the appserver.log says:
22 Oct 2008 11:08:31,181 AuthSvc-Thread-1 WARN :: Appserver No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
22 Oct 2008 11:08:31,190 AuthSvc-Thread-1 INFO :: Appserver user authentication failed: Pgrosso@WIND.ROOT.IT
22 Oct 2008 11:08:31,191 AuthSvc-Thread-1 INFO :: Appserver Connection closed
Also find attached the blappserv_krb5.conf and blappserv_login.conf
Thanks for any suggestion
i want to check that:
1 - you can still talk to the DC - can you telnet to port 88 on the DC (dcwriv01.WIND.ROOT.IT)?
2 - the keytab file is still valid:
linux and solaris are a little different - you want to copy the blappserv_krb5.conf to like /etc/krb5.conf or /etc/krb5/krb5.conf (make a backup of the original), and run that kinit command again. (you are supposed to be able to override the default location w/ the KRB5_CONFIG environment variable, but for some reason that doesn't always work)
it may be easier to just have the customer re-run the commands you ran to generate the keytab file. (the setspn and ktpass)
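The two checks above (KDC reachability and keytab validity) both hinge on which realm and KDC hosts the krb5.conf names, and on whether the principal given to kinit is exactly the one stored in the keytab. The following Python script is an added example, not code from this thread or from the application server's tooling; the krb5.conf contents and the klist outputs it embeds are constructed samples modelled on the hostnames in the thread, and the parser only understands the subset of krb5.conf syntax shown. It extracts the default realm and KDC list (the hosts to test on TCP/88), reads the principals out of either MIT or Java klist output, and classifies a requested principal as an exact match, a short-name/FQDN mismatch, or absent.

```python
"""Added example: cross-check a kinit principal against the keytab and krb5.conf."""
import re

# --- Constructed sample inputs (modelled on the thread, not its attachments) ---
KRB5_CONF = """\
[libdefaults]
    default_realm = WIND.ROOT.IT
    dns_lookup_kdc = false

[realms]
    WIND.ROOT.IT = {
        kdc = dcwriv01.WIND.ROOT.IT:88
        kdc = dcwriv02.WIND.ROOT.IT:88
        admin_server = dcwriv01.WIND.ROOT.IT
    }

[domain_realm]
    .wind.root.it = WIND.ROOT.IT
"""

# MIT `klist -kt` style output (constructed).
MIT_KLIST = """\
Keytab name: FILE:/usr/nsh/br/blappsvc.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------
   1 01/01/70 01:00:00 blappsvc/blxfe01.wind.root.it@WIND.ROOT.IT
"""

# Java `klist -k` style output (constructed).
JAVA_KLIST = """\
Key tab: /usr/nsh/br/blappsvc.keytab, 1 entry found.

Service principal: blappsvc/blxfe01.wind.root.it@WIND.ROOT.IT
Time stamp: Jan 01, 1970 01:00
"""

# A principal: name[/instance]@REALM. Good enough for both klist dialects.
PRINCIPAL_RE = re.compile(r"([A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)?@[A-Za-z0-9.-]+)")


def parse_krb5_conf(text):
    """Return (default_realm, {realm: [kdc_host, ...]}) from krb5.conf text.
    Minimal parser: [sections], key = value, and one level of { } blocks."""
    default_realm, kdcs, section, realm = None, {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
            continue
        if line == "}":
            realm = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if section == "libdefaults" and key == "default_realm":
            default_realm = value
        elif section == "realms":
            if value.startswith("{"):          # "REALM = {" opens a realm block
                realm = key
                kdcs.setdefault(realm, [])
            elif realm and key == "kdc":       # strip the :88 port suffix
                kdcs[realm].append(value.split(":")[0])
    return default_realm, kdcs


def principals_in_keytab(klist_output):
    """Principals listed by either MIT `klist -kt` or Java `klist -k`."""
    return set(PRINCIPAL_RE.findall(klist_output))


def split_principal(principal):
    name, _, realm = principal.partition("@")
    service, _, host = name.partition("/")
    return service, host.lower(), realm.upper()


def diagnose(requested, default_realm, keytab_principals):
    """Classify why `kinit -k -t keytab requested` might fail.
    Returns (status, entry): 'ok' (exact match), 'host-mismatch' (short host
    vs. FQDN, as in the thread) or 'missing' (no key for that principal)."""
    wanted = requested if "@" in requested else f"{requested}@{default_realm}"
    if wanted in keytab_principals:
        return "ok", wanted
    w_service, w_host, w_realm = split_principal(wanted)
    for entry in sorted(keytab_principals):
        e_service, e_host, e_realm = split_principal(entry)
        if (e_service, e_realm) != (w_service, w_realm):
            continue
        # Same service and realm; hosts differ only by the domain suffix.
        if e_host.split(".")[0] == w_host.split(".")[0]:
            return "host-mismatch", entry
    return "missing", None


if __name__ == "__main__":
    realm, kdcs = parse_krb5_conf(KRB5_CONF)
    print(f"default realm {realm}; test TCP/88 against: {', '.join(kdcs[realm])}")
    entries = principals_in_keytab(MIT_KLIST) | principals_in_keytab(JAVA_KLIST)
    for requested in ("blappsvc/blxfe01", "blappsvc/blxfe01.wind.root.it"):
        print(requested, "->", diagnose(requested, realm, entries))
```

Run it as-is to see the two outcomes side by side: the short hostname form reports `host-mismatch` and names the FQDN entry the keytab actually holds, which is the form kinit should be given. The KDC list it prints is the set of hosts whose port 88 should be reachable from the application server, so a telnet test against any other host proves nothing about the configured realm.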
I already tested the telnet connection on port 88 and it is ok.
Connected to dcwriv02.WIND.ROOT.IT (10.55.242.217).
Escape character is '^]'.
Connection closed by foreign host.
Also I copied the blappserv_krb5.conf (made also a backup) in /etc/krb5.conf and run the kinit test again. Now the output is the following:
kinit(v5): Client not found in Kerberos database while getting initial credentials
Also asked the Customer to regenerate the keytab file again, but it will take time.
oh - your kinit command should be like:
kinit -k -t /opt/nsh/br/blappsvc.keytab
kinit -k -t blappsvc.keytab blappsvc/blxfe01
do you have access to query AD to see if that user is still there? and that it's not disabled?
you may just need the new keytab file.
The user is ok.
The keytab file has been recreated but nothing changed.
I see there are two klist and kinit commands on my AS, and they give different outputs as you can see below. Which are the right ones?
Keytab name: FILE:/usr/nsh/br/blappsvc.keytab
KVNO Timestamp Principal
1 01/01/70 01:00:00 blappsvc/blxfe01.wind.root.it@WIND.ROOT.IT
Key tab: /usr/nsh/br/blappsvc.keytab, 1 entry found.
Service principal: blappsvc/blxfe01.wind.root.it@WIND.ROOT.IT
Time stamp: Jan 01, 1970 01:00
kinit(v5): Client not found in Kerberos database while getting initial credentials
Exception: krb_error 0 No supported key found in keytab for principal blappsvc/blxfe01@WIND.ROOT.IT No error
KrbException: No supported key found in keytab for principal blappsvc/blxfe01@WIND.ROOT.IT
at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
oh - so your user is really:
blappsvc/blxfe01.wind.root.it - i didn't see that.
make your kinit command like:
/usr/nsh/br/java/bin/kinit -k -t blappsvc.keytab blappsvc/blxfe01.wind.root.it
the 2 kinit/klist are the java versions and the OS version. as far as authenticating and listing they should work the same, even if the output is a little different.
Question: The AD is installed on a Win 2008 platform.
Could be it a problem?
it's possible - we have not done any testing against 2008 AD afaik.
In your telnet test above, you look to be using a different hostname than what is present in the blappserv_krb5.conf you attached to this thread. It's dcwriv02. (krb5.conf file)
If dcwriv01.WIND.ROOT.IT was correct, can you confirm you can telnet to that host, port 88, from blxfe01? Can you also check to see if there is not an entry in the /etc/hosts file for dcwriv01 which might be affecting your address lookup to be other than desired?
For that matter, what does "nslookup -type=srv _kerberos._tcp.WIND.ROOT.IT" yield from blxfe01?