2 Replies Latest reply on Jun 14, 2012 5:46 AM by Monoj Padhy

    Getting error while verifying keytab in BBSA 8.0

      Hi All,

       

      Can anyone provide me the correct contents of the blappserv_krb5.conf file for AD integration with BBSA?

      I'm getting an error while verifying the keytab file on page no. 175 of BMCBladeLogicAdministration.pdf for 8.0

      host name = com

      domain = company.com

       

      I have done the below steps while verifying a keytab file:

      1. copied the contents of blappserv_krb5.conf into %WINDIR%\krb5.ini file

      Original:

      [libdefaults]

      ticket_lifetime = 6000

      default_realm = SERVICE_PRINCIPAL_REALM

      [realms]

      SERVICE_PRINCIPAL_REALM = {

      kdc = SERVICE_PRINCIPAL_REALM_KDC:88

      }

      [domain_realm]

      .SERVICE_PRINCIPAL_DOMAIN = SERVICE_PRINCIPAL_REALM

      I created:

      [libdefaults]

      ticket_lifetime = 6000

      default_realm = COMPANY.COM

      [realms]

      COMPANY.COM = {

      kdc = COM:88

      }

      [domain_realm]

      .company.com = COMPANY.COM

      2. Identify the service account name from the keytab file: installDirectory\jre\bin\klist -k -t <keytabfile location>

      Output:

      Key tab: C:\Program Files\BMC Software\BladeLogic\8.0\NSH\br\blauthsvc.keytab, 1 entry found

      [1] Service Principal: blauthsvc/COM@COMPANY.COM

           KVNO: 3

           Time stamp: Jan 01, 1970 05:30

      3. Authenticate to Active Directory: installDirectory\jre\bin\kinit -k -t <keytabFile location> blauthsvc/COM@COMPANY.COM

      In the 3rd step I'm getting the following error:

      Exception: krb_error 0 Cannot get kdc for realm COMPANY.COM No error

      KrbException: Cannot get kdc for realm COMPANY.COM

           at sun.security.krb5.KrbKdcReq.send(Unknown Source)

           at sun.security.krb5.KrbKdcReq.send(Unknown Source)

           at sun.security.krb5.internal.tools.Kinit.sendASRequest(Unknown Source)

           at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)

           at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)

      Thanks in advance.

      regards,

      samsung

        • 1. Getting error while verifying keytab in BBSA 8.0
          Joshua Skirde

          Hi,

           

          It looks to me that it can't resolve the KDC COMPANY.COM. Have you tried doing the following (from the administration guide):

              nslookup -type=srv _kerberos._tcp.COMPANY.COM

          If this doesn't return a value then you have a name resolution issue; check your DNS or hosts file.

          If it does return then I would check to see that you can contact port 88 on your COM server i.e. telnet COM 88

           

          Kind regards,

          Joshua

          1 of 1 people found this helpful
          • 2. Re: Getting error while verifying keytab in BBSA 8.0
            Monoj Padhy

            Hi Samsung,

             

            Try using something like this. You are probably getting this error due to an encryption issue.

             

            krb5.ini


            [libdefaults]

            ticket_lifetime = 6000

            default_realm = COMPANY.COM

            default_tkt_enctypes = des-cbc-crc rc4-hmac
            default_tgs_enctypes = des-cbc-crc rc4-hmac

            [realms]

            COMPANY.COM = {

            kdc = COM:88

            }

            [domain_realm]

            .company.com = COMPANY.COM

             

            Regards,

            blsad

            1 of 1 people found this helpful
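
A scripted form of the checks discussed in this thread, added here as an example and not part of any post or of BMC's tooling: it parses a krb5.ini, reports which KDC is configured for the default realm, and offers a TCP connect test equivalent to `telnet COM 88`. `SAMPLE` is built from the values posted in the question, and the function names are made up for this example.

```python
import socket

# Added example, illustrative names. SAMPLE is constructed from the question's krb5.ini.
SAMPLE = """\
[libdefaults]
ticket_lifetime = 6000
default_realm = COMPANY.COM
[realms]
COMPANY.COM = {
kdc = COM:88
}
[domain_realm]
.company.com = COMPANY.COM
"""

def parse_krb5(text):
    """Return (default_realm, {realm: [(kdc_host, port), ...]})."""
    kdcs, section, realm, default_realm = {}, None, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].lower(), None   # new section header
        elif line == "}":
            realm = None                                # end of a realm block
        elif "=" in line and line[0] not in "#;":       # skip comment lines
            key, value = map(str.strip, line.split("=", 1))
            if section == "libdefaults" and key == "default_realm":
                default_realm = value
            elif section == "realms" and value.startswith("{"):
                realm = key                             # "REALM = {" opens a block
            elif section == "realms" and realm and key == "kdc":
                host, _, port = value.partition(":")
                kdcs.setdefault(realm, []).append((host, int(port or 88)))
    return default_realm, kdcs

def config_findings(text):
    """Static checks on the default realm's KDC entries."""
    default_realm, kdcs = parse_krb5(text)
    entries = kdcs.get(default_realm, [])
    if not entries:
        return [f"no kdc listed for default realm {default_realm}"]
    return [f"{host}: single-label KDC name, confirm it resolves (DNS or hosts file)"
            for host, _ in entries if "." not in host]

def kdc_reachable(host, port, timeout=3.0):
    """TCP connect check, the scripted form of 'telnet COM 88'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Run `config_findings` on the contents of `%WINDIR%\krb5.ini`, then call `kdc_reachable` for each host and port that `parse_krb5` returns for the default realm.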