I am having a problem with my server and so far couldn't find any solution for this. When I try to add a server from a server manager (windows server 2012) I can see only the kerberos security error. Both servers are in the same domain(i have tried from several servers from domain and got the same error).
The strange thing is when I unjoin the problematic server from domain and rejoin it with another name it works normally. But the problem is to make it work with existing name. Anyhelp will be highly appreciated
thanks in advance.
Late reply, but I've just encountered the same error and hope this solution proves useful to others.
Situation: I had to wipe and reinstall a virtual server on which I'd previously had to set some Service Principal Names, and some SPNs for a service account. Turns out the SPNs were still there for the old server/account and I had to remove them.
I recommend checking for and removing rogue SPNs to resolve this. Use the following commands in an elevated command prompt:
setspn -l <servername/username>
In my case I had problems with MBAM, the Bitlocker admin tool, so for example I used:
setspn -l mbam01
Which gave me the output (changed names to protect the innocent):
Registered ServicePrincipalNames for CN=MBAM01,OU=Member Servers,DC=corp,DC=domainname,DC=com:
termserv/mbam01.corp.domainname.com
termserv/mbam01
http/mbam01.corp.domainname.com
http/mbam01
HOST/MBAM01
HOST/mbam01.corp.domainname.com
This will list the SPNs associated with the server or user account. Then you remove the errant SPNs with this command:
setspn -d <listed service> <servername/username>
In my case it turned out the mbamapppool user had http/mbam01 and http/mbam01.corp.domainname.com associated with it, causing Server Manager to fail to poll the server. I removed the http/ refs from the user and then added them to the server with the following commands:
setspn -d http/mbam01 corp\mbamapppooluser
setspn -d http/mbam.corp.domainname.com corp\mbamapppooluser
setspn -s http/mbam01 mbam01
setspn -s http/mbam01.corp.domainname.com mbam01
I then refreshed Server Manager and it polled the server successfully, and the Kerberos Security Error had gone.
Related
I've got a macOS 10.13 server running, on which I have recently had to change the hostname (upstream IT requirements) - and I suspect this has broken Kerberos.
Changing the hostname appears to have been successful: I exported the Open Directory setup, modified it, and reimported it into the updated setup - user accounts exist, and manual authentication works as expected. changeip is happy:
mac-mini:~ server_admin$ sudo changeip -checkhostname
dirserv:success = "success"
However SSO from client machines does not appear to be successful.
Attempting to run kinit with a valid user account shows this:
mac-mini:~ server_admin$ kinit test#MAC-MINI.EXAMPLE.COM
test#MAC-MINI.EXAMPLE.COM's password:
kinit: krb5_get_init_creds: Server (krbtgt/MAC-MINI.EXAMPLE.COM#MAC-MINI.EXAMPLE.COM) unknown
Looking at /etc/krb5.conf, I only see this:
[libdefaults]
kdc_timeout=5
...which is the same as it was on my previously-working configuration.
And now I'm a bit stumped. All the documentation for destroying and rebuilding Kerberos setups seem to be out of date. Any ideas?!
Thanks.
I need to run curl commands from a Windows server to an API on a Linux box. When I am on my workstation I just run a kinit and give my user name and pwd for the Kerberos realm.
I have automated scripts in which I need to run a kinit before running the Powershell script. I do not want any manual intervention. I am trying to create a keytab file with my Kerberos account but it is not working -
I am receiving the error message "No key table entry found for user#domain.net while getting initial credentials.
I really don't understand much about Kerberos, and whether the process cares that I am on a Windows server tryng to use a keytab file for this purpose.
Can someone help? I have been going a bit nuts with this...
Thanks for any help!
Look into your keytab if the principal there is the one you are going to use. klist -k -t <keytab>
You are obviously doing wrong. You have to obtain a curl binary for Windows which says with curl --version:
curl 7.46.0 ...
Protocols: http https ...
Features: SSPI Kerberos SPNEGO ...
That's it. Enable SPNEGO auth with curl --negotiate -u : <URL> and you are done. No keytab necessary on Windows.
I have setup a new EC2 instance on AWS and I'm trying to get FTP working to upload my application. I have installed VSFTPD as standard, so I haven't changed anything in the config file (/etc/vsftpd/vsftpd.conf).
I have not set my port 21 in the security group, because I'm doing it through SSH. I log into my EC2 through termal like so
sudo ssh -L 21:localhost:21 -vi my-key-pair ec2-user#ec2-instance
I open up filezilla and log into local host. Everything goes fine until it comes to listing the directory structure. I can log in and right and everything seems fine as you can see below:
Status: Resolving address of localhost
Status: Connecting to [::1]:21...
Status: Connection established, waiting for welcome message...
Response: 220 Welcome to EC2 FTP service.
Command: USER anonymous
Response: 331 Please specify the password.
Command: PASS ******
Response: 230 Login successful.
Command: OPTS UTF8 ON
Response: 200 Always in UTF8 mode.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/"
Command: TYPE I
Response: 200 Switching to Binary mode.
Command: EPSV
Response: 229 Entering Extended Passive Mode (|||37302|).
Command: LIST
Error: Connection timed out
Error: Failed to retrieve directory listing
Is there something which I'm missing in my config file. A setting which needs to be set or turned off. I thought it was great that it connected but when it timed out you could picture my face. It meant time to start trawling the net try and find the answer! Now with no luck.
I'm using the standard Amazon AMI 64 bit. I have a traditional lamp setup.
Can anyone steer me in the right direction? I have read a lot about getting this working but they are all incomplete, as if they got bored half way through typing up how to do it.
I would love to hear how you guys do it as well. If it makes life easier. How do you upload your apps to a EC2 instance? (Steps please - it saves a lot of time plus it is a great resource for others.)
I figured it out, after the direction help by Antti Haapala.
You don't even need VSFTP setup on the instance created. All you have to do is make sure the settings are right in FileZilla.
This is what I did (I'm on a mac so it should be similar on windows):
Open up file zilla and go to preferences.
Under preferences click sftp and add a new key. This is your key pair for your ec2 instance. You will have to convert it to the format FileZilla uses. It will give you a prompt for the conversion
Click okay and go back to site manager
In site manager enter in your EC2 public address, this can also be your elastic IP
Make sure the protocol is set to SFTP
Put in the user name of ec2-user
Remove everything from the password field - make it blank
All done! Now connect.
That's it you can now traverse your EC2 system. There is a catch. Because you are logged in as ec2-user and not root you will not be able to modify anything. To get around this, change the group ownership of the directory where your application will lie (/var/www/html) or what ever. I would change it so it is on a EBS volume. ;) Also make sure this group has read write and execute permissions. The group for the ec2-user is ec2-user. Leave everyone else as nothing. So the command you use while logged in via ssh
sudo chgrp ec2-user file/folder
sudo chmod 770 file/folder
Hope this helps someone.
FTP is a very troublesome protocol because it requires a secondary pipe for the actual data transfer and does not definitely work well when piped. With ssh you should use SFTP which has nothing to do with FTP but is a completely different protocol.
Read also on Wikipedia
Adding the key to www is a recipe for disaster! Any minor issue with your app will become a security nightmare.
As an alternative to ftp, consider using rsync or a more "mature" deploy strategy based on capistrano for instance. There are plenty of tools for that around.
Antti Haapala's tips are the only way to work around with EC2 SFTP. It works just fine! Just note that you need to create the /var/www/.ssh/ folder and copy the authorized_keys file there.
After that you'll need to change authorized_keys ownership to www-data so ssh connection can recognize it. Amazon should let people know that. I looked for this in there forums, FAQ, etc. No clue at all... Cheers once more to stackoverflow, the way to go haha!
I am using SFTP client(WinSCP) to get into a remote server and retrieve some files. I could not get to the SFTP server when I use WinSCP in a Windows-7 machine; but it works good when I try it from an XP machine. Can anyone think of what might be wrong. Any help appreciated!
I am also including the error screenshot, if that helps
Can anyone please help!
This could be some problem with your firewall. Check it if you are blocking WinSCP.
Quoting WinSCP documentation on the error message Server unexpectedly closed network connection:
If you get this error message while connecting to your server, it is
most usually caused by the server not being able to run some process
necessary to support your session. Always try to connect with another
SSH (SFTP) client to find, if it is server or client related problem.
Possibilities are:
Shell.
Your account may not be allowed to start a shell at all. With some servers (like OpenSSH or Sun SSH), you may need to be allowed to
start a shell, even if using SFTP protocol.
Also some servers refuse to start a shell if your password has expired or your account was terminated.
Some shells do not work with non-interactive sessions. The same it true for some configurations (or profiles used) for otherwise
working shells. This commonly exhibits with SCP protocol with
associated error message "Error skipping startup message. Your shell
is probably incompatible with the application (BASH is recommended)."
Try to force bash shell explicitly on SCP/Shell page of Advanced Site
Settings dialog. Using SFTP protocol instead of SCP is another option.
OpenSSH server may fail to start shell when chroot is configured, but not possible (e.g. due to group writeable permissions
to chroot directory).
Some environments require specific permissions (e.g. 755) to files like .profile or .bashrc.
SFTP server.
Your account may not be able to start SFTP server binary (e.g. /bin/sftp-server) or the binary is not present on your server.
Your SSH server may also lack the SFTP subsystem.
SSH server:
Your SSH server, particularly OpenSSH, may not be able to access the server key files, due to an incorrect permissions.
psql mydb yields:
psql: could not connect to server: Permission denied
Is the server running locally and accepting
connections on Unix domain socket "/var/pgsql_socket/.s.PGSQL.5432"?
psql -h localhost mydb works just fine. pg_hba.conf looks like:
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
What up?
I had the exact same thing happen to me, presumably due to the conflicting version of psql (one from Lion, one from homebrew). While I still haven't been able to figure out how to make psql use the /tmp socket directory, I do have a work around.
Put the following in your .bashrc (or .zshrc, etc):
export PGHOST=/tmp
This sets the correct "host" back to the correct socket directory, without having to supply the -h flag
Probably psql and the server use a different location for the unix-domain socket.
( /var/pgsql_socket/ is a strange location) This can happen if you are mixing binaries from different packages.
Try to locate the socket ( /tmp/ is a good place to start) You can force psql to use a different directory by misusing the -h option:
psql -h /tmp/
It appears to be a reported defect.
This happened to me on OS X, and the problem was that /usr/bin/psql is what I was using, but postmaster was running from /Library/PostgreSQL/9.0. Using /Library/PostgreSQL/9.0/bin/psql (getting that into my PATH before all else) fixed the problem.
As other answers addressed other alternatives, I guess I could provide something about Mac OS X Server on Lion. I run into very similar issue - in my case even -h localhost didn't work as networking was disabled in PostregSQL which is by the way in many cases very good idea. The thing with Mac OS X Server is that it launches PostgreSQL server via launchd.
Some hints as you go around:
serveradmin service: postgres
launchd configuration file: /System/Library/LaunchDaemons/org.postgresql.postgres.plist
database folder: /var/pgsql
socket folder: /var/pgsql_socket
That configuration file overrides several configuration directives that can be found in postgresql.conf under database folder. Especially these two:
unix_socket_group
unix_socket_permissions
You can find that _postgres account is used to run the server and everything is also accessible if active user is member of _postgres group.
By running dscl . -read /Groups/_postgres GroupMembership you can see that by default that group has these members: _devicemgr _calendar _teamsserver _www
I guess you have two options. Add yourself to _postgres group or change launchd configuration plist file. The later is just plain text editing... But beware of security, because this way you'll be opening Server to whatever meets criteria you change (see the last paragraph).
The former can be done either via Server.app or via dscl command-line utility. The first option probably doesn't need anything to be added. Just make sure that you can see System Accounts (View -> Hide/Show System Accounts). I'm kind of CLI junkie so this should add your user to _postgres group:
sudo dscl . -append /Groups/_postgres GroupMembership $USER
Of course you should be careful what you run under your account then because you're giving access to you Mac OS X Server database back-end. So either secure you _postgres account or create separate user to manipulate your database or don't save anything private there.