
kinit(v5): Client not found in Kerberos database while getting initial credentials

I'm working on configuring SSO in OBIEE 11.1.1.7.14, where I'm facing an issue in the step of configuring krb5.conf and executing the kinit command.

A few notes regarding the Active Directory:

  • We have more than one domain controller, and to balance the requests we are maintaining a load balancer on port 3269.
  • The integration between OBIEE and MSAD has been done successfully, with the load balancer name as host and 3269 as port.
  • A few certificates have been added to demotrust.jks and to the OVD store, and SSL is enabled in the new provider.
  • The keytab file was generated and placed in the OBIEE domain home; krb5.conf and krb5Login.conf were modified accordingly.

I have created the keytab file and placed it in the OBIEE domain home, then modified krb5.conf by setting kdc to one of the IP addresses of the domain controllers and admin_server to the name of the domain controller. When executing

kinit -V -k -t /location/keytabfile.keytab HTTP/obiee_host_name

I got the error "kinit(v5): Client not found in Kerberos database while getting initial credentials". Please share your ideas/suggestions to solve this issue.

Thanks in advance.

Thanks, Michael-O, for your reply.

Before going to the solution, I would like to post some information regarding the kind of Active Directory server we have and the way we have connected to it.

We have an Active Directory server with 2 domain controllers. A load balancer on port 3269 is used to connect to Active Directory from OBIEE, and similar connections can be used in krb5.conf and wherever else required. Consider the base domain to be DOM1; all our groups are created under the sub-domain SUBDOM, so the SPN is set at SUBDOM.DOM1.COM.

Here are the suggestions we have followed to integrate AD with OBIEE and solve most of the kinit issues:

  1. Instead of specifying the principal name with the absolute path, just give it as account_name@FullyQualifiedDomainName.
  2. Changes in krb5.conf

    a) Since the attribute "crypto" was specified as "all" while creating the keytab and setting the SPN, all the encryption types present in the keytab file have to be listed in krb5.conf (default_tkt_enctypes and default_tgs_enctypes).

    b) Included the primary domain controller's IP address for the attribute kdc in the [realms] section; this is the same as Michael-O specified in point 2.

    c) In [domain_realm] of krb5.conf, keep .subdom.dom1.com = DOM1.COM.

    d) Include the host name of the load balancer in the admin_server attribute of the [realms] section in krb5.conf.

Once all the above changes are done, most of the kinit issues will be solved and the kinit command will execute successfully, creating the initial ticket in the desired directory.

Thanks.

First of all, this is Server Fault material.

  1. 3269 is not Kerberos; it is the SSL-backed global catalog. Pure LDAP, not Kerberos. Not interesting here.
  2. Do not put KDC IP addresses in krb5.conf; rather, rely on DNS SRV records, just like Windows does.
  3. You cannot kinit with an SPN. kinit expects a UPN (from AD) from the keytab, something like accountname$@EXAMPLE.COM if this is a machine account. Always remember: an SPN is always bound to some account, whether machine or functional.
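The following script is an added example and is not code from either post above. It puts the two answers together in working form: a krb5.conf generator that locates KDCs through DNS SRV records instead of a hard-coded domain controller IP (Michael-O's point 2) and lists every enctype the keytab carries (the asker's point 2a), plus a check of the keytab that separates the HTTP/ service principal from the account principal that kinit actually needs (Michael-O's point 3). The realm SUBDOM.DOM1.COM, the service account svc_obiee and the `klist` output are constructed assumptions; the keytab path is the one from the question. The error "Client not found in Kerberos database" is the KDC's KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN: the name kinit asked a TGT for has no client entry. One caveat when reading the keytab: ktpass with -mapuser normally rewrites the mapped account's userPrincipalName to the -princ value, so in that case the SPN-shaped name and the UPN coincide and the keytab may legitimately contain only HTTP/ entries.

```sh
#!/bin/sh
# Added example, not code from the original thread. Hypothetical names:
# realm SUBDOM.DOM1.COM, service account svc_obiee; keytab path from the
# question. The live part needs the MIT Kerberos client tools (klist, kinit).

REALM="SUBDOM.DOM1.COM"
KEYTAB="/location/keytabfile.keytab"

# Print a krb5.conf that follows the thread's advice: KDCs resolved from
# _kerberos._tcp.<domain> SRV records rather than a fixed DC IP, enctype lists
# that cover everything in the keytab, and a domain_realm mapping that sends
# the hosts carrying the SPN to the realm the SPN was registered in.
make_krb5_conf() {
    realm="$1"
    lower=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = true
    dns_lookup_realm = false
    # every enctype that "klist -e -kt" shows for the keytab must appear here;
    # drop rc4-hmac as soon as the keytab no longer carries arcfour-hmac keys
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac

[realms]
    $realm = {
        # no "kdc =" lines: found via DNS SRV, so all DCs are usable
        admin_server = $lower
    }

[domain_realm]
    .$lower = $realm
    $lower = $realm
EOF
}

# Constructed sample of "klist -e -kt" output (assumption, for offline use).
# The HTTP/ entries are the SPN; svc_obiee@REALM is the account that owns it.
SAMPLE_KLIST='Keytab name: FILE:/location/keytabfile.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/02/2024 10:11:12 HTTP/obiee.subdom.dom1.com@SUBDOM.DOM1.COM (aes256-cts-hmac-sha1-96)
   3 01/02/2024 10:11:12 HTTP/obiee.subdom.dom1.com@SUBDOM.DOM1.COM (arcfour-hmac)
   3 01/02/2024 10:11:12 svc_obiee@SUBDOM.DOM1.COM (aes256-cts-hmac-sha1-96)
   3 01/02/2024 10:11:12 svc_obiee@SUBDOM.DOM1.COM (arcfour-hmac)'

# Distinct principals in klist -kt output (columns: KVNO, date, time, principal).
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $4 }' | sort -u
}

# Distinct enctypes in klist -e -kt output (5th column, parenthesised).
keytab_enctypes() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 5 { gsub(/[()]/, "", $5); print $5 }' | sort -u
}

# The principal kinit can get a TGT for: the account name, i.e. the entry with
# no "/" in its name part. HTTP/host@REALM is a service name bound to that
# account; asking the KDC for a TGT under a name it has no client entry for is
# what produces "Client not found in Kerberos database".
account_principal() {
    keytab_principals | grep -v '/' | head -n 1
}

# Live run, only when invoked as:  sh example.sh --live
if [ "${1:-}" = "--live" ]; then
    make_krb5_conf "$REALM" > /tmp/krb5.conf.new
    export KRB5_CONFIG=/tmp/krb5.conf.new
    echo "enctypes in keytab (each must be listed in krb5.conf):"
    klist -e -kt "$KEYTAB" | keytab_enctypes
    principal=$(klist -kt "$KEYTAB" | account_principal)
    echo "requesting TGT for $principal"
    kinit -V -k -t "$KEYTAB" "$principal" && klist
fi
```

Run it with `--live` on the OBIEE host to write the config to /tmp, print the keytab's enctypes for comparison against the enctype lines, and attempt kinit as the account principal. If `account_principal` prints nothing, the keytab holds only the HTTP/ names; then the account's UPN is the name to try (see the ktpass caveat above), and `dig SRV _kerberos._tcp.subdom.dom1.com` should return the domain controllers before DNS-based KDC lookup can work.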
