Problem:

I am working on configuring SSO in OBIEE, and I am facing an issue in the step where I configure my krb5.conf and execute a kinit command.

A few notes regarding Active Directory:

· We have more than one domain controller, and to balance requests we are maintaining a load balancer on port 3269.

· The integration between OBIEE and MSAD was done successfully, with the load balancer name as host and 3269 as port.

· A few certificates have also been added to demotrust.jks and to the OVD store, and SSL is enabled in the new provider.

· The keytab file was generated and placed in the OBIEE domain home, and the krb5.conf and krb5Login.conf files were modified accordingly.

I have created my keytab file and placed it in my OBIEE domain home, then modified my krb5.conf by setting kdc to the IP address of one of the domain controllers and admin-server to the name of a domain controller. While executing

kinit -V -k -t /location/keytabfile.keytab HTTP/obiee_host_name

I encountered the error "kinit(v5): Client not found in Kerberos database while getting initial credentials". Kindly share your ideas or suggestions to solve the above issue.

1 Answer

Solution:

 First of all, this is the serverfault.

  1. 3269 is not Kerberos; this is the SSL-backed global catalog. Pure LDAP, not Kerberos. Not interesting here.
  2. Do not put KDC IP addresses in krb5.conf, but rather rely on DNS SRV records, just like Windows does.
  3. You cannot kinit with the SPN. kinit expects the UPN (from AD) from a keytab. Something like accountname$@EXAMPLE.COM if this is the machine account. Always remember, the SPN is always bound to some account, whether it is a machine or functional.
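Added example, not part of the original answer: a krb5.conf sketch of the second point, showing the pinned-KDC layout from the question beside a DNS-based one. The realm EXAMPLE.COM is taken from the answer's sample principal; the IP address, host name and domain mapping are constructed placeholders.

```ini
# BEFORE (layout described in the question): one domain controller is pinned
# by IP address, so every Kerberos request depends on that single host.
# 192.0.2.10 and dc01.example.com are constructed placeholders.
#
# [realms]
#     EXAMPLE.COM = {
#         kdc = 192.0.2.10
#         admin_server = dc01.example.com
#     }

# AFTER: no kdc entries. The client locates domain controllers through the
# _kerberos._udp.EXAMPLE.COM and _kerberos._tcp.EXAMPLE.COM SRV records that
# Active Directory publishes in DNS. Kerberos runs on port 88; the LDAP load
# balancer on 3269 is not involved.
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
    dns_lookup_realm = false

[domain_realm]
    # Assumed mapping: the AD DNS domain is example.com.
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

With this in place, the third point still applies: the principal passed to kinit is the account's UPN (the answer's `accountname$@EXAMPLE.COM` form), not the HTTP/... SPN.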
