GSSAPI Error - Miscellaneous failure - ldap - krbtgt
Hello,
So I don't know too much about managing and maintaining a network, but I know 1000 times more than everyone I work with. So I got the "IT Guy" title pushed on me. So I was looking at the server logs and there is a message that shows up every minute. And every minute the message displays about 10 times.
2/8/13 12:15:53.844 PM slapd: GSSAPI Error: Miscellaneous failure (see text (Server (krbtgt/[email protected]) unknown while looking up 'ldap/[email protected]' (cached result, timeout in 1200 sec))
Also in the slapd.log this message shows up over and over. I don't know if they are related, but they could be.
Feb 8 12:18:56 sol slapd[49440]: do_syncrepl1: client_connect failed (-1)
Feb 8 12:18:56 sol slapd[49440]: slap_client_connect: URI=ldap://marvin.multi-tek.com:389 ldap_sasl_interactive_bind_s failed (-2)
I've searched and searched for an answer here and other places, but no one seems to have the same problem. I don't even know if this is a problem although I don't think this should be happening. Everything seems to be working okay. We have 2 servers running Lion. Let me know what else you need to know.
Thanks for looking.
Solved the problem by myself
- Disable the automatic recognition of the account settings-
Similar Messages
-
For an IMAP SSL account, I see the following error in the log every time mail.app checks for new mails:
23.03.15 09:06:12.782 Mail[5620]: Failed a step of SASL authentication
SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text (No credentials cache file found)
New mails are shown but it takes quite long until they are fetched. These error lines show up several times.
What causes these errors?
Andy Brunner
Solved the problem by myself
- Disable the automatic recognition of the account settings- -
SASL(-1): generic failure: GSSAPI Error. No Credentials Cache Found
When I try to use any ldap command line utilities on my Xserve dual G5 running OS X Server 10.4.11, I get any number of errors including:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No credentials cache found)
If I run kadmin, or klist as super user I get the same error or similar error
If I run kdelete and then kinit I don't get an error message, but I still can't log in using the directory administrator account, or even root if I enable the root account.
The Server Admin tool shows that Kerberos is running and it appears to be working on all the clients on the network (OS X 10.3 and 10.4), but I just can't use the command line. This is frustrating because there are a number of batch tasks I prefer doing with the command line such as ldapadd and ldapmodify. The only command line utility for LDAP that does seem to work is slapcat. Workgroup Admin works as does phpldapadmin.
Any ideas?
Message was edited by: Christopher Dart
Solved the problem by myself
- Disable the automatic recognition of the account settings- -
Hello All
I've had a problem logging in on my MacServer since yesterday, when we got a new connection and I had to change my DNS configuration.
No one can log in, and in the logs I got these error messages
To give a brief explanation about the problem, the server has 3 network interfaces 1 for external access (internet) and 2 for our internal networks. So with the new internet connection I had to change the external interface's IP address. So I've also changed it on the DNS (as you can see on the log before it was 172.16.XX.XX). But after that nobody can login.
System Log
DirectoryService[61]: GSSAPI Error: Miscellaneous failure (Server not found in Kerberos database)
Kdc Log
Jun 18 10:50:09 server.domain.com krb5kdc[242](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 81.145.128.82: ISSUE: authtime 1213782609, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
Jun 18 10:50:10 server.domain.com krb5kdc[242](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 81.145.128.82: UNKNOWN_SERVER: authtime 1213779829, [email protected] for ldap/[email protected], Server not found in Kerberos database
Kadmin command
sudo kadmin.local -q listprincs | grep ldap
ldap/[email protected]
My DNS Zone
$TTL 86400
domain.com. IN SOA server.domain.com. sysadmin.domain.co.uk. (
2008061818 ; serial
3h ; refresh
1h ; retry
1w ; expiry
1h ) ; minimum
domain.com. IN NS server.domain.com.
domain.com. IN A 99.99.999.99
server IN A 99.99.999.99
Inside my /Library/Preferences I've got 2 edu.mit.Kerberos files
edu.mit.Kerberos
edu.mit.Kerberos.UrLRdkjIuH7V7yG2QuH8e
One of them (the UrL*) is empty; the other one has this configuration:
# WARNING This file is automatically created, if you wish to make changes
# delete the next two lines
# autogenerated from : /LDAPv3/127.0.0.1
# generation_id : 1093139664
[libdefaults]
default_realm = SERVER.DOMAIN.COM
[realms]
SERVER.DOMAIN.COM = {
kdc = server.domain.com
admin_server = server.domain.com
[domain_realm]
domain.com = SERVER.DOMAIN.COM
.domain.com = SERVER.DOMAIN.COM
[logging]
admin_server = FILE:/var/log/krb5kdc/kadmin.log
kdc = FILE:/var/log/krb5kdc/kdc.log
I've read all the topics about it but till now I couldn't solve my problem.
Is anyone able to help me?
Thanks
-
GSSAPI Error: Server not found in Kerberos database
Hi all
For about 3 days I'm now seeing this error message in system.log every 3 minutes:
DirectoryService: GSSAPI Error: Miscellaneous failure (Server not found in Kerberos database)
This happens on a fileserver which is connected to an OD server.
I did a search in this forum and found one thread about it. The advice there was to look in kdc.log to see which principal is failing - but I don't have a kdc.log. The other tip was to use kadmin to get a list of the principals by using
kadmin.local -q listprincs
but what I get instead of this list is:
Authenticating as principal xyz/[email protected] with password.
kadmin.local: No such file or directory while initializing kadmin.local interface
It seems that some file is missing, which would explain why DirectoryService can't find the server in the database... I have to confess that I have no idea as to how Kerberos works or how to configure it.
Authentication against the OD server is working fine, it's just that the errors in the log are getting on my nerves, and they make it difficult to find other, more important messages in system.log.
Thanks, Tina
Ah, I see, the kdc.log is on the OD server, not on
the file server where I was looking for it.
OK, in the kdc logfile I have a lot of entries like
these ones:
Kerberos is an auth system where the user authenticates to the kdc and is issued a TGT (Ticket Granting Ticket). The user then presents their TGT and a service principal (Kerberos name of a server) to the kdc to get a service ticket. The user then sends the service ticket to the server who lets the user in.
Some interpretation:
Mar 22 09:18:35 zool09.abc.xy krb5kdc[218](info):
TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.23:
UNKNOWN_SERVER: authtime 1143003387,
[email protected] for krbtgt/[email protected],
Server not found in Kerberos database
This (TGS_REQ) is request for a service ticket from 130.60.23.23 using the
TGT owned by [email protected], to get a service ticket for
krbtgt/[email protected]. It looks like krbtgt/[email protected] is not in your kdc's database. This looks like a cross realm request.
If you are also connected to an active directory system you might see something like this.
Mar 22 09:19:20 zool09.abc.xy krb5kdc[218](info):
AS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.11:
NEEDED_PREAUTH: [email protected] for
krbtgt/[email protected], Additional
pre-authentication required
Mar 22 09:19:20 zool09.abc.xy krb5kdc[218](info):
AS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.11:
ISSUE: authtime 1143015560, etypes {rep=16 tkt=16
ses=16}, [email protected] for
krbtgt/[email protected]
The AS_REQ's above are the two step authentication process for user [email protected] from 130.60.23.11.
Mar 22 09:19:20 zool09.abc.xy krb5kdc[218](info):
TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.11:
UNKNOWN_SERVER: authtime 1143001370,
[email protected] for
krbtgt/[email protected], Server not
found in Kerberos database
This is another service ticket request. Though the requested service principal looks malformed, I would look for something misconfigured on 130.60.23.11.
Possibly watch what user zds01 is doing during login to get some idea of what's going on.
Mar 22 09:19:20 zool09.abc.xy krb5kdc[218](info):
TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.11:
UNKNOWN_SERVER: authtime 1143001370,
[email protected] for
krbtgt/[email protected], Server not found
in Kerberos database
Same as above.
What do they mean? I didn't set up Kerberos
authentication, I think I don't need it, is there any
way to disable it? Or am I using it without knowing
it??
When you set up the OD Master, a kdc & the needed files were set up to allow single sign on to all the kerberized services in the system.
- see if you have an
/Library/Preferences/edu.mit.Kerberos file
- Also look for an /etc/krb5.keytab file
Yes, I have both of them.
kadmin.local -q listprincs on the OD server gives me
a long list of computers, users and services like
this:
I don't know what these all mean... could you give me
a brief explanation?
[email protected]
When you create a computer record in Workgroup Manager a generic principal name is added to the kdc for that computer. It is related to the host/computer_name@REALM service principal for servers.
[email protected]
This is a user principal (this is the account name for the user in the Kerberos system). Sometimes you will see user/admin@REALM.
afpserver/[email protected]
This is a service principal. They usually are in the form servicetype/server_dnsname@REALM
One of the things that Kerberos is very sensitive to is correct DNS configuration. You need to have both forward (name -> IP) and reverse (IP -> name) DNS set up for all the servers in your realm.
Hope this helps
- Leland
DP G4 Mac OS X (10.4.5) -
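The kdc.log reading described in the reply above can be automated. The following is an added example, not part of the original posts: it parses krb5kdc lines in the layout quoted in this thread, groups the UNKNOWN_SERVER ticket requests by client, and compares each requested service with a principal list such as the one `kadmin.local -q listprincs` prints. The host names, realm, addresses and log lines are constructed sample values.

```python
import re
from collections import Counter

# Request-line layout taken from the kdc.log excerpts quoted in this thread.
KDC_LINE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) \(.*?\) "
    r"(?P<ip>[0-9.]+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, )?(?:etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<service>[^,\s]+)"
)

def split_principal(principal):
    """Split 'primary/instance@REALM' into (primary, instance, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep:                      # no realm part present
        name, realm = principal, ""
    primary, _, instance = name.partition("/")
    return primary, instance, realm

def diagnose(service, known_principals):
    """Explain why the KDC could not find the requested service principal."""
    primary, instance, realm = split_principal(service)
    if primary == "krbtgt" and instance != realm:
        return "cross-realm TGT request for realm %s; check the client's realm mapping" % instance
    same_type = sorted(p for p in known_principals if split_principal(p)[0] == primary)
    if same_type:
        return "host name mismatch; KDC has %s (check forward/reverse DNS)" % ", ".join(same_type)
    return "service principal missing from the KDC database"

def unknown_server_report(log_lines, known_principals):
    """Group failed TGS_REQ lines by (client IP, client, requested service)."""
    counts = Counter()
    for line in log_lines:
        m = KDC_LINE.search(line)
        if m and m.group("req") == "TGS_REQ" and m.group("status") == "UNKNOWN_SERVER":
            counts[(m.group("ip"), m.group("client"), m.group("service"))] += 1
    return [
        {"ip": ip, "client": client, "service": service, "count": n,
         "diagnosis": diagnose(service, known_principals)}
        for (ip, client, service), n in counts.most_common()
    ]

# Constructed sample data (not taken from any real server).
_HDR = "Jun 18 10:50:10 server.example.org krb5kdc[242](info): "
_ET = "(7 etypes {18 17 16 23 1 3 2}) "
_TGT = "krbtgt/EXAMPLE.ORG@EXAMPLE.ORG"
_NOTFOUND = ", Server not found in Kerberos database"
SAMPLE_LOG = [
    _HDR + "AS_REQ " + _ET + "192.0.2.10: NEEDED_PREAUTH: alice@EXAMPLE.ORG for "
    + _TGT + ", Additional pre-authentication required",
    _HDR + "AS_REQ " + _ET + "192.0.2.10: ISSUE: authtime 1213782609, "
    "etypes {rep=16 tkt=16 ses=16}, alice@EXAMPLE.ORG for " + _TGT,
    _HDR + "TGS_REQ " + _ET + "192.0.2.10: UNKNOWN_SERVER: authtime 1213782609, "
    "alice@EXAMPLE.ORG for ldap/old.example.org@EXAMPLE.ORG" + _NOTFOUND,
    _HDR + "TGS_REQ " + _ET + "192.0.2.10: UNKNOWN_SERVER: authtime 1213782609, "
    "alice@EXAMPLE.ORG for ldap/old.example.org@EXAMPLE.ORG" + _NOTFOUND,
    _HDR + "TGS_REQ " + _ET + "192.0.2.11: UNKNOWN_SERVER: authtime 1213779829, "
    "bob@EXAMPLE.ORG for krbtgt/ORG@EXAMPLE.ORG" + _NOTFOUND,
]
KNOWN_PRINCIPALS = {"ldap/server.example.org@EXAMPLE.ORG", _TGT}

if __name__ == "__main__":
    for row in unknown_server_report(SAMPLE_LOG, KNOWN_PRINCIPALS):
        print("%(count)dx %(ip)s %(client)s -> %(service)s: %(diagnosis)s" % row)
```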
I've been getting lots of GSSAPI errors when clients connect via VPN. When clients are connected via VPN DNS doesn't resolve correctly and stability is poor.
From system.log:
Jun 26 08:14:39 myservername DirectoryService[60]: GSSAPI Error: Miscellaneous failure (Server not found in Kerberos database)
From kdc.log:
Jun 26 08:14:42 FQDN krb5kdc[276](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.0.4: UNKNOWN_SERVER: authtime 1182832508, MyVPNClient@FQDN for krbtgt/PPS.COM@FQDN, Server not found in Kerberos database
I see this odd entry when I do a kadmin.local -q listprincs:
vpn/fqdn@FQDN
vpn_28e90fc33eff@FQDN
The second entry seems wrong. Would it be safe to delete it?
I have so far tried rebuilding the entire server from scratch, demoting Open Directory to Standalone then repromoting back to Open Directory Master. I also tried the procedure in this thread:
http://discussions.apple.com/thread.jspa?messageID=4240563
Nothing is working!
Thanks!
Mac OS X (10.4)
Hi iGary
Except it did appear on a mobile client when
attempting to bind to the OS X Server directory. This
mobile client was bound to an Active Directory, so I
forcibly unbound it and deleted all Kerberos and
DirectoryService preferences. Now I'm running well.
I don’t see why not, it can’t hurt.
Good luck – Tony -
Yosemite Server Mail GSSAPI Error
Since upgrading client machines to Yosemite, connecting to mac mini server running Yosemite (server v4), I'm seeing this error in the client main log file:
22/10/2014 12:43:56.579 Mail[7452]: GSSAPI Error: Miscellaneous failure (see text (No credentials cache file found (negative cache))
22/10/2014 12:43:56.579 Mail[7452]: Failed to start the SASL connection
SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text (No credentials cache file found (negative cache))
Has anyone else seen this or have any thoughts as how to proceed? Thanks a lot for any pointers in the right direction.
(ps mail is being sent and received)
Hi,
Maybe it helps or not: I solved another performance problem, which is more related to the mailbox speed, but this error on the client side is gone afterwards:
In Yosemite there is still also a problem with the automatic settings detection in Mail.
That means that the application tries to find a working authentication mechanism in combination with different ports and encryption.
So far so good, this feature would be okay, but the application never stops doing that. So we are briefly connected but the connection becomes invalid again.
This leads to performance issues and the application becomes very slow!
If you check your client log file, maybe you can see some "Failed to start the SASL connection" issues (coming from Mail.app).
In case you are running an OS X Server which is used by Mail, you will see various login failures in /var/log/mail* /Library/Logs/mail*. In case you have enabled the Adaptive Firewall, it can happen that your IP is blocked for 15 minutes.
Of course this need not be an issue for everyone; I believe it strongly depends on which auth. stuff your email server / provider supports or has enabled.
To solve it:
1.) Open the Mail Preferences
2.) Go to "Accounts" and select your Provider/Account
3.) Click Enhanced (the last right tab)
4.) Disable the automatic settings detection (first checkbox)
5.) In case you didn't enable "MailDrop"
This works in Mail 8.1 on Yosemite 10.10.1 -
Hush now slapd.log GSSAPI Errors
I think we got the GSSAPI errors showing up repeatedly in our slapd.log to go away by stripping out then replacing the LDAP KDC principal and key. Here's how if you'd like to try (at your own risk):
Remove the LDAP service principal:
sudo kadmin.local -q 'delprinc ldap/<FQDN>'
Remove the principal key from the keytab:
sudo kadmin.local -q 'ktrem ldap/<FQDN>'
Create a fresh LDAP service principal:
sudo kadmin.local -q 'addprinc -randkey ldap/<FQDN>@<REALM>'
Import the new principal key into the keytab file:
sudo kadmin.local -q 'ktadd ldap/<FQDN>@<REALM>'
Reboot when convenient. Reloading the slapd didn't seem to enable this
fix. I did not try reloading both slapd and the krb5kdc.
(FQDN = Fully Qualified Domain Name. Yes I know you know, but there will be somebody that will message me asking what it means)
We're seeing them on just about all of our Tiger servers. We are or were having stability issues and this was one of the odd activities taking place. I felt that it was better to clear these just in case they were playing a role in the instability.
The cause could be that there is something wrong with Apple's integration of OpenLDAP with Kerberos. Somehow OpenLDAP isn't happy with the LDAP principal and key within Kerberos. Refreshing it manually with these commands sorted it. -
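A check to run after the principal refresh in this thread, given as an added example rather than code from the original posts: `ktadd` writes a new key version, so the version number stored in the keytab has to match the one the KDC holds for `ldap/<FQDN>`. The script assumes the MIT Kerberos output layouts of `klist -k` and `kadmin.local -q 'getprinc ...'`; the sample outputs, host name and realm are constructed.

```python
import re

def keytab_kvnos(klist_output, principal):
    """Key version numbers that `klist -k` lists for one principal."""
    kvnos = set()
    for line in klist_output.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)\s*$", line)   # "   2 ldap/host@REALM"
        if m and m.group(2) == principal:
            kvnos.add(int(m.group(1)))
    return kvnos

def kdc_kvno(getprinc_output):
    """Highest key version number in `getprinc` output, or None if no keys."""
    vnos = [int(v) for v in re.findall(r"^Key: vno (\d+),", getprinc_output, re.M)]
    return max(vnos) if vnos else None

def check_keytab(principal, klist_output, getprinc_output):
    """Return (status, message) comparing the keytab with the KDC database."""
    have = keytab_kvnos(klist_output, principal)
    want = kdc_kvno(getprinc_output)
    if want is None:
        return "missing-in-kdc", "KDC lists no keys for %s; run addprinc" % principal
    if not have:
        return "missing-in-keytab", "no keytab entry for %s; run ktadd" % principal
    if want not in have:
        return "stale-keytab", "keytab has kvno %s but KDC expects %d; run ktrem then ktadd" % (
            sorted(have), want)
    return "ok", "keytab and KDC agree on kvno %d" % want

# Constructed sample output in MIT Kerberos layout (assumption, not from the page).
LDAP = "ldap/server.example.org@EXAMPLE.ORG"
HOST = "host/server.example.org@EXAMPLE.ORG"
KLIST_K = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 ldap/server.example.org@EXAMPLE.ORG
   2 ldap/server.example.org@EXAMPLE.ORG
   4 host/server.example.org@EXAMPLE.ORG
"""
GETPRINC_LDAP = """\
Principal: ldap/server.example.org@EXAMPLE.ORG
Number of keys: 2
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, ArcFour with HMAC/md5, no salt
"""
GETPRINC_HOST = """\
Principal: host/server.example.org@EXAMPLE.ORG
Number of keys: 1
Key: vno 4, Triple DES cbc mode with HMAC/sha1, no salt
"""

if __name__ == "__main__":
    for princ, getprinc in ((LDAP, GETPRINC_LDAP), (HOST, GETPRINC_HOST)):
        status, message = check_keytab(princ, KLIST_K, getprinc)
        print("%-18s %s" % (status, message))
```

On a live server, feed the functions the real output of the two commands instead of the constructed strings.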
SASL Failure GSSAPI Unspecified GSS Failure
Installed from scratch. Enabled "Open Directory" and created a regular user account. Unable to remotely login with ssh. Since then I have been trying every option with Workgroup manager.
At this point, I can't even get authenticated as diradmin. I don't even have the option to stop OpenDirectory. I can access without ssl, e.g.,
$ ldapsearch -v -x ldap://my.domain.com -b "dc=my,dc=domain,dc=com"
Note the -x, simple authentication. Both ldaps:// and no -x will fail.
Must I jump back to the command line utils to solve this?
Thanks,
Hank
Been there done that have the t-shirt.
Here is how I fixed it.
Go into Server Manager app.
Click on Open Directory on the left hand side.
Click on Settings at the top
Click on LDAP
I am assuming you are using SSL for your LDAP connections.
Uncheck "Enable SSL" and click Save
Wait 30 seconds
Check "Enable SSL" and make sure you reselect your SSL cert.
Click Save
Your GSSAPI error will be cured until the next time you reboot or start/stop LDAP.
Then just repeat the process above.
Hope that helps.
Another symptom of the GSSAPI error (Key table entry not found) is that your diradmin user will NOT be able to authenticate!
That's pretty awesome (end sarcasm) and I wish APPLE WOULD FIX THIS as it took a lot of trial and error to figure this out.
FWIW, I'm using a Go Daddy SSL cert which also requires an intermediate cert. -
Error at configuring LDAP Synch by using post installation steps of OIM
Hi All ,
I am getting an error while configuring LDAP sync.
I am doing the LDAP sync by following this link: http://docs.oracle.com/cd/E27559_01/integration.1112/e27123/oid_oim.htm#IDMIG4357
While running the patch_weblogic.sh script I am getting the following error
Error:
patch:
explode-archived-apps-was:
seed-ootb-jobs:
seed-ootb-jobs:
[echo] ----> SEEDING OUT OF THE BOX SCHEDULE JOBS AND TRIGGERS
[java] Exception in thread "main" java.lang.ClassNotFoundException: oracle.jdbc.xa.client.OracleXADataSource
BUILD FAILED
/apps/Oracle/Middleware/Oracle_IDM1/server/setup/deploy-files/setup.xml:21: The following error occurred while executing this line:
/apps/Oracle/Middleware/Oracle_IDM1/server/setup/deploy-files/setup.xml:84: The following error occurred while executing this line:
/apps/Oracle/Middleware/Oracle_IDM1/server/seed_data/seed-rcu-data.xml:37: Java returned: 1
Total time: 26 seconds
I can't troubleshoot this error because I am not able to find out which jar the oracle.iam.scheduler.seed.SeedSchedulerData class is in.
Please help me to solve this problem
Regards,
idmr2
Open weblogic.profile and change the value for property operationsDB.driver to oracle.jdbc.OracleDriver and retest the issue.
-
FRM-41211 Integration error SSL failure
Hello
Environment Client/Server Developer 6i.
I installed Developer on a new client machine to run my application. Everything is fine, but when he tries to run any report the following error occurs:
FRM-41211 Integration error SSL failure running another product.
And I have re-installed Developer but the error still stands.
Any solution?
regards
aaks
As Petr said make sure your reports25_tmp is set in your registry and that the directory exists AND you have the rights to write to that directory.
You can also get this error if you try to issue a 2nd asynchronous run_product call to run a report and there is another one running. For this, Oracle has two 'solutions'.
1) Do not run more than one asynchronous report per session
or
2) Use a delay loop before calling the next report.
It's been my experience that #2 is worthless as, if it works, is doing pretty much the same thing as #1. I really hope this gets fixed (for good) at some point...somehow. <G>
Chad -
FRM-41211: Integration Error: SSL failure running another product Error
Hai,
I am developing a POS application in Oracle (Forms6i/Reports6i). I designed the Invoice Print Format in Reports6i and call it from the Invoice Form. When the
user saves the Invoice I commit the Invoice and call the Invoice Report for printing immediately. I use an Epson TM U210B Label Printer for billing. Sometimes the Invoice Print does not come out of the printer and it gives the
following error (especially the first print after restarting the computer).
FRM-41211: Integration Error: SSL failure running
another product
After that, if you print further transactions there is no problem; it only gives the error the first time you print.
So please give the solutions immediately. I am waiting for your favourable reply.
Ur's Shahul
As Petr said make sure your reports25_tmp is set in your registry and that the directory exists AND you have the rights to write to that directory.
You can also get this error if you try to issue a 2nd asynchronous run_product call to run a report and there is another one running. For this, Oracle has two 'solutions'.
1) Do not run more than one asynchronous report per session
or
2) Use a delay loop before calling the next report.
It's been my experience that #2 is worthless as, if it works, is doing pretty much the same thing as #1. I really hope this gets fixed (for good) at some point...somehow. <G>
Chad -
Run report --- Integration Error ----SSL failure
I have a form that calls a report through the Run_Product built-in. This works fine on Developer 6, but after I upgraded to 6i, every time I press the button that calls the report, an error message appears that says "FRM-41211 Integration Error SSL failure running another product" after the Report Background Engine appears. And the report will not start.
But if I press the button again, all will be fine.
Does anyone know what happens?
Please help!!!!
It is a bug in Forms 6i and a possible workaround (from Metalink) is:
WORKAROUND as follows :
This brings up the Background Engine on startup and minimizes it.
1. Create a shortcut for rwrbe60.exe and do a CTRL+C to copy it.
2. Right click on the TASK BAR at the bottom of the screen and get the TASKBAR
Properties box up.
3. Select ADVANCED
4. Expand Tree for PROGRAMS.
5. Click of STARTUP folder.
6. Do a CTRL+V to Paste in the Shortcut to rwrbe60.exe.
7. Right Click on Shortcut and select Properties.
8. Click Shortcut Tab.
9. Make sure of the following fields are as follows:
TARGET : {drive}:\{path}\rwrbe60.exe /c
START IN : Is the location of your Reports and Forms.
SHORTCUT KEY : None
RUN : MINIMIZED -
Integration error SSL failure running another product. - Urgent
Anybody knows what could be the possible problem and how to solve it. This error is coming when I am running RUN_PRODUCT built-in forms 6i, that application was running for 2 years in Forms 5, without any problem.
I have included the message what Forms documentation had.
FRM-41211: Integration error: SSL failure running another product.
Cause: There is a problem detected when launching another product.
Action: Check the RUN_PRODUCT built-in.
Level: 99
Type: Error
null
I got this error when I was using 4.5, it may be caused by the
correctness of report_path in registry.
Regards,
George
> Anybody knows what could be the possible problem and how to solve it. This error is coming when I am running RUN_PRODUCT built-in forms 6i, that application was running for 2 years in Forms 5, without any problem.
> I have included the message what Forms documentation had.
> FRM-41211: Integration error: SSL failure running another product.
> Cause: There is a problem detected when launching another product.
> Action: Check the RUN_PRODUCT built-in.
> Level: 99
> Type: Error
> null
-
Integration error SSL failure running another product
Dear All,
I am facing some problem while running reports from forms
SERVER:
• OPERATING SYSTEM: Windows.8
• Database: ORACLE 11g
• Forms & Reports = 6i.
In the form, when I click any report button to call a report, sometimes an error comes up.
FRM-41211: integration error SSL failure running another product
And the user cannot print the report.
Forms/Reports 6i on Windows 8? I very much doubt that this is going to work. The last supported OS for Forms/Reports 6i was Windows XP.
You might have some luck with a non-supported workaround:
http://windows7bugs.wordpress.com/2012/08/25/windows-8-oracle-developer-suite-6i-patch-18/