kinit(v5): Client not found in Kerberos database while getting initial credentials

I'm working on configuring SSO in OBIEE 11.1.1.7.14, where I'm facing an issue in the step of configuring krb5.conf and executing the kinit command.

A few notes regarding the Active Directory:

  • We have more than one domain controller and, to balance the requests, we are maintaining a load balancer on port 3269.
  • The integration between OBIEE and MSAD has been done successfully with the load balancer name as host and 3269 as port.
  • A few certificates have been added to demotrust.jks and to the OVD store, and SSL is enabled in the new provider.
  • The keytab file has been generated and placed in the OBIEE domain home; krb5.conf and krb5Login.conf have been modified accordingly.

I have created the keytab file and placed it in the OBIEE domain home, then modified krb5.conf, keeping kdc as one of the IP addresses of the domain controllers and admin_server as the name of the domain controller. While executing

kinit -V -k -t /location/keytabfile.keytab HTTP/obiee_host_name

I got the error "kinit(v5): Client not found in Kerberos database while getting initial credentials". Please share your ideas/suggestions to solve this issue.

Thanks in advance.

user3714699 asked Nov 26 '22 07:11


1 Answer

We have an Active Directory server with 2 domain controllers. A load balancer on port 3269 is used to connect to the Active Directory from OBIEE, and the same connection details can be used in krb5.conf and wherever else they are required. Consider the base domain to be DOM1 and all our groups to be created under the sub-domain SUBDOM, so the SPN is set at SUBDOM.DOM1.COM.

Here are the suggestions we have followed to integrate AD with OBIEE, which solved most of the kinit issues:

  1. Instead of specifying the principal name with the absolute path, just mention it as account_name@FullyQualifiedDomainName.

  2. Changes in krb5.conf:

    1. Since the attribute "crypto" is specified as "all" while creating the keytab and setting the SPN, all the encryption types present in the keytab file have to be mentioned in krb5.conf (default_tkt_enctypes and default_tgs_enctypes).

    2. We have included the primary domain controller IP address as the kdc attribute in the [realms] section; this is the same as Michael-O specified in point 2.

    3. In the [domain_realm] section of krb5.conf, keep .subdom.dom1.com = DOM1.COM.

    4. Include the host name of the load balancer in the admin_server attribute of the [realms] section in krb5.conf.

Once all the above changes are done, most of the kinit issues will be solved and the kinit command will execute successfully, creating the initial ticket in the desired directory.

user3714699 answered May 09 '23 12:05
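The four krb5.conf changes listed in the answer, and the rule in point 2.1 that every encryption type present in the keytab must also be listed in default_tkt_enctypes and default_tgs_enctypes, as an added example that is not part of the question or the answer: a small Python script that parses an MIT-format keytab (built in memory here, since a real keytab is a binary file holding key material) and reports which keytab enctypes a given krb5.conf omits, which is the mismatch that typically surfaces during kinit. The realm DOM1.COM and the SUBDOM sub-domain come from the answer; the host names obiee.subdom.dom1.com and adlb.dom1.com, the IP 192.0.2.10 and the zeroed key bytes are constructed placeholders, and the krb5.conf parser reads only the two enctype lines.

```python
"""Cross-check keytab enctypes against krb5.conf (added example, not from the page).

Assumes the MIT keytab on-disk format, version 0x0502. Host names, IP and keys
below are constructed placeholders.
"""
import re
import struct

# MIT enctype numbers with the names (and aliases) krb5.conf accepts for them.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
ENCTYPE_ALIASES = {
    1: {"des-cbc-crc"},
    3: {"des-cbc-md5"},
    17: {"aes128-cts-hmac-sha1-96", "aes128-cts", "aes128-sha1"},
    18: {"aes256-cts-hmac-sha1-96", "aes256-cts", "aes256-sha1"},
    23: {"arcfour-hmac", "rc4-hmac", "arcfour-hmac-md5"},
}


def build_keytab_entry(realm, components, enctype, key, kvno=1, timestamp=0, name_type=1):
    """Serialise one keytab v2 entry: count, realm, components, type, time, vno8, keyblock."""
    body = struct.pack(">H", len(components))
    for s in [realm] + components:
        raw = s.encode()
        body += struct.pack(">H", len(raw)) + raw
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body


def parse_keytab(data):
    """Return [(principal, enctype, kvno), ...] from an MIT v2 keytab blob."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []
        for _ in range(ncomp + 1):        # realm comes first, then the name components
            (slen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            strings.append(data[pos:pos + slen].decode())
            pos += slen
        realm, comps = strings[0], strings[1:]
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen                   # skip the key material itself
        if end - pos >= 4:                # optional 32-bit vno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or kvno
        pos = end
        entries.append(("/".join(comps) + "@" + realm, enctype, kvno))
    return entries


def configured_enctypes(krb5_conf):
    """Map each enctype setting in [libdefaults] to the set of names it lists."""
    pattern = r"^\s*(default_tkt_enctypes|default_tgs_enctypes)\s*=\s*([^\n]+)"
    return {key: set(value.split()) for key, value in re.findall(pattern, krb5_conf, re.M)}


def missing_enctypes(keytab_entries, krb5_conf):
    """Per krb5.conf setting, the keytab enctypes it does not mention (point 2.1 of the answer)."""
    report = {}
    for key, names in configured_enctypes(krb5_conf).items():
        missing = set()
        for _principal, enctype, _kvno in keytab_entries:
            aliases = ENCTYPE_ALIASES.get(enctype, {f"enctype-{enctype}"})
            if not aliases & names:
                missing.add(ENCTYPE_NAMES.get(enctype, f"enctype-{enctype}"))
        report[key] = sorted(missing)
    return report


# Constructed krb5.conf carrying the answer's four changes (placeholder hosts/IP).
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = DOM1.COM
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
 DOM1.COM = {
  # point 2.2: primary domain controller IP (placeholder)
  kdc = 192.0.2.10
  # point 2.4: load balancer host name (placeholder)
  admin_server = adlb.dom1.com
 }

[domain_realm]
 .subdom.dom1.com = DOM1.COM
"""

# Constructed keytab: the HTTP SPN with three enctypes, as "crypto all" would produce.
_SPN = ["HTTP", "obiee.subdom.dom1.com"]
SAMPLE_KEYTAB = b"\x05\x02" + b"".join(
    build_keytab_entry("DOM1.COM", _SPN, enc, bytes(klen), kvno=2)
    for enc, klen in ((18, 32), (17, 16), (23, 16)))

if __name__ == "__main__":
    for principal, enc, kvno in parse_keytab(SAMPLE_KEYTAB):
        print(f"{principal} kvno={kvno} {ENCTYPE_NAMES.get(enc, enc)}")
    print(missing_enctypes(parse_keytab(SAMPLE_KEYTAB), SAMPLE_KRB5_CONF))
```

Against the sample data the script reports that default_tgs_enctypes omits arcfour-hmac while default_tkt_enctypes is complete; to run it against a real deployment, replace SAMPLE_KEYTAB with the bytes of the keytab file and SAMPLE_KRB5_CONF with the contents of the deployed krb5.conf, and compare the parsed entries with what `klist -kte` prints for the same file.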