Problem with Kerberos authentication

Hello NG,

I'm experiencing problems in configuring DB2 v9.1 on Linux (RedHat AS4)
to use Kerberos authentication against an AD (W2K3 R2).
IBM Network Authentication Service is installed and configured following
the instructions on
http://www-128.ibm.com/developerwork...see/index.html

/etc/krb5/krb5.keytab contains a key for the instance owner, according
to klist -k:
$ which klist
/usr/krb5/bin/klist
$ klist -k
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
3 db2inst1/<fqdn>@<domain>

where <fqdn> is the fully qualified domain name of the host and equals
the output of hostname -f, and <domain> is the name of the W2K3-Domain.

Here's the relevant part of the dbm configuration:
Client Userid-Password Plugin (CLNT_PW_PLUGIN) =
Client Kerberos Plugin (CLNT_KRB_PLUGIN) =
Group Plugin (GROUP_PLUGIN) =
GSS Plugin for Local Authorization (LOCAL_GSSPLUGIN) =
Server Plugin Mode (SRV_PLUGIN_MODE) = UNFENCED
Server List of GSS Plugins (SRVCON_GSSPLUGIN_LIST) = IBMkrb5
Server Userid-Password Plugin (SRVCON_PW_PLUGIN) =
Server Connection Authentication (SRVCON_AUTH) = KRB_SERVER_ENCRYPT
Database manager authentication (AUTHENTICATION) = SERVER
Cataloging allowed without authority (CATALOG_NOAUTH) = NO
Trust all clients (TRUST_ALLCLNTS) = YES
Trusted client authentication (TRUST_CLNTAUTH) = CLIENT
Bypass federated authentication (FED_NOAUTH) = NO

I can obtain a Kerberos ticket for the instance owner:
$ which kinit
/usr/krb5/bin/kinit
$ kinit
Password for db2inst1@<domainname>:
$ which klist
/usr/krb5/bin/klist
$ klist
Ticket cache: FILE:/tmp/krb5cc_10001_hXOi9d
Default principal: db2inst1@<domain>

Valid starting Expires Service principal
18 Dec 2006 10:59:37 18 Dec 2006 20:59:43 krbtgt/<domain>@<domain>
Renew until 19 Dec 2006 10:59:37

When issuing db2start, I get the following error message:
SQL1365N db2start or db2stop failed in processing the plugin "IBMkrb5".
Reason code = "10".
12/18/2006 10:47:04 0 0 SQL1365N db2start or db2stop failed in
processing the plugin "". Reason code = "".
SQL1032N No start database manager command was issued. SQLSTATE=57019

db2diag.log lists the following errors:
2006-12-18-10.47.03.934370+060 E117102G767 LEVEL: Severe
PID : 17387 TID : 3086395072 PROC : db2star2
INSTANCE: db2inst1 NODE : 000
FUNCTION: DB2 UDB, oper system services, sqloKADetermineKernelIntegrity,
probe:30
DATA #1 : <preformatted>
Indeterminable operating system.
CALLSTCK:
[0] 0x01697537 _Z30sqloKADetermineKernelIntegrityP8sqlekrcb + 0x6AB
[1] 0x01695F21 _Z13sqloKAAnalyzeP8sqlekrcb + 0x85
[2] 0x080523BF /vol/databases/db2inst1/sqllib/adm/db2star2 + 0xA3BF
[3] 0x0804E08D DB2StartMain + 0x23C5
[4] 0x0804BCBF main + 0x27
[5] 0x00622DE3 __libc_start_main + 0xD3
[6] 0x0804BC01 __gxx_personality_v0 + 0x31D
[7] 0x00000000 ?unknown + 0x0
[8] 0x00000000 ?unknown + 0x0
[9] 0x00000000 ?unknown + 0x0

2006-12-18-10.47.04.787481+060 I117870G263 LEVEL: Error
PID : 17398 TID : 3086657216
FUNCTION: DB2 Common, Security, Users and Groups,
secLoadServerGSSPlugin, probe:20
DATA #1 : String, 41 bytes
db2secServerAuthPluginInit failed with -1

2006-12-18-10.47.04.788806+060 I118134G307 LEVEL: Error
PID : 17398 TID : 3086657216
FUNCTION: DB2 Common, Security, Users and Groups,
secLoadServerGSSPlugin, probe:21
DATA #1 : String, 86 bytes
gss_acquire_cred: Miscellaneous failure. No principal in keytab matches
desired name

2006-12-18-10.47.04.790312+060 I118442G387 LEVEL: Severe
PID : 17398 TID : 3086657216 PROC : db2sysc 0
INSTANCE: db2inst1 NODE : 000
FUNCTION: DB2 UDB, oper system services, sqloInitEDUServices, probe:3090
MESSAGE : ZRC=0x805C018F=-2141453937=SQLEX_PLGN_SRV_PLGN_UNEXPECTED_ERROR
"Server security plugin encountered an unexpected error"

2006-12-18-10.47.04.805266+060 I118830G435 LEVEL: Severe
PID : 17397 TID : 3086657216 PROC : db2wdog 0 0
INSTANCE: db2inst1 NODE : 000
FUNCTION: DB2 UDB, base sys utilities, DB2main, probe:115
MESSAGE : SQL1042C An unexpected system error occurred.
CALLED : DB2 UDB, oper system services, sqloRunInstance
RETCODE : ZRC=0x00000001=1
DIA8000C An unexpected end of file was reached "".

I can't see the reason for the message "No principal in keytab matches
desired name", as the desired name should be <instance-owner>/<fqdn>,
and that's what the keytab contains.

Does anyone have an idea on how to solve this?

Thanks in advance,
Benjamin
Dec 18 '06 #1
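
Kerberos principal names are case-sensitive, and the placeholders in the post hide the actual letter case, host form and realm of the keytab entry. The following check is an added example, not part of the original post: it parses `klist -k` output in the layout shown above and compares each entry with the expected `<instance-owner>/<fqdn>@<domain>` principal. The host name, realm and sample keytab listing are constructed placeholders.

```python
import re

# Constructed sample in the `klist -k` layout from the post (placeholder host and realm).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
   3 db2inst1/DBHOST.example.com@EXAMPLE.COM
   3 db2inst1/dbhost@EXAMPLE.COM
"""

def keytab_principals(klist_output):
    """Return (kvno, principal) pairs from `klist -k` output."""
    entries = []
    for line in klist_output.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)\s*$", line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries

def split_principal(principal):
    """Split primary/instance@REALM into its three components."""
    name, _, realm = principal.rpartition("@")
    primary, _, instance = name.partition("/")
    return primary, instance, realm

def diagnose(expected, klist_output):
    """Compare every keytab entry with the expected principal, component by component."""
    exp = split_principal(expected)
    findings = []
    for _kvno, princ in keytab_principals(klist_output):
        got = split_principal(princ)
        if got == exp:
            verdict = "exact match"
        elif tuple(p.lower() for p in got) == tuple(p.lower() for p in exp):
            verdict = "differs only in letter case"
        elif got[0] == exp[0] and got[2] == exp[2] and exp[1].split(".")[0] == got[1]:
            verdict = "short host name instead of FQDN"
        elif got[:2] == exp[:2]:
            verdict = "realm differs"
        else:
            verdict = "different principal"
        findings.append((princ, verdict))
    return findings

if __name__ == "__main__":
    # Expected name follows the form given in the post; values are placeholders.
    for princ, verdict in diagnose("db2inst1/dbhost.example.com@EXAMPLE.COM", SAMPLE_KLIST):
        print(f"{verdict:35} {princ}")
```
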