Hi,

Here is my setup. I am not sure what's going wrong here. I am trying to ping from machine "kdc.kerb.com" to "linux.kerb.com". On system kdc I have,

****************************************************
racoon.conf file :

# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
remote anonymous {
    exchange_mode main;
    lifetime time 24 hour;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method gssapi_krb;
        gssapi_id "ike/kdc.kerb.com@KERB.COM";
        dh_group 1;
    }
}

sainfo anonymous
{
    lifetime time 1 hour ;
    encryption_algorithm 3des, blowfish 448, rijndael ;
    authentication_algorithm hmac_sha1, hmac_md5 ;
    compression_algorithm deflate ;
}

*****************************************************
[root@kdc etc] kinit  -k -t  /etc/krb5.keytab  host/kdc.kerb.com
[root@kdc etc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/kdc.kerb.com@KERB.COM

Valid starting     Expires            Service principal
12/10/05 15:48:11  12/11/05 01:48:11  krbtgt/KERB.COM@KERB.COM
        renew until 12/11/05 15:48:11


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

[root@kdc etc]# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2              ike/linux.kerb.com@KERB.COM
   2    2              ike/linux.kerb.com@KERB.COM
   3    2                ike/kdc.kerb.com@KERB.COM
   4    2                ike/kdc.kerb.com@KERB.COM
   5    2             host/linux.kerb.com@KERB.COM
   6    2             host/linux.kerb.com@KERB.COM
   7    2               host/kdc.kerb.com@KERB.COM
   8    2               host/kdc.kerb.com@KERB.COM

**********************************************************

I am getting the error:
ERROR: import name
ERROR: Hostname cannot be canonicalized.

Please see the log below.

I am not sure what's going wrong here. Could you please help?

- Sandy.

*********************************************************
2005-12-10 16:05:15: DEBUG: dh_group = 768-bit MODP group:768-bit MODP group
2005-12-10 16:05:15: DEBUG: an acceptable proposal found.
2005-12-10 16:05:15: DEBUG: hmac(modp768)
2005-12-10 16:05:15: DEBUG: gss id in new sa 'ike/kdc.kerb.com@KERB.COM'
2005-12-10 16:05:15: DEBUG: GIi is ike/kdc.kerb.com@KERB.COM
2005-12-10 16:05:15: DEBUG: GIr is ike/linux.kerb.com@KERB.COM
2005-12-10 16:05:15: DEBUG: ===
2005-12-10 16:05:15: DEBUG: compute DH's private.
2005-12-10 16:05:15: DEBUG:
6d805428 395f87c3 d7ecc20f 84fcb871 917294a9 cdfcc051 6c38f89b 5d3aeefa
155dce06 cf6ec126 c8cffe5f 558593f8 a4a688ef 9aaf2048 a25a1209 77d9688c
51c7accb 7b65f2f1 410366a6 93d5880d 8c3f164e e79600d5 79c1d405 9a8f3f82
2005-12-10 16:05:15: DEBUG: compute DH's public.
2005-12-10 16:05:15: DEBUG:
1d06149c 8e93b623 f4f94769 df51dffa d6e77480 46080bea b37798c8 707dea23
5049e210 b17bbda7 92140ec5 bfa9925b acd54053 b1b6b929 c9706350 a0a6ba16
072bca18 61720825 8ecef90e 0d4491e8 99d5115f 1a397267 64e27e36 696af74d
2005-12-10 16:05:15: ERROR: import name
2005-12-10 16:05:15: ERROR: Hostname cannot be canonicalized
2005-12-10 16:05:15: ERROR: failed to process packet.
2005-12-10 16:05:15: ERROR: phase1 negotiation failed.
2005-12-10 16:05:25: DEBUG: ===
2005-12-10 16:05:25: DEBUG: 142 bytes message received from 192.168.1.122[500] to 192.168.1.121[500]
2005-12-10 16:05:25: DEBUG:
b3bec1fd 6f92c5dc e00d2ef9 784fd624 01100200 00000000 0000008e 00000072
00000001 00000001 00000066 01010001 0000005e 01010000 800b0001 000c0004
00015180 80010005 8003fde9 80020002 80040001 40000036 69006b00 65002f00
6c006900 6e007500 78002e00 6b006500 72006200 2e006300 6f006d00 40004b00
45005200 42002e00 43004f00 4d00
2005-12-10 16:05:25: DEBUG: malformed cookie received or the spi expired.
2005-12-10 16:05:35: DEBUG: ===
2005-12-10 16:05:35: DEBUG: 142 bytes message received from 192.168.1.122[500] to 192.168.1.121[500]
2005-12-10 16:05:35: DEBUG:
b3bec1fd 6f92c5dc e00d2ef9 784fd624 01100200 00000000 0000008e 00000072
00000001 00000001 00000066 01010001 0000005e 01010000 800b0001 000c0004
00015180 80010005 8003fde9 80020002 80040001 40000036 69006b00 65002f00
6c006900 6e007500 78002e00 6b006500 72006200 2e006300 6f006d00 40004b00
45005200 42002e00 43004f00 4d00
2005-12-10 16:05:35: DEBUG: malformed cookie received or the spi expired.
2005-12-10 16:05:45: DEBUG: ===
2005-12-10 16:05:45: DEBUG: 142 bytes message received from 192.168.1.122[500] to 192.168.1.121[500]
2005-12-10 16:05:45: DEBUG:
b3bec1fd 6f92c5dc e00d2ef9 784fd624 01100200 00000000 0000008e 00000072
00000001 00000001 00000066 01010001 0000005e 01010000 800b0001 000c0004
00015180 80010005 8003fde9 80020002 80040001 40000036 69006b00 65002f00
6c006900 6e007500 78002e00 6b006500 72006200 2e006300 6f006d00 40004b00
45005200 42002e00 43004f00 4d00
2005-12-10 16:05:45: DEBUG: malformed cookie received or the spi expired.
2005-12-10 16:05:45: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 192.168.1.122[0]->192.168.1.121[0]
2005-12-10 16:05:45: INFO: delete phase 2 handler.

*************************************end of log ***************************************************************
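The 142-byte message that the log shows arriving from 192.168.1.122 can be decoded to see exactly what the peer proposed in phase 1. This is an added Python example, not part of the original post or of racoon; it walks the ISAKMP header, SA, proposal and transform payloads of the dump above and assumes that attribute number 16384 is racoon's private-use attribute for the GSS-API identity.

```python
import struct

# Constructed from the racoon log above: the 142-byte phase-1 message that
# kdc received from 192.168.1.122, copied from the hex dump in the post.
MSG_HEX = """
b3bec1fd 6f92c5dc e00d2ef9 784fd624 01100200 00000000 0000008e 00000072
00000001 00000001 00000066 01010001 0000005e 01010000 800b0001 000c0004
00015180 80010005 8003fde9 80020002 80040001 40000036 69006b00 65002f00
6c006900 6e007500 78002e00 6b006500 72006200 2e006300 6f006d00 40004b00
45005200 42002e00 43004f00 4d00
"""
# IKEv1 phase-1 attribute types (RFC 2409 appendix A); 16384 is assumed to be
# the private-use attribute racoon uses to carry the GSS-API identity.
ATTR_NAMES = {1: "encryption", 2: "hash", 3: "auth_method", 4: "dh_group",
              11: "life_type", 12: "life_duration", 16384: "gss_id"}

def parse_attributes(data):
    """Decode ISAKMP data attributes: TV form if the high bit is set, else TLV."""
    attrs, off = {}, 0
    while off < len(data):
        af_type, val_or_len = struct.unpack_from("!HH", data, off)
        atype, off = af_type & 0x7FFF, off + 4
        if af_type & 0x8000:                   # TV form: 16-bit value inline
            value = val_or_len
        else:                                  # TLV form: value bytes follow
            value, off = data[off:off + val_or_len], off + val_or_len
        attrs[ATTR_NAMES.get(atype, atype)] = value
    return attrs

def decode_gss_id(blob):
    """Return (encoding, text); ASCII sent as UTF-16LE has every second byte zero."""
    if len(blob) % 2 == 0 and all(b == 0 for b in blob[1::2]):
        return "utf-16le", blob.decode("utf-16-le")
    return "latin1", blob.decode("latin-1")

def parse_phase1_message(hex_dump):
    raw = bytes.fromhex("".join(hex_dump.split()))
    # ISAKMP header: cookies, next payload, version, exchange type, flags, msg id, length
    icky, rcky, _np, _ver, xchg, _fl, _mid, length = struct.unpack_from("!8s8sBBBBII", raw, 0)
    assert length == len(raw), "ISAKMP length field does not match the dump"
    # SA payload (generic header + DOI + situation) at 28, proposal at 40, and the
    # single transform at 48 (SPI size 0); attributes follow its 8-byte header.
    tr_len = struct.unpack_from("!BBH", raw, 48)[2]
    attrs = parse_attributes(raw[56:48 + tr_len])
    enc, ident = decode_gss_id(attrs["gss_id"])
    return {"initiator_cookie": icky.hex(), "responder_cookie": rcky.hex(),
            "exchange_type": xchg, "auth_method": attrs["auth_method"],
            "life_seconds": int.from_bytes(attrs["life_duration"], "big"),
            "gss_id_encoding": enc, "gss_id": ident}
```

Running it on the dump shows the peer's identity arriving as ike/linux.kerb.com@KERB.COM in UTF-16LE (every second byte zero), with auth method 65001 and a 24-hour lifetime, which is worth comparing with how each racoon is configured to encode GSS-API identities (racoon.conf(5) has a gss_id_enc setting).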


On 12/9/05, Nathan Herring <nathanh@microsoft.com> wrote:
What happens if you use the full realm info? e.g., host/kdc.kerb.com@KERB.COM (or whatever your REALM is)? In my case I can't get away without specifying the realm, but YMMV. I would use one of the principal names exactly as you'd see if you ran sudo klist -k /etc/krb5.keytab, and see if that gets you further.

-nh