tomcat, active-directory, ldap, openshift, kerberos

Server not found in Kerberos database **remaining name 'DC=mydomain,DC=com'**


I am facing this error when I change the URL for the LDAP server in server.xml:

GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]; remaining name 'DC=mydomain,DC=com'

This happens in server.xml when I change the URL to ldap.mydomain.com instead of xyz.mydomain.com.

In /etc/hosts the IP address and the new domain name have also been added.

The subdomain ldap refers to the subdomain xyz, but I want to use ldap instead of xyz: the address of the LDAP server is xyz.mydomain.com, but I just want to use the name ldap as the subdomain instead of xyz. I can connect to the LDAP server via ldap.mydomain.com with a GUI, but not from the Apache server.

The error is pointing at "remaining name 'DC=mydomain,DC=com'"; there are also the same "Server not found in Kerberos database" errors without the "remaining name 'DC=mydomain,DC=com'" part.

What does the part "remaining name 'DC=mydomain,DC=com'" in the error message mean? Thanks for your help.

GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]; remaining name 'DC=mydomain,DC=com'

Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]
    at jdk.security.jgss/com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:222)
    at java.naming/com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:172)
    ... 38 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)
    at java.security.jgss/sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:773)
    at java.security.jgss/sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:266)
    at java.security.jgss/sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:196)
    at jdk.security.jgss/com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:203)
    ... 39 more
Caused by: KrbException: Fail to create credential. (63) - No service creds
    at java.security.jgss/sun.security.krb5.internal.CredentialsUtil.serviceCredsSingle(CredentialsUtil.java:458)
    at java.security.jgss/sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:340)
    at java.security.jgss/sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:314)
    at java.security.jgss/sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:169)
    at java.security.jgss/sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:490)
    at java.security.jgss/sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:697)


Solution

  • Since you're using Kerberos authentication (GSSAPI), the LDAP server's URL configured in the client must match the server's "actual" FQDN. For example, if your server is named addc01.example.com, then that is what you must specify in the config, and if you really want to access it by a different name, you need to register that name as a Kerberos SPN for the server.

    The exact behavior differs between platforms:

    The last part of the error message which talks about an LDAP DN is irrelevant, since the client didn't even get to the point where it could make an LDAP search in the first place.
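The following is an added example to illustrate the answer above; it is not code from the question, the answer, Tomcat or the JDK. It models the point that matters here: a JNDI/GSSAPI client asks the KDC for the service principal ldap/<host-as-written-in-the-URL>@REALM, so adding an /etc/hosts entry for the alias changes nothing; the alias has to exist as an SPN on the server's account, or the URL has to use the real FQDN. The hostnames, realm, account name (XYZ$) and the `setspn -L` listing are constructed, and the hostname rule in `client_hostname` is an assumption modelled on how the OpenJDK Kerberos code treats host-based names (a short name is expanded to its canonical FQDN; an FQDN alias that reverse-resolves to a different name is used as typed). Verify it against the JDK you actually run.

```python
"""Pre-flight check: which Kerberos SPN will a JNDI/GSSAPI LDAP client request
for a given LDAP URL, and does the server's AD account hold that SPN?

Added example, not from the original question or answer. All hostnames, the
realm, the account name and the setspn output are constructed.
"""
import re
from urllib.parse import urlsplit

# Constructed: the URLs the poster tried in server.xml, plus a short name.
LDAP_URLS = [
    "ldap://xyz.mydomain.com:389",   # the DC's real FQDN
    "ldap://ldap.mydomain.com:389",  # alias the poster wants to use
    "ldaps://ldap:636",              # short name, shows canonicalisation
]
REALM = "MYDOMAIN.COM"
SERVER_ACCOUNT = "XYZ$"  # assumed: the DC's computer account

# Constructed: what `setspn -L XYZ$` might print for that account.
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=XYZ,OU=Domain Controllers,DC=mydomain,DC=com:
\tldap/xyz.mydomain.com/mydomain.com
\tldap/xyz.mydomain.com
\tldap/XYZ
\tHOST/xyz.mydomain.com
\tHOST/XYZ
"""

# Constructed stand-in for DNS: configured name -> canonical name of its IP.
# Both names resolve to the DC, whose PTR record is the real name.
CANONICAL = {
    "xyz.mydomain.com": "xyz.mydomain.com",
    "ldap.mydomain.com": "xyz.mydomain.com",
    "ldap": "ldap.mydomain.com",
}


def client_hostname(url, canonical=CANONICAL):
    """Host the client puts into its TGS request for this URL.

    Assumed rule (modelled on OpenJDK's handling of host-based principal
    names): the canonical name replaces the configured host only when it is
    a longer form of it (short name -> FQDN). An alias FQDN whose reverse
    lookup yields a different FQDN stays exactly as written in the URL.
    """
    host = urlsplit(url).hostname
    canon = canonical.get(host, host)
    if canon.lower().startswith(host.lower() + "."):
        return canon
    return host


def expected_spn(url, realm=REALM):
    """Service principal the client will ask the KDC for."""
    return f"ldap/{client_hostname(url)}@{realm}"


def parse_setspn_output(text):
    """Collect SPNs from `setspn -L` output: one indented service/host per line."""
    return {line.strip() for line in text.splitlines()
            if re.match(r"^\s+\S+/\S+", line)}


def audit(urls, registered, realm=REALM, account=SERVER_ACCOUNT):
    """Per URL: requested SPN, whether the account holds it, and the setspn
    command that would register it if not. AD matches SPNs without regard to
    case, so the comparison is case-insensitive (assumption)."""
    have = {spn.lower() for spn in registered}
    rows = []
    for url in urls:
        spn = expected_spn(url, realm)
        bare = spn.split("@")[0]
        ok = bare.lower() in have
        fix = None if ok else f"setspn -S {bare} {account}"
        rows.append({"url": url, "spn": spn, "registered": ok, "fix": fix})
    return rows


if __name__ == "__main__":
    for row in audit(LDAP_URLS, parse_setspn_output(SETSPN_OUTPUT)):
        status = "OK" if row["registered"] else "MISSING -> " + row["fix"]
        print(f"{row['url']:30} requests {row['spn']:38} {status}")
```

Run against real `setspn -L <account>` output pasted into SETSPN_OUTPUT, the script tells you which of the names you intend to use in server.xml will produce "Server not found in Kerberos database" and prints the `setspn -S` line that registers the missing ldap/<alias> SPN on the DC's account (the `-S` form refuses to create a duplicate SPN elsewhere in the forest). Registering the alias is the option the answer describes; the other is simply to put xyz.mydomain.com back into the URL.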