UNKNOWN_SERVER Error on KRB5?
Jeffrey Altman
jaltman2 at nyc.rr.com
Mon May 10 16:44:06 EDT 2004
What error messages do you receive in the KDC logs when you use the
upper cased name from the runas?
Did you reconfigure the Windows machine to authenticate to the Linux KDC
with KSETUP.EXE?
Why do you need to use RUNAS at all?
Jeffrey Altman
Joe Bryant wrote:
> I am very new to Kerberos, and trying to do what seems a very complex task
> with it. We are a big mainframe 390/zOS shop, with AS/400's, and Windows
> clients. We currently have the zOS configured as a KDC, and can point a
> Windows box to it to get a TGT, then a service ticket, to access the AS/400
> through the Windows "runas" command, and all works well. Of course, that is
> not exactly what we NEED, so I have to add a Linux/KRB5 kdc, because we need
> to be able to force the passwords on the ID as part of a behind the scenes
> biometric solution. Now, with all that said, most is not important to my
> real problem. The issue is, when I point the Windows box to my new kdc on
> Linux, I run into a couple of issues I do not really understand.
>
> First, we were using an upper case userid. When I create one in this
> configuration, I can get it from the Windows box using leash32 to test, but
> it fails when using the runas. With all else the same, a lower case ID is
> successful at retrieving a TGT.
>
> Second, when I do get a TGT, and a second call is made to get the service
> ticket, I get at my server a message:
>
> May 07 11:25:29 SEC400 krb5kdc[208](info): AS_REQ (7 etypes {23 -133 -128 3
> 1 24 -135}) 10.3.1.70(88): NEEDED_PREAUTH: krbtest at SEC400.ITC.RITEAID.COM
> for krbtgt/SEC400.ITC.RITEAID.COM at SEC400.ITC.RITEAID.COM, Additional
> pre-authentication required
> May 07 11:25:29 SEC400 krb5kdc[208](info): AS_REQ (2 etypes {3 1})
> 10.3.1.70(88): ISSUE: authtime 1083943529, etypes {rep=3 tkt=16 ses=1},
> krbtest at SEC400.ITC.RITEAID.COM for
> krbtgt/SEC400.ITC.RITEAID.COM at SEC400.ITC.RITEAID.COM
> May 07 11:25:29 SEC400 krb5kdc[208](info): TGS_REQ (7 etypes {23 -133 -128 3
> 1 24 -135}) 10.3.1.70(88): UNKNOWN_SERVER: authtime 1083943529,
> krbtest at SEC400.ITC.RITEAID.COM for
> krbsvr400/sys400c.itc.riteaid.com at SEC400.ITC.RITEAID.COM, Server not found
> in Kerberos database
>
> I have tried everything I could think of, but just can't seem to make any
> headway. Any advice from some of you long time KRB experts would be greatly
> appreciated.
>
> Joe Bryant
> Sr. Sys. Prog.
> Rite Aid Corp.
>
>
--
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
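
An added example, not part of either message above: a small parser for the krb5kdc lines quoted in the post that pulls out the service principal each UNKNOWN_SERVER request asked for and compares it with a list of principals in the KDC database, separating a case-only difference from a missing entry (MIT Kerberos principal names are case-sensitive). The function names and the principal list `SAMPLE_DB` are hypothetical and constructed for illustration; the log lines are the ones from the post, unwrapped.

```python
import re
# krb5kdc AS_REQ/TGS_REQ line; accepts "@" and the " at " form quoted above.
KDC_LINE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) \(.*?\) "
    r"(?P<ip>[\d.]+)\(\d+\): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, )?(?:etypes \{[^}]*\}, )?"
    r"(?P<client>\S+(?: at |@)\S+) for (?P<server>\S+(?: at |@)[^\s,]+)")

def parse_kdc_line(line):
    """Return req/ip/status/client/server for one log line, or None."""
    m = KDC_LINE.search(line)
    if m is None:
        return None
    return {k: v.replace(" at ", "@") for k, v in m.groupdict().items()}

def classify(requested, db_principals):
    """Exact match, case-only difference, or no entry at all."""
    if requested in db_principals:
        return "present"
    # A case-only difference is still a miss for a case-sensitive lookup.
    folded = {p.lower(): p for p in db_principals}
    hit = folded.get(requested.lower())
    return f"case-mismatch: {hit}" if hit else "absent"

def report(log_lines, db_principals):
    """List (client, requested server, verdict) for each UNKNOWN_SERVER."""
    out = []
    for rec in filter(None, map(parse_kdc_line, log_lines)):
        if rec["status"] == "UNKNOWN_SERVER":
            out.append((rec["client"], rec["server"],
                        classify(rec["server"], db_principals)))
    return out

# The three log lines from the post, unwrapped onto single lines.
R = "SEC400.ITC.RITEAID.COM"
P = "May 07 11:25:29 SEC400 krb5kdc[208](info): "
E7 = "(7 etypes {23 -133 -128 3 1 24 -135}) 10.3.1.70(88): "
SAMPLE_LOG = [
    f"{P}AS_REQ {E7}NEEDED_PREAUTH: krbtest at {R} for krbtgt/{R} at {R}, "
    "Additional pre-authentication required",
    f"{P}AS_REQ (2 etypes {{3 1}}) 10.3.1.70(88): ISSUE: authtime 1083943529, "
    f"etypes {{rep=3 tkt=16 ses=1}}, krbtest at {R} for krbtgt/{R} at {R}",
    f"{P}TGS_REQ {E7}UNKNOWN_SERVER: authtime 1083943529, krbtest at {R} for "
    f"krbsvr400/sys400c.itc.riteaid.com at {R}, Server not found in Kerberos database",
]
# Constructed principal list (hypothetical, not the poster's database).
SAMPLE_DB = [f"krbtest@{R}", f"krbtgt/{R}@{R}", f"krbsvr400/SYS400C.ITC.RITEAID.COM@{R}"]
if __name__ == "__main__":
    print(report(SAMPLE_LOG, SAMPLE_DB))
```

In practice the second argument would be the principal names listed by the KDC's own admin tooling, one per entry.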