UNKNOWN_SERVER Error on KRB5?

Jeffrey Altman jaltman2 at nyc.rr.com
Tue May 11 09:38:21 EDT 2004


What enctypes are supported for the principal

	KRBTEST at SEC400.ITC.RITEAID.COM

??



Joe Bryant wrote:
> "Jeffrey Altman" <jaltman2 at nyc.rr.com> wrote in message
> news:409FEA22.7060505 at nyc.rr.com...
> 
>>What error messages do you receive in the KDC logs when you use the
>>upper cased name from the runas?
> 
> 
> With lowercase ID:
> 
> May 11 09:12:44 SEC400 krb5kdc[208](info): AS_REQ (7 etypes {23 -133 -128 3
> 1 24 -135}) 10.3.1.70(88): NEEDED_PREAUTH: krbtest at SEC400.ITC.RITEAID.COM
> for krbtgt/SEC400.ITC.RITEAID.COM at SEC400.ITC.RITEAID.COM, Additional
> pre-authentication required
> May 11 09:12:44 SEC400 krb5kdc[208](info): AS_REQ (2 etypes {3 1})
> 10.3.1.70(88): ISSUE: authtime 1084281164, etypes {rep=3 tkt=16 ses=1},
> krbtest at SEC400.ITC.RITEAID.COM for
> krbtgt/SEC400.ITC.RITEAID.COM at SEC400.ITC.RITEAID.COM
> May 11 09:12:44 SEC400 krb5kdc[208](info): TGS_REQ (7 etypes {23 -133 -128 3
> 1 24 -135}) 10.3.1.70(88): UNKNOWN_SERVER: authtime 1084281164,
> krbtest at SEC400.ITC.RITEAID.COM for
> krbsvr400/sys400c.itc.riteaid.com at SEC400.ITC.RITEAID.COM, Server not found
> in Kerberos database
> 
> With uppercase ID:
> 
> May 11 09:14:00 SEC400 krb5kdc[208](info): AS_REQ (7 etypes {23 -133 -128 3
> 1 24 -135}) 10.3.1.70(88): NEEDED_PREAUTH: KRBTEST at SEC400.ITC.RITEAID.COM
> for krbtgt/SEC400.ITC.RITEAID.COM at SEC400.ITC.RITEAID.COM, Additional
> pre-authentication required
> May 11 09:14:00 SEC400 krb5kdc[208](info): preauth (timestamp) verify
> failure: No matching key in entry
> May 11 09:14:00 SEC400 krb5kdc[208](info): AS_REQ (2 etypes {3 1})
> 10.3.1.70(88): PREAUTH_FAILED: KRBTEST at SEC400.ITC.RITEAID.COM for
> krbtgt/SEC400.ITC.RITEAID.COM at SEC400.ITC.RITEAID.COM, Preauthentication
> failed
> May 11 09:14:00 SEC400 krb5kdc[208](info): no valid preauth type found:
> Success
> May 11 09:14:00 SEC400 krb5kdc[208](info): AS_REQ (2 etypes {3 1})
> 10.3.1.70(88): PREAUTH_FAILED: KRBTEST at SEC400.ITC.RITEAID.COM for
> krbtgt/SEC400.ITC.RITEAID.COM at SEC400.ITC.RITEAID.COM, Preauthentication
> failed
> May 11 09:14:00 SEC400 krb5kdc[208](info): DISPATCH: repeated
> (retransmitted?) request from 10.3.1.70 port 88, resending previous response
> May 11 09:14:00 SEC400 krb5kdc[208](info): DISPATCH: repeated
> (retransmitted?) request from 10.3.1.70 port 88, resending previous response
> 
> 
> 
>>Did you reconfigure the Windows machine to authenticate to the Linux KDC
>>with KSETUP.EXE?
> 
> 
> Current ksetup (have tried others):
> 
> Machine is not configured to log on to an external KDC.  Probably a
> workgroup member
> ITC.RITEAID.COM:
>         kdc = sy29.s390.riteaid.com
>         Realm Flags = 0x0 none
> SEC400.ITC.RITEAID.COM:
>         kdc = SEC400.ITC.RITEAID.COM
>         Realm Flags = 0x0 none
> No user mappings defined.
> 
> 
> 
>>Why do you need to use RUNAS at all?
> 
> 
> Runas is the only way we have seen to get tickets available to a program
> dynam, and since we have to launch a program based on WHO did the biometric
> scan, it was the only option we saw. Always open to others if you know any.
> 
> 
>>Jeffrey Altman
>>
>>
>>Joe Bryant wrote:
>>
>>>I am very new to Kerberos, and trying to do what seems a very complex task
>>>with it. We are a big mainframe 390/zOS shop, with AS/400's, and Windows
>>>clients. We currently have the zOS configured as a KDC, and can point a
>>>Windows box to it to get a TGT, then a service ticket, to access the AS/400
>>>through the windows "runas" command, and all works well. Of course, that is
>>>not exactly what we NEED, so I have to add a Linux/KRB5 kdc, because we need
>>>to be able to force the passwords on the ID as part of a behind the scenes
>>>biometric solution. Now, with all that said, most is not important to my
>>>real problem. The issue is, when I point the windows box to my new kdc on
>>>Linux, I run into a couple of issues I do not really understand.
>>>
>>>First, we were using an upper case userid. When I create one in this
>>>configuration, I can get it from the windows box using leash32 to test, but
>>>it fails when using the runas. With all else the same, a lower case ID is
>>>successful at retrieving a TGT.
>>>
>>>Second, when I do get a TGT, and a second call is made to get the service
>>>ticket, I get at my server a message:
>>>
>>>May 07 11:25:29 SEC400 krb5kdc[208](info): AS_REQ (7 etypes {23 -133 -128 3
>>>1 24 -135}) 10.3.1.70(88): NEEDED_PREAUTH: krbtest at SEC400.ITC.RITEAID.COM
>>>for krbtgt/SEC400.ITC.RITEAID.COM at SEC400.ITC.RITEAID.COM, Additional
>>>pre-authentication required
>>>May 07 11:25:29 SEC400 krb5kdc[208](info): AS_REQ (2 etypes {3 1})
>>>10.3.1.70(88): ISSUE: authtime 1083943529, etypes {rep=3 tkt=16 ses=1},
>>>krbtest at SEC400.ITC.RITEAID.COM for
>>>krbtgt/SEC400.ITC.RITEAID.COM at SEC400.ITC.RITEAID.COM
>>>May 07 11:25:29 SEC400 krb5kdc[208](info): TGS_REQ (7 etypes {23 -133 -128 3
>>>1 24 -135}) 10.3.1.70(88): UNKNOWN_SERVER: authtime 1083943529,
>>>krbtest at SEC400.ITC.RITEAID.COM for
>>>krbsvr400/sys400c.itc.riteaid.com at SEC400.ITC.RITEAID.COM, Server not found
>>>in Kerberos database
>>>
>>>I have tried everything I could think of, but just can't seem to make any
>>>headway. Any advice from some of you long time KRB experts would be greatly
>>>appreciated.
>>>
>>>Joe Bryant
>>>Sr. Sys. Prog.
>>>Rite Aid Corp.
>>>
>>>
>>
>>-- 
>>-----------------
>>This e-mail account is not read on a regular basis.
>>Please send private responses to jaltman at mit dot edu
> 
> 
> 

-- 
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
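
Added example, not part of the original thread: a small parser for the krb5kdc request lines quoted above. It pulls out the enctypes the client offered, the ones the KDC reported on ISSUE, and the client and server principals, and lists client names that differ only by case. The function names are introduced here; the sample lines are the quoted log entries re-joined onto one line each, with " at " being the list archive's masking of "@".

```python
import re
# IANA-assigned enctype numbers that occur in the quoted logs.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac", 24: "rc4-hmac-exp"}
REQ_RE = re.compile(
    r"(?P<type>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[-\d ]+)\}\) "
    r"(?P<addr>[\d.]+)\(\d+\): (?P<status>[A-Z_]+): (?P<rest>.*)")
ISSUED_RE = re.compile(r"etypes \{rep=(-?\d+) tkt=(-?\d+) ses=(-?\d+)\}")
PRINC_RE = re.compile(r"(?P<client>[^\s,]+@[^\s,]+) for (?P<server>[^\s,]+)")

def etype_name(n):
    # Negative numbers are vendor-private values and are not named here.
    return ETYPE_NAMES.get(n, "private" if n < 0 else "other")

def parse_kdc_line(line):
    """Parse one AS_REQ/TGS_REQ line; return None for any other log line."""
    m = REQ_RE.search(line.replace(" at ", "@"))  # undo the archive's address masking
    if not m:
        return None
    rec = {"type": m["type"], "status": m["status"], "addr": m["addr"],
           "offered": [int(e) for e in m["offered"].split()], "issued": None}
    issued = ISSUED_RE.search(m["rest"])
    if issued:  # only ISSUE lines report the enctypes the KDC actually chose
        rec["issued"] = dict(zip(("rep", "tkt", "ses"), map(int, issued.groups())))
    princ = PRINC_RE.search(m["rest"])
    rec["client"], rec["server"] = (princ["client"], princ["server"]) if princ else (None, None)
    return rec

def case_variants(records):
    """Client principals that appear under more than one upper/lower-case spelling."""
    seen = {}
    for r in records:
        if r["client"]:
            seen.setdefault(r["client"].lower(), set()).add(r["client"])
    return {k: v for k, v in seen.items() if len(v) > 1}

# Sample input: lines from the logs quoted above, re-joined, syslog prefix dropped.
R, OFFER = "SEC400.ITC.RITEAID.COM", "{23 -133 -128 3 1 24 -135}"
SAMPLE = [
    f"AS_REQ (7 etypes {OFFER}) 10.3.1.70(88): NEEDED_PREAUTH: krbtest at {R} for krbtgt/{R} at {R}, Additional pre-authentication required",
    f"AS_REQ (2 etypes {{3 1}}) 10.3.1.70(88): ISSUE: authtime 1084281164, etypes {{rep=3 tkt=16 ses=1}}, krbtest at {R} for krbtgt/{R} at {R}",
    f"TGS_REQ (7 etypes {OFFER}) 10.3.1.70(88): UNKNOWN_SERVER: authtime 1084281164, krbtest at {R} for krbsvr400/sys400c.itc.riteaid.com at {R}, Server not found in Kerberos database",
    "preauth (timestamp) verify failure: No matching key in entry",
    f"AS_REQ (2 etypes {{3 1}}) 10.3.1.70(88): PREAUTH_FAILED: KRBTEST at {R} for krbtgt/{R} at {R}, Preauthentication failed",
]
RECORDS = [r for r in map(parse_kdc_line, SAMPLE) if r]
if __name__ == "__main__":
    for r in RECORDS:
        print(r["type"], r["status"], r["client"], [etype_name(n) for n in r["offered"]], r["issued"])
    print("case variants:", case_variants(RECORDS))
```
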

