UNKNOWN_SERVER Error on KRB5?

Joe Bryant JBryant at RiteAid.com
Mon May 10 15:51:17 EDT 2004


I am very new to Kerberos, and trying to do what seems a very complex task
with it. We are a big mainframe 390/zOS shop, with AS/400's, and Windows
clients. We currently have the zOS configured as a KDC, and can point a
Windows box to it to get a TGT, then a service ticket, to access the AS/400
through the windows "runas" command, and all works well. Of course, that is
not exactly what we NEED, so I have to add a Linux/KRB5 kdc, because we need
to be able to force the passwords on the ID as part of a behind the scenes
biometric solution. Now, with all that said, most is not important to my
real problem. The issue is, when I point the windows box to my new kdc on
Linux, I run into a couple of issues I do not really understand.

First, we were using an upper case userid. When I create one in this
configureation, I can get it from the windows box using leash32 to test, but
it fails when using the runas. With all else the same, a lower case ID is
successful at retreiving a TGT.

Second, when I do get a TGT, and a second call is made to get the service
ticket, I get at my server a messages:

May 07 11:25:29 SEC400 krb5kdc[208](info): AS_REQ (7 etypes {23 -133 -128 3
1 24 -135}) 10.3.1.70(88): NEEDED_PREAUTH: krbtest at SEC400.ITC.RITEAID.COM
for krbtgt/SEC400.ITC.RITEAID.COM at SEC400.ITC.RITEAID.COM, Additional
pre-authentication required
May 07 11:25:29 SEC400 krb5kdc[208](info): AS_REQ (2 etypes {3 1})
10.3.1.70(88): ISSUE: authtime 1083943529, etypes {rep=3 tkt=16 ses=1},
krbtest at SEC400.ITC.RITEAID.COM for
krbtgt/SEC400.ITC.RITEAID.COM at SEC400.ITC.RITEAID.COM
May 07 11:25:29 SEC400 krb5kdc[208](info): TGS_REQ (7 etypes {23 -133 -128 3
1 24 -135}) 10.3.1.70(88): UNKNOWN_SERVER: authtime 1083943529,
krbtest at SEC400.ITC.RITEAID.COM for
krbsvr400/sys400c.itc.riteaid.com at SEC400.ITC.RITEAID.COM, Server not found
in Kerberos database

I have tried every thing I could think of, but just can't seem to make any
headway. Any advice from some of you long time KRB experts would be greatly
appreciated.

Joe Bryant
Sr. Sys. Prog.
Rite Aid Corp.




More information about the Kerberos mailing list