UNKNOWN_SERVER Error on KRB5?
Joe Bryant
JBryant at RiteAid.com
Tue May 11 09:14:05 EDT 2004
"Jeffrey Altman" <jaltman2 at nyc.rr.com> wrote in message
news:409FEA22.7060505 at nyc.rr.com...
> What error messages do you receive in the KDC logs when you use the
> upper cased name from the runas?
With lowercase ID:
May 11 09:12:44 SEC400 krb5kdc[208](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.3.1.70(88): NEEDED_PREAUTH: krbtest at SEC400.ITC.RITEAID.COM for krbtgt/SEC400.ITC.RITEAID.COM at SEC400.ITC.RITEAID.COM, Additional pre-authentication required
May 11 09:12:44 SEC400 krb5kdc[208](info): AS_REQ (2 etypes {3 1}) 10.3.1.70(88): ISSUE: authtime 1084281164, etypes {rep=3 tkt=16 ses=1}, krbtest at SEC400.ITC.RITEAID.COM for krbtgt/SEC400.ITC.RITEAID.COM at SEC400.ITC.RITEAID.COM
May 11 09:12:44 SEC400 krb5kdc[208](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.3.1.70(88): UNKNOWN_SERVER: authtime 1084281164, krbtest at SEC400.ITC.RITEAID.COM for krbsvr400/sys400c.itc.riteaid.com at SEC400.ITC.RITEAID.COM, Server not found in Kerberos database
With uppercase ID:
May 11 09:14:00 SEC400 krb5kdc[208](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.3.1.70(88): NEEDED_PREAUTH: KRBTEST at SEC400.ITC.RITEAID.COM for krbtgt/SEC400.ITC.RITEAID.COM at SEC400.ITC.RITEAID.COM, Additional pre-authentication required
May 11 09:14:00 SEC400 krb5kdc[208](info): preauth (timestamp) verify failure: No matching key in entry
May 11 09:14:00 SEC400 krb5kdc[208](info): AS_REQ (2 etypes {3 1}) 10.3.1.70(88): PREAUTH_FAILED: KRBTEST at SEC400.ITC.RITEAID.COM for krbtgt/SEC400.ITC.RITEAID.COM at SEC400.ITC.RITEAID.COM, Preauthentication failed
May 11 09:14:00 SEC400 krb5kdc[208](info): no valid preauth type found: Success
May 11 09:14:00 SEC400 krb5kdc[208](info): AS_REQ (2 etypes {3 1}) 10.3.1.70(88): PREAUTH_FAILED: KRBTEST at SEC400.ITC.RITEAID.COM for krbtgt/SEC400.ITC.RITEAID.COM at SEC400.ITC.RITEAID.COM, Preauthentication failed
May 11 09:14:00 SEC400 krb5kdc[208](info): DISPATCH: repeated (retransmitted?) request from 10.3.1.70 port 88, resending previous response
May 11 09:14:00 SEC400 krb5kdc[208](info): DISPATCH: repeated (retransmitted?) request from 10.3.1.70 port 88, resending previous response
>
> Did you reconfigure the Windows machine to authenticate to the Linux KDC
> with KSETUP.EXE?
Current ksetup (have tried others):
Machine is not configured to log on to an external KDC. Probably a
workgroup member
ITC.RITEAID.COM:
kdc = sy29.s390.riteaid.com
Realm Flags = 0x0 none
SEC400.ITC.RITEAID.COM:
kdc = SEC400.ITC.RITEAID.COM
Realm Flags = 0x0 none
No user mappings defined.
>
> Why do you need to use RUNAS at all?
Runas is the only way we have seen to get tickets available to a program
dynam, and since we have to launch a program based on WHO did the biometric
scan, it was the only option we saw. Always open to others if you know any.
>
> Jeffrey Altman
>
>
> Joe Bryant wrote:
> > I am very new to Kerberos, and trying to do what seems a very complex task
> > with it. We are a big mainframe 390/zOS shop, with AS/400's, and Windows
> > clients. We currently have the zOS configured as a KDC, and can point a
> > Windows box to it to get a TGT, then a service ticket, to access the AS/400
> > through the windows "runas" command, and all works well. Of course, that is
> > not exactly what we NEED, so I have to add a Linux/KRB5 kdc, because we need
> > to be able to force the passwords on the ID as part of a behind the scenes
> > biometric solution. Now, with all that said, most is not important to my
> > real problem. The issue is, when I point the windows box to my new kdc on
> > Linux, I run into a couple of issues I do not really understand.
> >
> > First, we were using an upper case userid. When I create one in this
> > configuration, I can get it from the windows box using leash32 to test, but
> > it fails when using the runas. With all else the same, a lower case ID is
> > successful at retrieving a TGT.
> >
> > Second, when I do get a TGT, and a second call is made to get the service
> > ticket, I get at my server a message:
> >
> > May 07 11:25:29 SEC400 krb5kdc[208](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.3.1.70(88): NEEDED_PREAUTH: krbtest at SEC400.ITC.RITEAID.COM for krbtgt/SEC400.ITC.RITEAID.COM at SEC400.ITC.RITEAID.COM, Additional pre-authentication required
> > May 07 11:25:29 SEC400 krb5kdc[208](info): AS_REQ (2 etypes {3 1}) 10.3.1.70(88): ISSUE: authtime 1083943529, etypes {rep=3 tkt=16 ses=1}, krbtest at SEC400.ITC.RITEAID.COM for krbtgt/SEC400.ITC.RITEAID.COM at SEC400.ITC.RITEAID.COM
> > May 07 11:25:29 SEC400 krb5kdc[208](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.3.1.70(88): UNKNOWN_SERVER: authtime 1083943529, krbtest at SEC400.ITC.RITEAID.COM for krbsvr400/sys400c.itc.riteaid.com at SEC400.ITC.RITEAID.COM, Server not found in Kerberos database
> >
> > I have tried everything I could think of, but just can't seem to make any
> > headway. Any advice from some of you long time KRB experts would be greatly
> > appreciated.
> >
> > Joe Bryant
> > Sr. Sys. Prog.
> > Rite Aid Corp.
> >
> >
>
> --
> -----------------
> This e-mail account is not read on a regular basis.
> Please send private responses to jaltman at mit dot edu
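
An added example, not part of the original message or of MIT Kerberos: a small parser for the krb5kdc entries quoted in this thread that lists the requests the KDC rejected and flags client principals that differ only in letter case. The function names and the " at " to "@" normalisation (undoing the list archive's address masking) are assumptions of this example.

```python
import re
from collections import defaultdict

# KDC log entries copied from the message above, with the mail wraps rejoined.
# The list archive rewrites "@" as " at "; normalise() undoes that.
SAMPLE_LOG = """\
May 11 09:12:44 SEC400 krb5kdc[208](info): AS_REQ (2 etypes {3 1}) 10.3.1.70(88): ISSUE: authtime 1084281164, etypes {rep=3 tkt=16 ses=1}, krbtest at SEC400.ITC.RITEAID.COM for krbtgt/SEC400.ITC.RITEAID.COM at SEC400.ITC.RITEAID.COM
May 11 09:12:44 SEC400 krb5kdc[208](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.3.1.70(88): UNKNOWN_SERVER: authtime 1084281164, krbtest at SEC400.ITC.RITEAID.COM for krbsvr400/sys400c.itc.riteaid.com at SEC400.ITC.RITEAID.COM, Server not found in Kerberos database
May 11 09:14:00 SEC400 krb5kdc[208](info): preauth (timestamp) verify failure: No matching key in entry
May 11 09:14:00 SEC400 krb5kdc[208](info): AS_REQ (2 etypes {3 1}) 10.3.1.70(88): PREAUTH_FAILED: KRBTEST at SEC400.ITC.RITEAID.COM for krbtgt/SEC400.ITC.RITEAID.COM at SEC400.ITC.RITEAID.COM, Preauthentication failed
"""

# One AS_REQ/TGS_REQ entry: request type, client address, status, principals.
ENTRY = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) \(.*?\) "
    r"(?P<ip>[\d.]+)\(\d+\): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, )?(?:etypes \{.*?\}, )?"
    r"(?P<client>\S+) for (?P<server>[^,\s]+)"
)

# Statuses that belong to a normal exchange rather than a rejection.
EXPECTED = {"ISSUE", "NEEDED_PREAUTH"}

def normalise(line):
    """Undo the archive masking (assumes ' at ' occurs only inside principals)."""
    return line.replace(" at ", "@")

def parse_kdc_log(text):
    """Return one dict per AS_REQ/TGS_REQ entry; other krb5kdc lines are skipped."""
    matches = (ENTRY.search(normalise(line)) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def failures(entries):
    """Entries whose status is not part of a successful exchange."""
    return [e for e in entries if e["status"] not in EXPECTED]

def case_variants(entries):
    """Groups of client principals that differ only in letter case."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["client"].lower()].add(e["client"])
    return sorted(sorted(v) for v in seen.values() if len(v) > 1)

if __name__ == "__main__":
    parsed = parse_kdc_log(SAMPLE_LOG)
    for e in failures(parsed):
        print(e["req"], e["status"], e["client"], "->", e["server"])
    print("case variants:", case_variants(parsed))
```
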