UNKNOWN_SERVER Error on KRB5?

Joe Bryant JBryant at RiteAid.com
Tue May 11 09:40:51 EDT 2004


I am not sure how to see that, but it was created in exactly the same way as
the krbtest ID.

"Jeffrey Altman" <jaltman2 at nyc.rr.com> wrote in message
news:40A0D7D8.4030802 at nyc.rr.com...
> What enctypes are supported for the principal
>
> KRBTEST at SEC400.ITC.RITEAID.COM
>
> ??
>
>
>
> Joe Bryant wrote:
> > "Jeffrey Altman" <jaltman2 at nyc.rr.com> wrote in message
> > news:409FEA22.7060505 at nyc.rr.com...
> >
> >>What error messages do you receive in the KDC logs when you use the
> >>upper cased name from the runas?
> >
> >
> > With lowercase ID:
> >
> > May 11 09:12:44 SEC400 krb5kdc[208](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.3.1.70(88): NEEDED_PREAUTH: krbtest at SEC400.ITC.RITEAID.COM for krbtgt/SEC400.ITC.RITEAID.COM at SEC400.ITC.RITEAID.COM, Additional pre-authentication required
> > May 11 09:12:44 SEC400 krb5kdc[208](info): AS_REQ (2 etypes {3 1}) 10.3.1.70(88): ISSUE: authtime 1084281164, etypes {rep=3 tkt=16 ses=1}, krbtest at SEC400.ITC.RITEAID.COM for krbtgt/SEC400.ITC.RITEAID.COM at SEC400.ITC.RITEAID.COM
> > May 11 09:12:44 SEC400 krb5kdc[208](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.3.1.70(88): UNKNOWN_SERVER: authtime 1084281164, krbtest at SEC400.ITC.RITEAID.COM for krbsvr400/sys400c.itc.riteaid.com at SEC400.ITC.RITEAID.COM, Server not found in Kerberos database
> >
> > With uppercase ID:
> >
> > May 11 09:14:00 SEC400 krb5kdc[208](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.3.1.70(88): NEEDED_PREAUTH: KRBTEST at SEC400.ITC.RITEAID.COM for krbtgt/SEC400.ITC.RITEAID.COM at SEC400.ITC.RITEAID.COM, Additional pre-authentication required
> > May 11 09:14:00 SEC400 krb5kdc[208](info): preauth (timestamp) verify failure: No matching key in entry
> > May 11 09:14:00 SEC400 krb5kdc[208](info): AS_REQ (2 etypes {3 1}) 10.3.1.70(88): PREAUTH_FAILED: KRBTEST at SEC400.ITC.RITEAID.COM for krbtgt/SEC400.ITC.RITEAID.COM at SEC400.ITC.RITEAID.COM, Preauthentication failed
> > May 11 09:14:00 SEC400 krb5kdc[208](info): no valid preauth type found: Success
> > May 11 09:14:00 SEC400 krb5kdc[208](info): AS_REQ (2 etypes {3 1}) 10.3.1.70(88): PREAUTH_FAILED: KRBTEST at SEC400.ITC.RITEAID.COM for krbtgt/SEC400.ITC.RITEAID.COM at SEC400.ITC.RITEAID.COM, Preauthentication failed
> > May 11 09:14:00 SEC400 krb5kdc[208](info): DISPATCH: repeated (retransmitted?) request from 10.3.1.70 port 88, resending previous response
> > May 11 09:14:00 SEC400 krb5kdc[208](info): DISPATCH: repeated (retransmitted?) request from 10.3.1.70 port 88, resending previous response
> >
> >
> >
> >>Did you reconfigure the Windows machine to authenticate to the Linux KDC
> >>with KSETUP.EXE?
> >
> >
> > Current ksetup (have tried others):
> >
> > Machine is not configured to log on to an external KDC.  Probably a
> > workgroup member
> > ITC.RITEAID.COM:
> >         kdc = sy29.s390.riteaid.com
> >         Realm Flags = 0x0 none
> > SEC400.ITC.RITEAID.COM:
> >         kdc = SEC400.ITC.RITEAID.COM
> >         Realm Flags = 0x0 none
> > No user mappings defined.
> >
> >
> >
> >>Why do you need to use RUNAS at all?
> >
> >
> > Runas is the only way we have seen to get tickets available to a program
> > dynam, and since we have to launch a program based on WHO did the biometric
> > scan, it was the only option we saw. Always open to others if you know any.
> >
> >
> >>Jeffrey Altman
> >>
> >>
> >>Joe Bryant wrote:
> >>
> >>>I am very new to Kerberos, and trying to do what seems a very complex task
> >>>with it. We are a big mainframe 390/zOS shop, with AS/400's, and Windows
> >>>clients. We currently have the zOS configured as a KDC, and can point a
> >>>Windows box to it to get a TGT, then a service ticket, to access the AS/400
> >>>through the windows "runas" command, and all works well. Of course, that is
> >>>not exactly what we NEED, so I have to add a Linux/KRB5 kdc, because we need
> >>>to be able to force the passwords on the ID as part of a behind the scenes
> >>>biometric solution. Now, with all that said, most is not important to my
> >>>real problem. The issue is, when I point the windows box to my new kdc on
> >>>Linux, I run into a couple of issues I do not really understand.
> >>>
> >>>First, we were using an upper case userid. When I create one in this
> >>>configuration, I can get it from the windows box using leash32 to test, but
> >>>it fails when using the runas. With all else the same, a lower case ID is
> >>>successful at retrieving a TGT.
> >>>
> >>>Second, when I do get a TGT, and a second call is made to get the service
> >>>ticket, I get at my server a message:
> >>>
> >>>May 07 11:25:29 SEC400 krb5kdc[208](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.3.1.70(88): NEEDED_PREAUTH: krbtest at SEC400.ITC.RITEAID.COM for krbtgt/SEC400.ITC.RITEAID.COM at SEC400.ITC.RITEAID.COM, Additional pre-authentication required
> >>>May 07 11:25:29 SEC400 krb5kdc[208](info): AS_REQ (2 etypes {3 1}) 10.3.1.70(88): ISSUE: authtime 1083943529, etypes {rep=3 tkt=16 ses=1}, krbtest at SEC400.ITC.RITEAID.COM for krbtgt/SEC400.ITC.RITEAID.COM at SEC400.ITC.RITEAID.COM
> >>>May 07 11:25:29 SEC400 krb5kdc[208](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.3.1.70(88): UNKNOWN_SERVER: authtime 1083943529, krbtest at SEC400.ITC.RITEAID.COM for krbsvr400/sys400c.itc.riteaid.com at SEC400.ITC.RITEAID.COM, Server not found in Kerberos database
> >>>
> >>>I have tried everything I could think of, but just can't seem to make any
> >>>headway. Any advice from some of you long time KRB experts would be greatly
> >>>appreciated.
> >>>
> >>>Joe Bryant
> >>>Sr. Sys. Prog.
> >>>Rite Aid Corp.
> >>>
> >>>
> >>
> >>-- 
> >>-----------------
> >>This e-mail account is not read on a regular basis.
> >>Please send private responses to jaltman at mit dot edu
> >
> >
> >
>
> -- 
> -----------------
> This e-mail account is not read on a regular basis.
> Please send private responses to jaltman at mit dot edu
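
The KDC log lines quoted in this thread can be triaged mechanically. The following is an added example, not part of the original messages or of MIT Kerberos: it parses krb5kdc AS_REQ/TGS_REQ lines, lists UNKNOWN_SERVER and PREAUTH_FAILED requests, and for each preauth failure reports any client principal differing only in case that was issued a TGT. The sample lines are constructed; the realm EXAMPLE.TEST, host names and addresses are placeholders, and the function names are this example's own.

```python
import re

# Names for the etype numbers in the quoted KDC log lines; negatives are private-use.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               23: "rc4-hmac", 24: "rc4-hmac-exp"}
REQ_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<kind>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<etypes>[-\d ]+)\}\) (?P<src>\S+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)")
PRINC_RE = re.compile(r"(?P<client>[^\s,]+@[^\s,]+) for (?P<server>[^\s,]+@[^\s,]+)")

def etype_name(n):
    return ETYPE_NAMES.get(n, f"private({n})" if n < 0 else f"unknown({n})")

def parse_line(line):
    """Return a dict for an AS_REQ/TGS_REQ line, or None for any other line."""
    m = REQ_RE.search(line.replace(" at ", "@"))  # undo the archive's address munging
    p = PRINC_RE.search(m["rest"]) if m else None
    if not p:
        return None
    return {"kind": m["kind"], "status": m["status"], "src": m["src"],
            "etypes": [etype_name(int(e)) for e in m["etypes"].split()],
            "client": p["client"], "server": p["server"]}

def triage(lines):
    """List failed requests; preauth failures carry case-variant clients that got a TGT."""
    events = [e for e in map(parse_line, lines) if e]
    issued = {e["client"] for e in events if e["status"] == "ISSUE"}
    findings = []
    for e in events:
        if e["status"] == "UNKNOWN_SERVER":
            findings.append(("unknown_service", e["client"], e["server"]))
        elif e["status"] == "PREAUTH_FAILED":
            twins = sorted(c for c in issued
                           if c != e["client"] and c.lower() == e["client"].lower())
            findings.append(("preauth_failed", e["client"], tuple(twins)))
    return findings

# Constructed sample in the thread's log format; realm, host and address are placeholders.
PREFIX = "May 11 09:14:00 kdc1 krb5kdc[208](info): "
SAMPLE = [
    PREFIX + "AS_REQ (2 etypes {3 1}) 192.0.2.70(88): ISSUE: authtime 1084281164, etypes "
             "{rep=3 tkt=16 ses=1}, krbtest@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
    PREFIX + "TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.0.2.70(88): UNKNOWN_SERVER: "
             "authtime 1084281164, krbtest@EXAMPLE.TEST for "
             "krbsvr400/host1.example.test@EXAMPLE.TEST, Server not found in Kerberos database",
    PREFIX + "preauth (timestamp) verify failure: No matching key in entry",
    PREFIX + "AS_REQ (2 etypes {3 1}) 192.0.2.70(88): PREAUTH_FAILED: KRBTEST@EXAMPLE.TEST "
             "for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed",
]
```

Calling triage(SAMPLE) returns one unknown_service finding naming the requested service principal and one preauth_failed finding for the uppercase client, paired with the lowercase principal that did receive a TGT.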



