krb5kdc_err_s_principal_unknown on Windows Kerberos Domain

Will westes-usc at noemail.nospam
Sun Jul 9 01:30:49 EDT 2006


"Richard E. Silverman" <res at qoxp.net> wrote in message
news:m27j2ofpkf.fsf at darwin.oankali.net...
> >>>>> "Will" == Will  <DELETE_westes at earthbroadcast.com> writes:
>     Will> "Richard E. Silverman" <res at qoxp.net> wrote in message
>     Will> news:m2slldfia5.fsf at darwin.oankali.net...  By example, member
>     Will> server A is contacting domain controller my-dc1 in Windows
>     Will> domain hq.corp.com. What I am seeing in the sniffer trace is
>     Will> that the member server A asks the my-dc1 domain controller in
>     Will> its role as a Kerberos ticket granter for a ticket to the domain
>     Will> (i.e., krbtgt/hq.corp.com).
>     >>  Is the realm in the request also correct?
>
>     Will> I'm not a Kerberos person, so I don't understand the question.
>     Will> Are you asking if the Windows domain name is being spelled
>     Will> correctly?  The answer to that would be yes.
>
> No; the full principal name should be (I guess)
> krbtgt/hq.corp.com@HQ.CORP.COM; the final part is the Kerberos "realm."
> It may not be represented this way in the network trace, but there should
> be a "realm" part of the data structure nearby.

In a sniffer trace, the REALM: parameter is filled in as HQ.CORP.COM, so
apparently it is correct.

I looked more carefully, and it looks like your original guess is still on
the right track. The request for the following is succeeding:

    krbtgt/hq.corp.com

The request for the following is failing:

    HOST/hq.corp.com

And there is no userid named "Host" on the domain controller which is the
ticket granting server. Any idea on why the Kerberos client is asking for
this HOST record, and is it a normal thing for it to ask for such a record
for the realm itself and fail?

-- 
Will




