UNKNOWN_SERVER - Server not ,found in Kerberos database

Jeffrey Altman jaltman at secure-endpoints.com
Wed Apr 18 17:16:29 EDT 2007


Jeff Blaine wrote:
> Jeffrey Altman wrote:
>> Jeff Blaine wrote:
>>> As always with things like this, it's hard to determine
>>> whether to send this here or to openafs-info.
>>>
>>> Can anyone tell me what is going on here?  This is what
>>> krb5kdc logged when I logged into 129.83.11.213.
>>>
>>> -- sshd + UsePAM
>>> -- pam_krb5.so (RHELv4)
>>> -- pam_afs_session.so (PAM session module which uses aklog to
>>>     get tokens from a K5 ticket).
>>>
>>> Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
>>> etypes {3}) 129.83.11.213: UNKNOWN_SERVER: authtime 1176929167,
>>> jblaine at rcf.foo.com for afs/rcf.foo.com at rcf.foo.com, Server not
>>> found in Kerberos database
>>>
>>> Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
>>> etypes {1}) 129.83.11.213: UNKNOWN_SERVER: authtime 1176929167,
>>> jblaine at rcf.foo.com for afs/rcf.foo.com at rcf.foo.com, Server not
>>> found in Kerberos database
>>>
>>> Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
>>> etypes {1}) 129.83.11.213: ISSUE: authtime 1176929167, etypes {rep=16
>>> tkt=1 ses=1}, jblaine at rcf.foo.com for afs at rcf.foo.com
>>
>> Do you really have a lowercased realm?
>
> Yes.  No good?

Its not recommended.  From RFC 4120 Section 6.1 Realm Names:

" Domain style realm names MUST look like domain names: they consist of
components separated by periods (.) and they contain neither colons (:)
nor slashes (/). Though domain names themselves are case insensitive, in
order for realms to match, the case must match as well. When
establishing a new realm name based on an internet domain name it is
recommended by convention that the characters be converted to uppercase."

Since your realm names are lowercase, the error messages above indicate
that your KDC does not know of a principal called
afs/rcf.foo.com at rcf.foo.com but does not of one called afs at rcf.foo.com.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3355 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20070418/d0939892/attachment.bin


More information about the Kerberos mailing list