Lots of UNKNOWN_SERVER this time... whoa

Russ Allbery rra at stanford.edu
Mon Apr 23 18:08:19 EDT 2007


Jeff Blaine <jblaine at kickflop.net> writes:

> Stumped again :)  Any help would be great.  I am clearly doing something
> poorly.

> Alright, I completely nuked my krb5kdc directory and started over from
> scratch with an all-caps realm name.  I updated krb5.conf and kdc.conf
> accordingly (beforehand).

> Now a simple SINGLE authentication (which works) + AFS token getting via
> pam_afs_session.so (which works) takes 10 seconds and generates 256
> lines of log information!

Your PAM module seems to be probing for a default realm by trying various
manipulations of your local hostname.  Usually this would indicate that
your krb5.conf isn't setting a local realm.

> ==============================================================

> KDC: Solaris 9 + MIT 1.6

> Client: RHELv4 + stock SSH + stock pam_krb5.so + pam_afs_session.so

Does the stock pam_krb5.so on Solaris look for krb5.conf in some different
path than the one that you updated, perhaps?

> Apr 23 15:10:44 kdc.foo.com krb5kdc[12698](info): TGS_REQ (1 etypes {1}) 
> 129.83.11.213: UNKNOWN_SERVER: authtime 1177355435,  jblaine at RCF.FOO.COM 
> for afsx/rcf.foo.com at RCF.FOO.COM, Server not found in Kerberos database
> Apr 23 15:10:44 kdc.foo.com krb5kdc[12698](info): TGS_REQ (1 etypes {2}) 
> 129.83.11.213: UNKNOWN_SERVER: authtime 1177355435,  jblaine at RCF.FOO.COM 
> for afsx/rcf.foo.com at RCF.FOO.COM, Server not found in Kerberos database
> Apr 23 15:10:44 kdc.foo.com krb5kdc[12698](info): TGS_REQ (1 etypes {3}) 
> 129.83.11.213: UNKNOWN_SERVER: authtime 1177355435,  jblaine at RCF.FOO.COM 
> for afsx/rcf.foo.com at RCF.FOO.COM, Server not found in Kerberos database

These are interesting.  I've not heard of afsx before.  What aklog are you
using?

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
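
Added example, not part of the original message and not code from any Kerberos or AFS project: a short Python tally of the UNKNOWN_SERVER TGS_REQ failures in a krb5kdc log, grouped by client and requested service principal, so that a 256-line burst reduces to the few principals being probed. It assumes the log layout quoted above; the sample lines are constructed from the quoted ones (unwrapped, one left with the archive's " at "), the example/ principal is made up, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the quoted krb5kdc lines (unwrapped).
# The last entry uses a made-up service principal to show the grouping.
SAMPLE_LOG = "\n".join([
    "Apr 23 15:10:44 kdc.foo.com krb5kdc[12698](info): TGS_REQ (1 etypes {1}) 129.83.11.213: UNKNOWN_SERVER: authtime 1177355435,  jblaine@RCF.FOO.COM for afsx/rcf.foo.com@RCF.FOO.COM, Server not found in Kerberos database",
    "Apr 23 15:10:44 kdc.foo.com krb5kdc[12698](info): TGS_REQ (1 etypes {2}) 129.83.11.213: UNKNOWN_SERVER: authtime 1177355435,  jblaine@RCF.FOO.COM for afsx/rcf.foo.com@RCF.FOO.COM, Server not found in Kerberos database",
    "Apr 23 15:10:44 kdc.foo.com krb5kdc[12698](info): TGS_REQ (1 etypes {3}) 129.83.11.213: UNKNOWN_SERVER: authtime 1177355435,  jblaine at RCF.FOO.COM for afsx/rcf.foo.com at RCF.FOO.COM, Server not found in Kerberos database",
    "Apr 23 15:10:45 kdc.foo.com krb5kdc[12698](info): TGS_REQ (1 etypes {1}) 129.83.11.213: UNKNOWN_SERVER: authtime 1177355435,  jblaine@RCF.FOO.COM for example/host.foo.com@RCF.FOO.COM, Server not found in Kerberos database",
])

# Accept both "user@REALM" and the list archive's "user at REALM".
TGS_RE = re.compile(
    r"TGS_REQ \(\d+ etypes \{(?P<etypes>[\d ]+)\}\) (?P<addr>\S+): "
    r"(?P<status>[A-Z_]+): authtime \d+,\s+"
    r"(?P<client>\S+?)(?:@| at )(?P<crealm>\S+) for "
    r"(?P<service>\S+?)(?:@| at )(?P<srealm>[^,\s]+)"
)


def unknown_server_summary(log_text):
    """Map (client, service) -> {"count": n, "etypes": sorted etype numbers}."""
    seen = defaultdict(lambda: {"count": 0, "etypes": set()})
    for line in log_text.splitlines():
        m = TGS_RE.search(line)
        if not m or m["status"] != "UNKNOWN_SERVER":
            continue  # not a TGS_REQ line, or not the failure we are counting
        key = (f'{m["client"]}@{m["crealm"]}', f'{m["service"]}@{m["srealm"]}')
        seen[key]["count"] += 1
        seen[key]["etypes"].update(int(e) for e in m["etypes"].split())
    return {k: {"count": v["count"], "etypes": sorted(v["etypes"])}
            for k, v in seen.items()}


if __name__ == "__main__":
    summary = unknown_server_summary(SAMPLE_LOG)
    # Most frequently requested missing principals first.
    for (client, service), info in sorted(
            summary.items(), key=lambda kv: -kv[1]["count"]):
        print(f'{info["count"]:4d}  {service}  requested by {client}  '
              f'etypes tried: {info["etypes"]}')
```

A principal retried once per enctype, as afsx/rcf.foo.com is here, shows up as a single row with several etypes rather than as separate failures.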