Lots of UNKNOWN_SERVER this time... whoa
Russ Allbery
rra at stanford.edu
Mon Apr 23 18:08:19 EDT 2007
Jeff Blaine <jblaine at kickflop.net> writes:
> Stumped again :) Any help would be great. I am clearly doing something
> poorly.
> Alright, I completely nuked my krb5kdc directory and started over from
> scratch with an all-caps realm name. I updated krb5.conf and kdc.conf
> accordingly (beforehand).
> Now a simple SINGLE authentication (which works) + AFS token getting via
> pam_afs_session.so (which works) takes 10 seconds and generates 256
> lines of log information!
Your PAM module seems to be probing for a default realm by trying various
manipulations of your local hostname. Usually this would indicate that
your krb5.conf isn't setting a local realm.
> ==============================================================
> KDC: Solaris 9 + MIT 1.6
> Client: RHELv4 + stock SSH + stock pam_krb5.so + pam_afs_session.so
Does the stock pam_krb5.so on Solaris look for krb5.conf in some different
path than the one that you updated, perhaps?
> Apr 23 15:10:44 kdc.foo.com krb5kdc[12698](info): TGS_REQ (1 etypes {1})
> 129.83.11.213: UNKNOWN_SERVER: authtime 1177355435, jblaine at RCF.FOO.COM
> for afsx/rcf.foo.com at RCF.FOO.COM, Server not found in Kerberos database
> Apr 23 15:10:44 kdc.foo.com krb5kdc[12698](info): TGS_REQ (1 etypes {2})
> 129.83.11.213: UNKNOWN_SERVER: authtime 1177355435, jblaine at RCF.FOO.COM
> for afsx/rcf.foo.com at RCF.FOO.COM, Server not found in Kerberos database
> Apr 23 15:10:44 kdc.foo.com krb5kdc[12698](info): TGS_REQ (1 etypes {3})
> 129.83.11.213: UNKNOWN_SERVER: authtime 1177355435, jblaine at RCF.FOO.COM
> for afsx/rcf.foo.com at RCF.FOO.COM, Server not found in Kerberos database
These are interesting. I've not heard of afsx before. What aklog are you
using?
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
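
Added example, not part of the original message or of any tool named in it: a short Python script that collapses repeated UNKNOWN_SERVER lines like those quoted above into one row per client address and requested principal, so a long burst reduces to the few names the client is actually asking the KDC for. The sample lines are constructed from the quoted excerpt with the wrapped lines rejoined; the `host/client.example.com` entry and the ISSUE line are made up for illustration.

```python
import re
from collections import Counter

# krb5kdc TGS_REQ failure line, as quoted in the thread. The list archive
# rewrote "@" as " at ", so both spellings are accepted.
UNKNOWN_SERVER = re.compile(
    r"krb5kdc\[\d+\]\(info\): TGS_REQ \(\d+ etypes \{(?P<etypes>[\d ]+)\}\) "
    r"(?P<addr>\S+): UNKNOWN_SERVER: authtime \d+, "
    r"(?P<client>\S+?)(?:@| at )(?P<crealm>\S+) for "
    r"(?P<service>\S+?)(?:@| at )(?P<srealm>[^\s,]+),"
)

# Constructed sample input (see the note above the block).
_PFX = "Apr 23 15:10:44 kdc.foo.com krb5kdc[12698](info): TGS_REQ "
_WHO = "authtime 1177355435, jblaine at RCF.FOO.COM for "
_ERR = ", Server not found in Kerberos database"
SAMPLE_LOG = [
    f"{_PFX}(1 etypes {{{n}}}) 129.83.11.213: UNKNOWN_SERVER: {_WHO}"
    f"afsx/rcf.foo.com at RCF.FOO.COM{_ERR}"
    for n in (1, 2, 3)
] + [
    # Made-up line using "@" and a placeholder principal.
    f"{_PFX}(1 etypes {{1}}) 129.83.11.213: UNKNOWN_SERVER: authtime 1177355435, "
    f"jblaine@RCF.FOO.COM for host/client.example.com@RCF.FOO.COM{_ERR}",
    # Made-up successful request; it must not be counted.
    f"{_PFX}(1 etypes {{1}}) 129.83.11.213: ISSUE: authtime 1177355435, "
    "etypes {rep=16 tkt=16 ses=1}, jblaine@RCF.FOO.COM for afs@RCF.FOO.COM",
]


def summarize(lines):
    """Return (address, service principal, count, etypes tried), busiest first."""
    counts, etypes = Counter(), {}
    for line in lines:
        m = UNKNOWN_SERVER.search(line)
        if not m:
            continue  # not a TGS_REQ UNKNOWN_SERVER entry
        key = (m["addr"], f'{m["service"]}@{m["srealm"]}')
        counts[key] += 1
        etypes.setdefault(key, set()).update(m["etypes"].split())
    return [(addr, svc, n, sorted(etypes[(addr, svc)], key=int))
            for (addr, svc), n in counts.most_common()]


if __name__ == "__main__":
    for addr, svc, n, tried in summarize(SAMPLE_LOG):
        print(f"{n:4d}  {addr:15s}  {svc}  etypes tried: {','.join(tried)}")
```
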