Lots of UNKNOWN_SERVER this time... whoa

Jeff Blaine jblaine at kickflop.net
Tue Apr 24 13:11:40 EDT 2007


Hi Russ,

 > Your PAM module seems to be probing for a default realm by
 > trying various manipulations of your local hostname.  Usually
 > this would indicate that your krb5.conf isn't setting a local
 > realm.

Here's /etc/krb5.conf.  Using 'kinit jblaine' asks me for
the password for jblaine at RCF.FOO.COM, so I believe it is
using krb5.conf fine.

[libdefaults]
     default_realm = RCF.FOO.COM
     forwardable = yes

[appdefaults]
     forwardable = yes

[domain_realm]
     .foo.com = RCF.FOO.COM
     foo.com = RCF.FOO.COM

[realms]
     RCF.FOO.COM = {
         kdc = kdc.foo.com
         admin_server = kdc.foo.com
     }

[logging]
     kdc = FILE:/var/adm/krb5kdc.log
     admin_server = FILE:/var/adm/kadmin.log
     default = FILE:/var/adm/krb5lib.log

 > Does the stock pam_krb5.so on Solaris look for krb5.conf in
 > some different path than the one that you updated, perhaps?

The only Solaris box in the picture is the KDC, kdc.foo.com.

pam_krb5.so is in use on the client, rcf-kerbtest-linux.foo.com
(aka 129.83.11.213).

All pam_krb5.so modules in use are stock.

 >> Apr 23 15:10:44 kdc.foo.com krb5kdc[12698](info): TGS_REQ
 >> (1 etypes {3}) 129.83.11.213: UNKNOWN_SERVER: authtime 1177355435,
 >> jblaine at RCF.FOO.COM for afsx/rcf.foo.com at RCF.FOO.COM, Server not
 >> found in Kerberos database
 >
 > These are interesting.  I've not heard of afsx before.  What aklog
 > are you using?

Interesting indeed.  OpenAFS 1.4.3 aklog.

I just found the reference in the RHELv4 pam_krb5.so
on the client box:

     # strings /lib/security/pam_krb5.so | grep afsx
     afsx
     #
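
To see which requested principals account for the UNKNOWN_SERVER entries, the KDC log can be tallied by client and service principal. This is an added example, not part of the original post: the function names are hypothetical, and every sample line except the afsx one quoted above is constructed.

```python
import re
from collections import Counter

# The list archive rewrites "@" as " at "; accept both spellings.
AT = r"(?:@| at )"
# krb5kdc TGS_REQ failure line, in the format quoted in this thread.
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): TGS_REQ \(.*?\) (?P<client_ip>[\d.]+): "
    r"UNKNOWN_SERVER: authtime \d+,\s+"
    r"(?P<client>\S+" + AT + r"\S+) for (?P<service>\S+" + AT + r"[^\s,]+),"
)

def unknown_servers(lines):
    """Count UNKNOWN_SERVER TGS_REQ failures per (client IP, requested service)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            service = m.group("service").replace(" at ", "@")
            counts[(m.group("client_ip"), service)] += 1
    return counts

def by_primary(counts):
    """Collapse counts to the principal's first component (afsx, krbtgt, ...)."""
    out = Counter()
    for (_ip, service), n in counts.items():
        out[service.split("/")[0].split("@")[0]] += n
    return out

PREFIX = "kdc.foo.com krb5kdc[12698](info): TGS_REQ (1 etypes {3}) 129.83.11.213: "
SAMPLE_LOG = [
    # From the thread, joined onto one line (archive form, " at " for "@").
    "Apr 23 15:10:44 " + PREFIX + "UNKNOWN_SERVER: authtime 1177355435, "
    "jblaine at RCF.FOO.COM for afsx/rcf.foo.com at RCF.FOO.COM, "
    "Server not found in Kerberos database",
    # Constructed: the same request as it would appear in the raw log.
    "Apr 23 15:10:45 " + PREFIX + "UNKNOWN_SERVER: authtime 1177355435, "
    "jblaine@RCF.FOO.COM for afsx/rcf.foo.com@RCF.FOO.COM, "
    "Server not found in Kerberos database",
    # Constructed: a lookup for a realm that is not in the KDC database.
    "Apr 23 15:10:46 " + PREFIX + "UNKNOWN_SERVER: authtime 1177355435, "
    "jblaine@RCF.FOO.COM for krbtgt/FOO.COM@RCF.FOO.COM, "
    "Server not found in Kerberos database",
    # Constructed: a successful request, which must not be counted.
    "Apr 23 15:10:47 " + PREFIX + "ISSUE: authtime 1177355435, etypes "
    "{rep=3 tkt=3 ses=3}, jblaine@RCF.FOO.COM for host/x.foo.com@RCF.FOO.COM",
]

if __name__ == "__main__":
    for (ip, service), n in unknown_servers(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {ip}  {service}")
```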


