Lots of UNKNOWN_SERVER this time... whoa
Jeff Blaine
jblaine at kickflop.net
Mon Apr 30 14:56:27 EDT 2007
I think I see part of the problem, and don't know who is
to "blame" for it.
The command 'kdb5_util create -r RCF.FOO.COM -s' created
krbtgt/RCF.FOO.COM@RCF.FOO.COM
The authentication process is trying to find
krbtgt/rcf.foo.com@RCF.FOO.COM which does not exist.
Is kdb5_util creating an improperly named krbtgt principal
or is RHELv4 pam_krb5.so improperly naming its requested
principal (lowercasing it)?
Jeff Blaine wrote:
> Hi Russ,
>
> > Your PAM module seems to be probing for a default realm by
> > trying various manipulations of your local hostname. Usually
> > this would indicate that your krb5.conf isn't setting a local
> > realm.
>
> Here's /etc/krb5.conf. Using 'kinit jblaine' asks me for
> the password for jblaine@RCF.FOO.COM, so I believe it is
> using krb5.conf fine.
>
> [libdefaults]
> default_realm = RCF.FOO.COM
> forwardable = yes
>
> [appdefaults]
> forwardable = yes
>
> [domain_realm]
> .foo.com = RCF.FOO.COM
> foo.com = RCF.FOO.COM
>
> [realms]
> RCF.FOO.COM = {
>     kdc = kdc.foo.com
>     admin_server = kdc.foo.com
> }
>
> [logging]
> kdc = FILE:/var/adm/krb5kdc.log
> admin_server = FILE:/var/adm/kadmin.log
> default = FILE:/var/adm/krb5lib.log
>
> > Does the stock pam_krb5.so on Solaris look for krb5.conf in
> > some different path than the one that you updated, perhaps?
>
> The only Solaris box in the picture is the KDC, kdc.foo.com.
>
> pam_krb5.so is in use on the client, rcf-kerbtest-linux.foo.com
> (aka 129.83.11.213).
>
> All pam_krb5.so modules in use are stock.
>
> >> Apr 23 15:10:44 kdc.foo.com krb5kdc[12698](info): TGS_REQ
> >> (1 etypes {3}) 129.83.11.213: UNKNOWN_SERVER: authtime 1177355435,
> >> jblaine@RCF.FOO.COM for afsx/rcf.foo.com@RCF.FOO.COM, Server not
> >> found in Kerberos database
> >
> > These are interesting. I've not heard of afsx before. What aklog
> > are you using?
>
> Interesting indeed. OpenAFS 1.4.3 aklog.
>
> I just found the reference in the RHELv4 pam_krb5.so
> on the client box:
>
> # strings /lib/security/pam_krb5.so | grep afsx
> afsx
> #
>
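
Added example (not part of the original post, and not code from any Kerberos project): a small triage script for the situation described above. It reads krb5kdc UNKNOWN_SERVER entries and reports whether the requested service principal is absent or differs from an existing principal only by letter case. The function and variable names are hypothetical, the krbtgt log line and the principal list are constructed samples, and in practice the list would come from something like 'kadmin.local -q listprincs'.

```python
import re

# Pulls "client for server" out of a krb5kdc UNKNOWN_SERVER entry, in the
# format of the log line quoted in the post.
UNKNOWN_RE = re.compile(
    r"UNKNOWN_SERVER: authtime \d+,\s+(?P<client>\S+) for (?P<server>\S+),"
)

def classify_unknown_servers(log_lines, known_principals):
    """Return (server, verdict, candidates) for each UNKNOWN_SERVER line.

    verdict is "case-mismatch" when the database holds a principal that
    differs from the requested one only by letter case, else "missing".
    """
    by_folded = {}
    for princ in known_principals:
        by_folded.setdefault(princ.lower(), []).append(princ)
    results = []
    for line in log_lines:
        m = UNKNOWN_RE.search(line)
        if not m:
            continue  # not an UNKNOWN_SERVER entry
        server = m.group("server")
        candidates = [p for p in by_folded.get(server.lower(), [])
                      if p != server]
        verdict = "case-mismatch" if candidates else "missing"
        results.append((server, verdict, candidates))
    return results

# Constructed principal list (assumption: what listprincs would show).
KNOWN = ["krbtgt/RCF.FOO.COM@RCF.FOO.COM", "jblaine@RCF.FOO.COM"]

# Constructed log lines; the second mirrors the afsx entry in the post.
PREFIX = "Apr 23 15:10:44 kdc.foo.com krb5kdc[12698](info): "
TAIL = ", Server not found in Kerberos database"
LOG = [
    PREFIX + "TGS_REQ (1 etypes {3}) 129.83.11.213: UNKNOWN_SERVER: authtime "
    "1177355435, jblaine@RCF.FOO.COM for krbtgt/rcf.foo.com@RCF.FOO.COM" + TAIL,
    PREFIX + "TGS_REQ (1 etypes {3}) 129.83.11.213: UNKNOWN_SERVER: authtime "
    "1177355435, jblaine@RCF.FOO.COM for afsx/rcf.foo.com@RCF.FOO.COM" + TAIL,
    PREFIX + "some unrelated log entry",
]

if __name__ == "__main__":
    for server, verdict, candidates in classify_unknown_servers(LOG, KNOWN):
        print(f"{server}: {verdict} {candidates}")
```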