Lots of UNKNOWN_SERVER this time... whoa

Jeff Blaine jblaine at kickflop.net
Mon Apr 30 14:56:27 EDT 2007


I think I see part of the problem, and don't know who is
to "blame" for it.

The command 'kdb5_util create -r RCF.FOO.COM -s' created
krbtgt/RCF.FOO.COM@RCF.FOO.COM

The authentication process is trying to find
krbtgt/rcf.foo.com@RCF.FOO.COM which does not exist.

Is kdb5_util creating an improperly named krbtgt principal
or is RHELv4 pam_krb5.so improperly naming its requested
principal (lowercasing it)?

Jeff Blaine wrote:
> Hi Russ,
> 
>  > Your PAM module seems to be probing for a default realm by
>  > trying various manipulations of your local hostname.  Usually
>  > this would indicate that your krb5.conf isn't setting a local
>  > realm.
> 
> Here's /etc/krb5.conf.  Using 'kinit jblaine' asks me for
> the password for jblaine@RCF.FOO.COM, so I believe it is
> using krb5.conf fine.
> 
> [libdefaults]
>     default_realm = RCF.FOO.COM
>     forwardable = yes
> 
> [appdefaults]
>     forwardable = yes
> 
> [domain_realm]
>     .foo.com = RCF.FOO.COM
>     foo.com = RCF.FOO.COM
> 
> [realms]
>     RCF.FOO.COM = {
>         kdc = kdc.foo.com
>         admin_server = kdc.foo.com
> }
> 
> [logging]
>         kdc = FILE:/var/adm/krb5kdc.log
>         admin_server = FILE:/var/adm/kadmin.log
>         default = FILE:/var/adm/krb5lib.log
> 
>  > Does the stock pam_krb5.so on Solaris look for krb5.conf in
>  > some different path than the one that you updated, perhaps?
> 
> The only Solaris box in the picture is the KDC, kdc.foo.com.
> 
> pam_krb5.so is in use on the client, rcf-kerbtest-linux.foo.com
> (aka 129.83.11.213).
> 
> All pam_krb5.so modules in use are stock.
> 
>  >> Apr 23 15:10:44 kdc.foo.com krb5kdc[12698](info): TGS_REQ
>  >> (1 etypes {3}) 129.83.11.213: UNKNOWN_SERVER: authtime 1177355435,
>  >> jblaine@RCF.FOO.COM for afsx/rcf.foo.com@RCF.FOO.COM, Server not
>  >> found in Kerberos database
>  >
>  > These are interesting.  I've not heard of afsx before.  What aklog
>  > are you using?
> 
> Interesting indeed.  OpenAFS 1.4.3 aklog.
> 
> I just found the reference in the RHELv4 pam_krb5.so
> on the client box:
> 
>     # strings /lib/security/pam_krb5.so | grep afsx
>     afsx
>     #
> 
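An added example, not part of the original post: a small triage script for the symptom described in this message, which reads UNKNOWN_SERVER entries from a KDC log and reports whether each requested principal is absent from the database or differs from an existing principal only in letter case. The function name, the principal list and the second and third log lines are constructed for illustration; the first log line is the one quoted in the thread, joined onto one line.

```python
import re

# TGS_REQ failure format as quoted in the thread (one log entry per line).
UNKNOWN_RE = re.compile(
    r"TGS_REQ .*?(?P<ip>\d+\.\d+\.\d+\.\d+): UNKNOWN_SERVER: "
    r"authtime \d+,\s+(?P<client>\S+) for (?P<server>\S+),"
)

def classify(log_lines, known_principals):
    """Return (server, client, verdict, candidate) per UNKNOWN_SERVER entry."""
    known = set(known_principals)
    folded = {}
    for p in known_principals:
        folded.setdefault(p.lower(), p)  # case-folded name -> stored name
    findings = []
    for line in log_lines:
        m = UNKNOWN_RE.search(line)
        if not m:
            continue  # not an UNKNOWN_SERVER entry
        server = m.group("server")
        if server in known:
            verdict, candidate = "present", server  # created after the log entry
        elif server.lower() in folded:
            verdict, candidate = "case-mismatch", folded[server.lower()]
        else:
            verdict, candidate = "missing", None
        findings.append((server, m.group("client"), verdict, candidate))
    return findings

# Constructed principal list, one name per line as `kadmin.local -q listprincs` prints.
KNOWN = ["K/M@RCF.FOO.COM", "jblaine@RCF.FOO.COM", "krbtgt/RCF.FOO.COM@RCF.FOO.COM"]

PREFIX = "kdc.foo.com krb5kdc[12698](info): "
SAMPLE_LOG = [
    # From the thread:
    "Apr 23 15:10:44 " + PREFIX + "TGS_REQ (1 etypes {3}) 129.83.11.213: UNKNOWN_SERVER: "
    "authtime 1177355435, jblaine@RCF.FOO.COM for afsx/rcf.foo.com@RCF.FOO.COM, "
    "Server not found in Kerberos database",
    # Constructed: the lowercased krbtgt lookup described in the message.
    "Apr 23 15:10:45 " + PREFIX + "TGS_REQ (1 etypes {3}) 129.83.11.213: UNKNOWN_SERVER: "
    "authtime 1177355435, jblaine@RCF.FOO.COM for krbtgt/rcf.foo.com@RCF.FOO.COM, "
    "Server not found in Kerberos database",
    # Constructed: a successful request, which the script skips.
    "Apr 23 15:10:35 " + PREFIX + "AS_REQ (1 etypes {3}) 129.83.11.213: ISSUE: "
    "authtime 1177355435, etypes {rep=3 tkt=16 ses=3}, jblaine@RCF.FOO.COM "
    "for krbtgt/RCF.FOO.COM@RCF.FOO.COM",
]

if __name__ == "__main__":
    for server, client, verdict, candidate in classify(SAMPLE_LOG, KNOWN):
        print(f"{verdict:14} {server} (client {client}) -> {candidate}")
```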


