UNKNOWN_SERVER - Server not ,found in Kerberos database - Kerberos

This is a discussion on UNKNOWN_SERVER - Server not ,found in Kerberos database - Kerberos ; As always with things like this, it's hard to determine whether to send this here or to openafs-info. Can anyone tell me what is going on here? This is what krb5kdc logged when I logged into 129.83.11.213. -- sshd + ...

+ Reply to Thread
Results 1 to 8 of 8

Thread: UNKNOWN_SERVER - Server not ,found in Kerberos database

  1. UNKNOWN_SERVER - Server not ,found in Kerberos database

    As always with things like this, it's hard to determine
    whether to send this here or to openafs-info.

    Can anyone tell me what is going on here? This is what
    krb5kdc logged when I logged into 129.83.11.213.

    -- sshd + UsePAM
    -- pam_krb5.so (RHELv4)
    -- pam_afs_session.so (PAM session module which uses aklog to
    get tokens from a K5 ticket).

    Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
    etypes {3}) 129.83.11.213: UNKNOWN_SERVER: authtime 1176929167,
    jblaine@rcf.foo.com for afs/rcf.foo.com@rcf.foo.com, Server not
    found in Kerberos database

    Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
    etypes {1}) 129.83.11.213: UNKNOWN_SERVER: authtime 1176929167,
    jblaine@rcf.foo.com for afs/rcf.foo.com@rcf.foo.com, Server not
    found in Kerberos database

    Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
    etypes {1}) 129.83.11.213: ISSUE: authtime 1176929167, etypes {rep=16
    tkt=1 ses=1}, jblaine@rcf.foo.com for afs@rcf.foo.com

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: UNKNOWN_SERVER - Server not ,found in Kerberos database

    Jeff Blaine writes:

    > Can anyone tell me what is going on here? This is what
    > krb5kdc logged when I logged into 129.83.11.213.


    > -- sshd + UsePAM
    > -- pam_krb5.so (RHELv4)
    > -- pam_afs_session.so (PAM session module which uses aklog to
    > get tokens from a K5 ticket).


    > Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
    > etypes {3}) 129.83.11.213: UNKNOWN_SERVER: authtime 1176929167,
    > jblaine@rcf.foo.com for afs/rcf.foo.com@rcf.foo.com, Server not
    > found in Kerberos database


    > Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
    > etypes {1}) 129.83.11.213: UNKNOWN_SERVER: authtime 1176929167,
    > jblaine@rcf.foo.com for afs/rcf.foo.com@rcf.foo.com, Server not
    > found in Kerberos database


    > Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
    > etypes {1}) 129.83.11.213: ISSUE: authtime 1176929167, etypes {rep=16
    > tkt=1 ses=1}, jblaine@rcf.foo.com for afs@rcf.foo.com


    This looks normal to me. aklog tries the afs/ principal first, and
    when it doesn't work, falls back on the older afs@ principal. Is anything
    not working, or were you just wondering about the log messages?

    --
    Russ Allbery (rra@stanford.edu)
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  3. Re: UNKNOWN_SERVER - Server not ,found in Kerberos database

    Jeffrey Altman wrote:
    > Jeff Blaine wrote:
    >> As always with things like this, it's hard to determine
    >> whether to send this here or to openafs-info.
    >>
    >> Can anyone tell me what is going on here? This is what
    >> krb5kdc logged when I logged into 129.83.11.213.
    >>
    >> -- sshd + UsePAM
    >> -- pam_krb5.so (RHELv4)
    >> -- pam_afs_session.so (PAM session module which uses aklog to
    >> get tokens from a K5 ticket).
    >>
    >> Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
    >> etypes {3}) 129.83.11.213: UNKNOWN_SERVER: authtime 1176929167,
    >> jblaine@rcf.foo.com for afs/rcf.foo.com@rcf.foo.com, Server not
    >> found in Kerberos database
    >>
    >> Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
    >> etypes {1}) 129.83.11.213: UNKNOWN_SERVER: authtime 1176929167,
    >> jblaine@rcf.foo.com for afs/rcf.foo.com@rcf.foo.com, Server not
    >> found in Kerberos database
    >>
    >> Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
    >> etypes {1}) 129.83.11.213: ISSUE: authtime 1176929167, etypes {rep=16
    >> tkt=1 ses=1}, jblaine@rcf.foo.com for afs@rcf.foo.com

    >
    > Do you really have a lowercased realm?


    Yes. No good?
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  4. Re: UNKNOWN_SERVER - Server not ,found in Kerberos database

    Russ Allbery wrote:
    > Jeff Blaine writes:
    >
    >> Can anyone tell me what is going on here? This is what
    >> krb5kdc logged when I logged into 129.83.11.213.

    >
    >> -- sshd + UsePAM
    >> -- pam_krb5.so (RHELv4)
    >> -- pam_afs_session.so (PAM session module which uses aklog to
    >> get tokens from a K5 ticket).

    >
    >> Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
    >> etypes {3}) 129.83.11.213: UNKNOWN_SERVER: authtime 1176929167,
    >> jblaine@rcf.foo.com for afs/rcf.foo.com@rcf.foo.com, Server not
    >> found in Kerberos database

    >
    >> Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
    >> etypes {1}) 129.83.11.213: UNKNOWN_SERVER: authtime 1176929167,
    >> jblaine@rcf.foo.com for afs/rcf.foo.com@rcf.foo.com, Server not
    >> found in Kerberos database

    >
    >> Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
    >> etypes {1}) 129.83.11.213: ISSUE: authtime 1176929167, etypes {rep=16
    >> tkt=1 ses=1}, jblaine@rcf.foo.com for afs@rcf.foo.com

    >
    > This looks normal to me. aklog tries the afs/ principal first, and
    > when it doesn't work, falls back on the older afs@ principal. Is anything
    > not working, or were you just wondering about the log messages?


    I had a feeling that was the case. Nothing is broken. I was
    just curious about the messages.
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  5. Re: UNKNOWN_SERVER - Server not ,found in Kerberos database

    Jeff Blaine writes:
    > Jeffrey Altman wrote:


    >> Do you really have a lowercased realm?


    > Yes. No good?


    Well, it does work, it's just interesting. It's not really recommended,
    and up until now I thought we were the only people who deployed one in
    production.

    It causes a few annoyances. I wouldn't do it again.

    --
    Russ Allbery (rra@stanford.edu)
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  6. Re: UNKNOWN_SERVER - Server not ,found in Kerberos database

    Jeff Blaine wrote:
    > Jeffrey Altman wrote:
    >
    >>> tkt=1 ses=1}, jblaine@rcf.foo.com for afs@rcf.foo.com
    >>>

    >> Do you really have a lowercased realm?
    >>

    >
    > Yes. No good?
    >

    Not for the best. Active Directory assumes upper case everything for
    example.

    The FAQ at
    http://www.cmf.nrl.navy.mil/CCS/peop...aq.html#realms says;

    "The convention to use uppercase for realms names arose out of the
    desire to easily distinguish between DNS domain names (which are
    actually case-insensitive) and Kerberos realms. The Kerberos realm name
    /is/ case sensitive (the realm foo.org is different than the realm
    FOO.ORG). You are not required to have an uppercase Kerberos realm, but
    I would strongly advise it.

    It is worth noting that the recent revisions to the Kerberos standard
    have specified that uppercase realm names are preferred and lowercase
    realm names have been depreciated."

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  7. Re: UNKNOWN_SERVER - Server not ,found in Kerberos database

    Edward Murrell writes:

    > It is worth noting that the recent revisions to the Kerberos standard
    > have specified that uppercase realm names are preferred and lowercase
    > realm names have been depreciated."


    Those of us with lowercase realm names have written off their full
    purchase price on our taxes.

    --
    Russ Allbery (rra@stanford.edu)
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  8. Re: UNKNOWN_SERVER - Server not ,found in Kerberos database

    In article <87k5w9qtdm.fsf@windlord.stanford.edu>,
    rra@stanford.edu (Russ Allbery) wrote:

    > Jeff Blaine writes:
    > > Jeffrey Altman wrote:

    >
    > >> Do you really have a lowercased realm?

    >
    > > Yes. No good?

    >
    > Well, it does work, it's just interesting. It's not really recommended,
    > and up until now I thought we were the only people who deployed one in
    > production.
    >
    > It causes a few annoyances. I wouldn't do it again.


    University of Washington. Started out as a DCE cell, which
    was never deployed but the krb5 realm inherited the name.

    Donn Cave, donn@u.washington.edu

+ Reply to Thread