UNKNOWN_SERVER - Server not found in Kerberos database

As always with things like this, it's hard to determine
whether to send this here or to openafs-info.

Can anyone tell me what is going on here?  This is what
krb5kdc logged when I logged into 129.83.11.213.

-- sshd + UsePAM
-- pam_krb5.so (RHELv4)
-- pam_afs_session.so (PAM session module which uses aklog to
    get tokens from a K5 ticket).

Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
etypes {3}) 129.83.11.213: UNKNOWN_SERVER: authtime 1176929167,
jblaine@rcf.foo.com for afs/rcf.foo.com@rcf.foo.com, Server not
found in Kerberos database

Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
etypes {1}) 129.83.11.213: UNKNOWN_SERVER: authtime 1176929167,
jblaine@rcf.foo.com for afs/rcf.foo.com@rcf.foo.com, Server not
found in Kerberos database

Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
etypes {1}) 129.83.11.213: ISSUE: authtime 1176929167, etypes {rep=16
tkt=1 ses=1}, jblaine@rcf.foo.com for afs@rcf.foo.com

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

0
jblaine1 (118)
4/18/2007 8:55:04 PM

Jeff Blaine <jblaine@kickflop.net> writes:

> Can anyone tell me what is going on here?  This is what
> krb5kdc logged when I logged into 129.83.11.213.

> -- sshd + UsePAM
> -- pam_krb5.so (RHELv4)
> -- pam_afs_session.so (PAM session module which uses aklog to
>     get tokens from a K5 ticket).

> Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
> etypes {3}) 129.83.11.213: UNKNOWN_SERVER: authtime 1176929167,
> jblaine@rcf.foo.com for afs/rcf.foo.com@rcf.foo.com, Server not
> found in Kerberos database

> Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
> etypes {1}) 129.83.11.213: UNKNOWN_SERVER: authtime 1176929167,
> jblaine@rcf.foo.com for afs/rcf.foo.com@rcf.foo.com, Server not
> found in Kerberos database

> Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
> etypes {1}) 129.83.11.213: ISSUE: authtime 1176929167, etypes {rep=16
> tkt=1 ses=1}, jblaine@rcf.foo.com for afs@rcf.foo.com

This looks normal to me.  aklog tries the afs/<cell> principal first, and
when it doesn't work, falls back on the older afs@ principal.  Is anything
not working, or were you just wondering about the log messages?

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>

0
rra9 (667)
4/18/2007 9:05:13 PM
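
Added example, not part of the thread or of any project's code: a log triage helper that applies the explanation in the reply above, marking an `UNKNOWN_SERVER` entry for `afs/<cell>@<realm>` as benign only when the same client, address and authtime also obtained a ticket for `afs@<realm>`. The function names are hypothetical, and the fourth sample line (192.0.2.10, alice, host/gone.foo.com) is constructed.

```python
import re

# The three krb5kdc entries from the post, each joined onto one line, plus one
# constructed entry (client 192.0.2.10, alice, host/gone.foo.com) for contrast.
SAMPLE_LOG = """\
Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1 etypes {3}) 129.83.11.213: UNKNOWN_SERVER: authtime 1176929167, jblaine@rcf.foo.com for afs/rcf.foo.com@rcf.foo.com, Server not found in Kerberos database
Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1 etypes {1}) 129.83.11.213: UNKNOWN_SERVER: authtime 1176929167, jblaine@rcf.foo.com for afs/rcf.foo.com@rcf.foo.com, Server not found in Kerberos database
Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1 etypes {1}) 129.83.11.213: ISSUE: authtime 1176929167, etypes {rep=16 tkt=1 ses=1}, jblaine@rcf.foo.com for afs@rcf.foo.com
Apr 18 16:50:12 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1 etypes {1}) 192.0.2.10: UNKNOWN_SERVER: authtime 1176929400, alice@rcf.foo.com for host/gone.foo.com@rcf.foo.com, Server not found in Kerberos database
"""

# Fields of a krb5kdc TGS_REQ entry as they appear in the lines above.
TGS = re.compile(
    r"TGS_REQ \(\d+ etypes \{[\d ]+\}\) (?P<ip>\S+): (?P<status>[A-Z_]+): "
    r"authtime (?P<authtime>\d+), (?:etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<server>[^,\s]+)")

def parse(log):
    """Return one dict per TGS_REQ entry; other lines are skipped."""
    return [m.groupdict() for m in map(TGS.search, log.splitlines()) if m]

def classify_unknown_server(log):
    """Label each UNKNOWN_SERVER entry 'aklog-fallback' or 'unexplained'."""
    events = parse(log)
    # Tickets actually issued, keyed by requester, TGT authtime and service.
    issued = {(e["ip"], e["client"], e["authtime"], e["server"])
              for e in events if e["status"] == "ISSUE"}
    results = []
    for e in events:
        if e["status"] != "UNKNOWN_SERVER":
            continue
        name, _, realm = e["server"].rpartition("@")
        # Realm names are case sensitive, so the fallback name is compared exactly.
        key = (e["ip"], e["client"], e["authtime"], "afs@" + realm)
        benign = name.startswith("afs/") and key in issued
        results.append((e["server"], "aklog-fallback" if benign else "unexplained"))
    return results

if __name__ == "__main__":
    for server, label in classify_unknown_server(SAMPLE_LOG):
        print(f"{label:15} {server}")
```
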
Jeffrey Altman wrote:
> Jeff Blaine wrote:
>> As always with things like this, it's hard to determine
>> whether to send this here or to openafs-info.
>>
>> Can anyone tell me what is going on here?  This is what
>> krb5kdc logged when I logged into 129.83.11.213.
>>
>> -- sshd + UsePAM
>> -- pam_krb5.so (RHELv4)
>> -- pam_afs_session.so (PAM session module which uses aklog to
>>     get tokens from a K5 ticket).
>>
>> Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
>> etypes {3}) 129.83.11.213: UNKNOWN_SERVER: authtime 1176929167,
>> jblaine@rcf.foo.com for afs/rcf.foo.com@rcf.foo.com, Server not
>> found in Kerberos database
>>
>> Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
>> etypes {1}) 129.83.11.213: UNKNOWN_SERVER: authtime 1176929167,
>> jblaine@rcf.foo.com for afs/rcf.foo.com@rcf.foo.com, Server not
>> found in Kerberos database
>>
>> Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
>> etypes {1}) 129.83.11.213: ISSUE: authtime 1176929167, etypes {rep=16
>> tkt=1 ses=1}, jblaine@rcf.foo.com for afs@rcf.foo.com
> 
> Do you really have a lowercased realm?

Yes.  No good?

0
jblaine1 (118)
4/18/2007 9:07:23 PM
Russ Allbery wrote:
> Jeff Blaine <jblaine@kickflop.net> writes:
> 
>> Can anyone tell me what is going on here?  This is what
>> krb5kdc logged when I logged into 129.83.11.213.
> 
>> -- sshd + UsePAM
>> -- pam_krb5.so (RHELv4)
>> -- pam_afs_session.so (PAM session module which uses aklog to
>>     get tokens from a K5 ticket).
> 
>> Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
>> etypes {3}) 129.83.11.213: UNKNOWN_SERVER: authtime 1176929167,
>> jblaine@rcf.foo.com for afs/rcf.foo.com@rcf.foo.com, Server not
>> found in Kerberos database
> 
>> Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
>> etypes {1}) 129.83.11.213: UNKNOWN_SERVER: authtime 1176929167,
>> jblaine@rcf.foo.com for afs/rcf.foo.com@rcf.foo.com, Server not
>> found in Kerberos database
> 
>> Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
>> etypes {1}) 129.83.11.213: ISSUE: authtime 1176929167, etypes {rep=16
>> tkt=1 ses=1}, jblaine@rcf.foo.com for afs@rcf.foo.com
> 
> This looks normal to me.  aklog tries the afs/<cell> principal first, and
> when it doesn't work, falls back on the older afs@ principal.  Is anything
> not working, or were you just wondering about the log messages?

I had a feeling that was the case.  Nothing is broken.  I was
just curious about the messages.

0
jblaine1 (118)
4/18/2007 9:08:25 PM
Jeff Blaine <jblaine@kickflop.net> writes:
> Jeffrey Altman wrote:

>> Do you really have a lowercased realm?

> Yes.  No good?

Well, it does work, it's just interesting.  It's not really recommended,
and up until now I thought we were the only people who deployed one in
production.

It causes a few annoyances.  I wouldn't do it again.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>

0
rra9 (667)
4/18/2007 9:12:37 PM
Jeff Blaine wrote:
> Jeffrey Altman wrote:
>   
>>> tkt=1 ses=1}, jblaine@rcf.foo.com for afs@rcf.foo.com
>>>       
>> Do you really have a lowercased realm?
>>     
>
> Yes.  No good?
>   
Not for the best. Active Directory assumes upper case everything for
example.

The FAQ at
http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#realms says:

"The convention to use uppercase for realms names arose out of the
desire to easily distinguish between DNS domain names (which are
actually case-insensitive) and Kerberos realms. The Kerberos realm name
/is/ case sensitive (the realm foo.org is different than the realm
FOO.ORG). You are not required to have an uppercase Kerberos realm, but
I would strongly advise it.

It is worth noting that the recent revisions to the Kerberos standard
have specified that uppercase realm names are preferred and lowercase
realm names have been depreciated."


0
edward4662 (13)
4/18/2007 9:23:19 PM
Edward Murrell <edward@dlconsulting.com> writes:

> It is worth noting that the recent revisions to the Kerberos standard
> have specified that uppercase realm names are preferred and lowercase
> realm names have been depreciated."

Those of us with lowercase realm names have written off their full
purchase price on our taxes.  :)

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>

0
rra9 (667)
4/18/2007 9:50:54 PM
In article <87k5w9qtdm.fsf@windlord.stanford.edu>,
 rra@stanford.edu (Russ Allbery) wrote:

> Jeff Blaine <jblaine@kickflop.net> writes:
> > Jeffrey Altman wrote:
> 
> >> Do you really have a lowercased realm?
> 
> > Yes.  No good?
> 
> Well, it does work, it's just interesting.  It's not really recommended,
> and up until now I thought we were the only people who deployed one in
> production.
> 
> It causes a few annoyances.  I wouldn't do it again.

University of Washington.  Started out as a DCE cell, which
was never deployed but the krb5 realm inherited the name.

   Donn Cave, donn@u.washington.edu
0
Donn
4/18/2007 10:10:51 PM