Jeff Blaine wrote:
> Jeffrey Altman wrote:
>> Jeff Blaine wrote:
>>> As always with things like this, it's hard to determine
>>> whether to send this here or to openafs-info.
>>>
>>> Can anyone tell me what is going on here? This is what
>>> krb5kdc logged when I logged into 129.83.11.213.
>>>
>>> -- sshd + UsePAM
>>> -- pam_krb5.so (RHELv4)
>>> -- pam_afs_session.so (PAM session module which uses aklog to
>>> get tokens from a K5 ticket).
>>>
>>> Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
>>> etypes {3}) 129.83.11.213: UNKNOWN_SERVER: authtime 1176929167,
>>> [EMAIL PROTECTED] for afs/[EMAIL PROTECTED], Server not
>>> found in Kerberos database
>>>
>>> Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
>>> etypes {1}) 129.83.11.213: UNKNOWN_SERVER: authtime 1176929167,
>>> [EMAIL PROTECTED] for afs/[EMAIL PROTECTED], Server not
>>> found in Kerberos database
>>>
>>> Apr 18 16:46:07 silmaril.foo.com krb5kdc[26891](info): TGS_REQ (1
>>> etypes {1}) 129.83.11.213: ISSUE: authtime 1176929167, etypes {rep=16
>>> tkt=1 ses=1}, [EMAIL PROTECTED] for [EMAIL PROTECTED]
>>
>> Do you really have a lowercased realm?
>
> Yes. No good?Its not recommended. From RFC 4120 Section 6.1 Realm Names: " Domain style realm names MUST look like domain names: they consist of components separated by periods (.) and they contain neither colons (:) nor slashes (/). Though domain names themselves are case insensitive, in order for realms to match, the case must match as well. When establishing a new realm name based on an internet domain name it is recommended by convention that the characters be converted to uppercase." Since your realm names are lowercase, the error messages above indicate that your KDC does not know of a principal called afs/[EMAIL PROTECTED] but does not of one called [EMAIL PROTECTED]
smime.p7s
Description: S/MIME Cryptographic Signature
________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
