[OpenAFS] kerberos problems

Douglas E. Engert deengert@anl.gov
Mon, 02 Jun 2003 10:59:30 -0500


You need to add the host principal. host/bishop.dhs.org@BISHOP.DHS.ORG 
This should be well covered by the Kerberos instructions.
I would suggest that you use the kerberos@mit.edu mail list, not AFS. 


David Bishop wrote:
> 
> On Monday 02 June 2003 08:49 am, Douglas E. Engert wrote:
> > It's trying to do cross realm, from BISHOP.DHS.ORG to DHS.ORG
> > It is assuming the sshd server bishop.dhs.org is in realm DHS.ORG
> >
> > Add a [domain_realm] section to the krb5.conf with
> >
> >   .dhs.org = BISHOP.DHS.ORG
> 
> That fixed that problem (and many thanks for your quick response!).  However,
> now it complains with the following:
> 
> Jun 02 08:52:51 bishop krb5kdc[8989](info): TGS_REQ (3 etypes {16 1 3})
> 192.168.0.2(16416): UNKNOWN_SERVER: authtime 1054564142,
> david@BISHOP.DHS.ORG for host/bishop.dhs.org@BISHOP.DHS.ORG, Server not found
> in Kerberos database
> 
> [ david@bishop ] $ sudo /usr/sbin/kadmin.local
> Authenticating as principal david/admin@BISHOP.DHS.ORG with password.
> kadmin.local:  getprincs
> DHS.ORG@BISHOP.DHS.ORG  <-added in attempt to fix previous problem

NO!

> K/M@BISHOP.DHS.ORG
> afs@BISHOP.DHS.ORG
> david/admin@BISHOP.DHS.ORG
> david@BISHOP.DHS.ORG
> kadmin/admin@BISHOP.DHS.ORG
> kadmin/changepw@BISHOP.DHS.ORG
> kadmin/history@BISHOP.DHS.ORG
> krbtgt/BISHOP.DHS.ORG@BISHOP.DHS.ORG
> kadmin.local:
> 
> Is there any other command I should run to give more info?
> 
> --
> "Sorry about the whole 'bomb' thing" - Bruce Rollins
> D.A.Bishop
> 

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
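
Added example (not part of the original message, and not MIT Kerberos code): a simplified Python model of the two failures in this thread, namely how the client picks a realm for the sshd host and whether the KDC database holds the matching host principal. The krb5.conf text is constructed, the principal set is copied from the getprincs output quoted above, and the function names and the uppercase-parent-domain fallback are assumptions made to match the behaviour described in the thread.

```python
# Simplified model of host-to-realm mapping and the KDC principal lookup.
# KRB5_CONF is constructed; PRINCIPALS is the getprincs listing from the thread.
KRB5_CONF = """\
[libdefaults]
    default_realm = BISHOP.DHS.ORG

[domain_realm]
    .dhs.org = BISHOP.DHS.ORG
"""

PRINCIPALS = {
    "DHS.ORG@BISHOP.DHS.ORG", "K/M@BISHOP.DHS.ORG", "afs@BISHOP.DHS.ORG",
    "david/admin@BISHOP.DHS.ORG", "david@BISHOP.DHS.ORG",
    "kadmin/admin@BISHOP.DHS.ORG", "kadmin/changepw@BISHOP.DHS.ORG",
    "kadmin/history@BISHOP.DHS.ORG", "krbtgt/BISHOP.DHS.ORG@BISHOP.DHS.ORG",
}

def parse_domain_realm(text):
    """Return the [domain_realm] section as {lowercase host or .domain: REALM}."""
    mapping, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping

def realm_for_host(host, mapping):
    """Exact host entry first, then the longest matching .domain suffix."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    # Assumed fallback: the uppercased parent domain of the host name.
    return ".".join(labels[1:]).upper()

def check_service(host, mapping, principals, service="host"):
    """Return (principal the client will request, is it in the database?)."""
    principal = f"{service}/{host.lower()}@{realm_for_host(host, mapping)}"
    return principal, principal in principals

if __name__ == "__main__":
    print(check_service("bishop.dhs.org", {}, PRINCIPALS))
    print(check_service("bishop.dhs.org", parse_domain_realm(KRB5_CONF), PRINCIPALS))
```

Without the mapping the requested realm is DHS.ORG (the cross-realm attempt); with it, the request stays in BISHOP.DHS.ORG but the host principal is absent, which corresponds to the UNKNOWN_SERVER log line.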