I am not sure how to see that, but it was created in exactly the same way as the krbtest ID.

"Jeffrey Altman" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> What enctypes are supported for the principal
>
> [EMAIL PROTECTED]
>
> ??
>
> Joe Bryant wrote:
> > "Jeffrey Altman" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]
> >
> >>What error messages do you receive in the KDC logs when you use the
> >>upper cased name from the runas?
> >
> > With lowercase ID:
> >
> > May 11 09:12:44 SEC400 krb5kdc[208](info): AS_REQ (7 etypes {23 -133 -128 3
> > 1 24 -135}) 10.3.1.70(88): NEEDED_PREAUTH: [EMAIL PROTECTED]
> > for krbtgt/[EMAIL PROTECTED], Additional
> > pre-authentication required
> > May 11 09:12:44 SEC400 krb5kdc[208](info): AS_REQ (2 etypes {3 1})
> > 10.3.1.70(88): ISSUE: authtime 1084281164, etypes {rep=3 tkt=16 ses=1},
> > [EMAIL PROTECTED] for
> > krbtgt/[EMAIL PROTECTED]
> > May 11 09:12:44 SEC400 krb5kdc[208](info): TGS_REQ (7 etypes {23 -133 -128 3
> > 1 24 -135}) 10.3.1.70(88): UNKNOWN_SERVER: authtime 1084281164,
> > [EMAIL PROTECTED] for
> > krbsvr400/[EMAIL PROTECTED], Server not found
> > in Kerberos database
> >
> > With uppercase ID:
> >
> > May 11 09:14:00 SEC400 krb5kdc[208](info): AS_REQ (7 etypes {23 -133 -128 3
> > 1 24 -135}) 10.3.1.70(88): NEEDED_PREAUTH: [EMAIL PROTECTED]
> > for krbtgt/[EMAIL PROTECTED], Additional
> > pre-authentication required
> > May 11 09:14:00 SEC400 krb5kdc[208](info): preauth (timestamp) verify
> > failure: No matching key in entry
> > May 11 09:14:00 SEC400 krb5kdc[208](info): AS_REQ (2 etypes {3 1})
> > 10.3.1.70(88): PREAUTH_FAILED: [EMAIL PROTECTED] for
> > krbtgt/[EMAIL PROTECTED], Preauthentication
> > failed
> > May 11 09:14:00 SEC400 krb5kdc[208](info): no valid preauth type found:
> > Success
> > May 11 09:14:00 SEC400 krb5kdc[208](info): AS_REQ (2 etypes {3 1})
> > 10.3.1.70(88): PREAUTH_FAILED: [EMAIL PROTECTED] for
> > krbtgt/[EMAIL PROTECTED], Preauthentication
> > failed
> > May 11 09:14:00 SEC400 krb5kdc[208](info): DISPATCH: repeated
> > (retransmitted?) request from 10.3.1.70 port 88, resending previous response
> > May 11 09:14:00 SEC400 krb5kdc[208](info): DISPATCH: repeated
> > (retransmitted?) request from 10.3.1.70 port 88, resending previous response
> >
> >>Did you reconfigure the Windows machine to authenticate to the Linux KDC
> >>with KSETUP.EXE?
> >
> > Current ksetup (have tried others):
> >
> > Machine is not configured to log on to an external KDC. Probably a
> > workgroup member
> > ITC.RITEAID.COM:
> > kdc = sy29.s390.riteaid.com
> > Realm Flags = 0x0 none
> > SEC400.ITC.RITEAID.COM:
> > kdc = SEC400.ITC.RITEAID.COM
> > Realm Flags = 0x0 none
> > No user mappings defined.
> >
> >>Why do you need to use RUNAS at all?
> >
> > Runas is the only way we have seen to get tickets available to a program
> > dynam, and since we have to launch a program based on WHO did the biometric
> > scan, it was the only option we saw. Always open to others if you know any.
> >
> >>Jeffrey Altman
> >>
> >>Joe Bryant wrote:
> >>
> >>>I am very new to Kerberos, and trying to do what seems a very complex task
> >>>with it. We are a big mainframe 390/zOS shop, with AS/400's, and Windows
> >>>clients. We currently have the zOS configured as a KDC, and can point a
> >>>Windows box to it to get a TGT, then a service ticket, to access the AS/400
> >>>through the windows "runas" command, and all works well. Of course, that is
> >>>not exactly what we NEED, so I have to add a Linux/KRB5 kdc, because we need
> >>>to be able to force the passwords on the ID as part of a behind the scenes
> >>>biometric solution. Now, with all that said, most is not important to my
> >>>real problem. The issue is, when I point the windows box to my new kdc on
> >>>Linux, I run into a couple of issues I do not really understand.
> >>>
> >>>First, we were using an upper case userid. When I create one in this
> >>>configuration, I can get it from the windows box using leash32 to test, but
> >>>it fails when using the runas. With all else the same, a lower case ID is
> >>>successful at retrieving a TGT.
> >>>
> >>>Second, when I do get a TGT, and a second call is made to get the service
> >>>ticket, I get at my server a message:
> >>>
> >>>May 07 11:25:29 SEC400 krb5kdc[208](info): AS_REQ (7 etypes {23 -133 -128 3
> >>>1 24 -135}) 10.3.1.70(88): NEEDED_PREAUTH: [EMAIL PROTECTED]
> >>>for krbtgt/[EMAIL PROTECTED], Additional
> >>>pre-authentication required
> >>>May 07 11:25:29 SEC400 krb5kdc[208](info): AS_REQ (2 etypes {3 1})
> >>>10.3.1.70(88): ISSUE: authtime 1083943529, etypes {rep=3 tkt=16 ses=1},
> >>>[EMAIL PROTECTED] for
> >>>krbtgt/[EMAIL PROTECTED]
> >>>May 07 11:25:29 SEC400 krb5kdc[208](info): TGS_REQ (7 etypes {23 -133 -128 3
> >>>1 24 -135}) 10.3.1.70(88): UNKNOWN_SERVER: authtime 1083943529,
> >>>[EMAIL PROTECTED] for
> >>>krbsvr400/[EMAIL PROTECTED], Server not found
> >>>in Kerberos database
> >>>
> >>>I have tried everything I could think of, but just can't seem to make any
> >>>headway. Any advice from some of you long time KRB experts would be greatly
> >>>appreciated.
> >>>
> >>>Joe Bryant
> >>>Sr. Sys. Prog.
> >>>Rite Aid Corp.
> >>>
> >>
> >>--
> >>-----------------
> >>This e-mail account is not read on a regular basis.
> >>Please send private responses to jaltman at mit dot edu
> >
>
> --
> -----------------
> This e-mail account is not read on a regular basis.
> Please send private responses to jaltman at mit dot edu

________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
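
Added example, not part of the original thread: a small Python triage script that decodes the etype numbers in krb5kdc entries like the ones quoted above, so the enctypes the client offers and the KDC issues can be compared with the keys stored for the principal. The function names are hypothetical, and the sample lines are constructed from the thread's log entries with placeholder principals, since the real ones are redacted on the page.

```python
import re

# Enctype numbers from the IANA Kerberos registry; negative values are
# private-use numbers (in this thread they come from the Windows client).
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1-kd",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
          23: "rc4-hmac", 24: "rc4-hmac-exp"}
REQ = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<kind>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<offered>[^}]*)\}\) \S+: "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)")
ISSUED = re.compile(r"etypes \{rep=(-?\d+) tkt=(-?\d+) ses=(-?\d+)\}")

def name(n):
    """Map an etype number to a readable name."""
    return ETYPES.get(n, f"private-use({n})" if n < 0 else f"unknown({n})")

def parse(line):
    """Return a dict for an AS_REQ/TGS_REQ entry, or None for other lines."""
    m = REQ.search(line)
    if not m:
        return None
    entry = {"kind": m["kind"], "status": m["status"],
             "offered": [name(int(x)) for x in m["offered"].split()]}
    issued = ISSUED.search(m["rest"])
    if issued:  # only ISSUE entries carry rep/tkt/ses
        names = [name(int(g)) for g in issued.groups()]
        entry["issued"] = dict(zip(("rep", "tkt", "ses"), names))
    return entry

def triage(lines):
    """Parse requests; attach KDC diagnostics logged just before each one."""
    out, notes = [], []
    for line in lines:
        entry = parse(line)
        if entry is None:
            notes.append(line.split("(info): ", 1)[-1])
            continue
        entry["notes"], notes = notes, []
        out.append(entry)
    return out

P = "USER@EXAMPLE.REALM for krbtgt/EXAMPLE.REALM@EXAMPLE.REALM"  # placeholder
H = "May 11 09:14:00 SEC400 krb5kdc[208](info): "
SAMPLE = [  # constructed: the thread's entries unwrapped, principals replaced
    H + "AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.3.1.70(88): "
        "NEEDED_PREAUTH: " + P + ", Additional pre-authentication required",
    H + "preauth (timestamp) verify failure: No matching key in entry",
    H + "AS_REQ (2 etypes {3 1}) 10.3.1.70(88): PREAUTH_FAILED: " + P,
    H + "AS_REQ (2 etypes {3 1}) 10.3.1.70(88): ISSUE: authtime 1084281164, "
        "etypes {rep=3 tkt=16 ses=1}, " + P,
]
```

Calling `triage(SAMPLE)` returns one dict per request, with the "No matching key in entry" diagnostic attached to the PREAUTH_FAILED request that follows it.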
