Re: import from kaserver: passwords work, keytabs don't

In message <5lemocih5e.fsf@assaris.sics.se>, Assar Westerlund writes:
| "Brandon S. Allbery" <allbery@ece.cmu.edu> writes:
| > (This first showed up when I added kadmin.hprop with kas and imported it,
| > instead of manually adding it to the KDC with kadmin -l.  I couldn't repeat
| > the hprop, "Additional pre-authentication required".  The same error shows up
| > when using a keytab to kinit.)
| What do you get in the log from your KDC?  Do you have enabled

"No PA-ENC-TIMESTAMP -- porok.ece.cmu.edu", the same error I got when porok 
didn't have hprop/porok.ece.cmu.edu in its keytab.  All entries were in the 
keytab, however, and the hprop/porok.ece.cmu.edu entry was imported from the 
kaserver's hprop.porok key in both successful and failing attempts.

| required pre-authentication on either kadmin.hprop or on the server?

No.  The only difference I could detect in a "get -l", aside from 
timestamps, between a key that worked and one that didn't was that the 
failing one (imported from the kaserver) was type "des" whereas the one that 
worked (created with kadmin -l) was type "des3".

brandon s. allbery	[os/2][linux][solaris][japh]	 allbery@kf8nh.apk.net
system administrator	     [WAY too many hats]	   allbery@ece.cmu.edu
carnegie mellon / electrical and computer engineering			 KF8NH
     We are Linux. Resistance is an indication that you missed the point.