Re: krb4 access with heimdal + kpasswd problem



torbjorn.lindh@allgon.se writes:
> I have switched from kth-krb to heimdal and it works nicely except for
> krb4-clients (such as Ktelnet or /usr/athena/telnet). What I get is:
> 
> [ Trying mutual KERBEROS4 ... ]
> [ Kerberos V4 refuses authentication because Can't decode authenticator
> (krb_rd_req) ]
> [ Trying KERBEROS4 ... ]
> [ Kerberos V4 refuses authentication because Can't decode authenticator
> (krb_rd_req) ]

On Wed, 14 Jun 2000, Assar Westerlund wrote:

Assar> This error indicates that the server did not manage to decode the
Assar> ticket properly.  Can you run `klist -v' on your client and `ksrvutil
Assar> list' on your machine running telnetd and make sure they have the same
Assar> version number for the `rcmd.hostname' key?
Assar> 
Assar> BTW, this error should not have anything to do with krb5.  The telnet
Assar> code is the same in both cases and since it says KERBEROS4, it's using
Assar> the v4 authentication stuff in telnet, and actually the krb4 libraries
Assar> too.

Thank you for the hint! The version numbers were different. After some
"work" I realised that what I could do was:

client# rm /etc/srvtab
client# ktutil key2srvtab

I tried converting the krb4-database, but I don't quite understand
what principal to add to make hprop happy. kadmin/hprop/foo.se??
Fortunately I did not have too many users/stations :-)

> Another problem is that kpasswd does not work with my heimdal setup.
> strace:ing kpasswd made me believe that it tries to look up SRV-records for
> kpasswd.udp so I added them.

Assar> Can you show us the SRV record you added?

_kpasswd._udp.ALLGON.SE.  1H IN SRV  0 0 464 kerberos.allgon.se.

> Still the same problem:
> $ kpasswd
> toobii@ALLGON.SE's Password: 
> New password: 
> Verifying password - New password: 
> kpasswd: krb5_change_password: Unknown error 4294967288
> $ 

Assar> Can you try adding this to your /etc/krb5.conf?
Assar> 
Assar> ALLGON.SE = {
Assar>         admin_server = udp/kerberos.allgon.se
Assar> };

Tried that (under realm). Still the same problem.