Re: krb5 ticket forwarding
> Can anybody point me to what could be wrong? Is this maybe an ssh problem?
1. Check with klist -v that your TGT is indeed forwardable.
2. Test with telnet/telnetd if you get your ticket forwarded.
    telnet -F -l schwicke opteron005
> debug1: Kerberos v5 authentication accepted.
> debug1: Kerberos v5 TGT forwarding failed: KDC has no support for encryption
> debug1: Kerberos v4 TGT forwarded (schwicke@FZK.DE).
> debug1: AFS token for cell ka.fzk.de forwarded.
Hmmm. Ssh logs that it could not forward the v5 tickets, but it could forward
the v4 ticket and the AFS token.
> Jan 14 11:22:03 opteron005 sshd: pam_krb5afs: authenticate error:
> Decrypt integrity check failed (-1765328353)
I'd blame pam.
> The libdefaults stanza in the kerberos config file looks like this:
> default_realm = FZK.DE
> ticket_lifetime = 90000
> default_etypes_des = des-cbc-crc
> renew_lifetime = 1209600
> default_etypes = des-cbc-crc
> forwardable = yes
> krb4_get_tickets = yes
You may want the following, too:
forward = yes
forwardable = yes
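
Step 1 of the reply above as a script, added here as an example and not part of the original post: it reads `klist -v` output on stdin and reports whether each TGT carries the forwardable flag, along with its ticket etype. The Heimdal-style field names (`Server:`, `Ticket etype:`, `Ticket flags:`), the function names and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: check the forwardable flag on the TGT in `klist -v` output.
# Assumes Heimdal-style verbose output ("Server:", "Ticket etype:", "Ticket flags:").

# Constructed sample output (not taken from the original thread).
sample_klist() {
cat <<'EOF'
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: user@EXAMPLE.ORG

Server: krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Client: user@EXAMPLE.ORG
Ticket etype: des-cbc-crc, kvno 1
Ticket flags: forwardable, initial

Server: host/login.example.org@EXAMPLE.ORG
Client: user@EXAMPLE.ORG
Ticket etype: des-cbc-crc, kvno 3
Ticket flags: initial
EOF
}

# Prints one line per TGT: <server> forwardable=<yes|no> etype=<etype>
tgt_report() {
  awk '
    function emit(   n, i, a, f) {
      # Only krbtgt/ entries are TGTs; service tickets are skipped.
      if (!have || srv !~ /^krbtgt\//) { have = 0; return }
      f = "no"
      n = split(fl, a, /,[ \t]*/)
      for (i = 1; i <= n; i++) if (a[i] == "forwardable") f = "yes"
      printf "%s forwardable=%s etype=%s\n", srv, f, et
      have = 0
    }
    /^Server:/       { emit(); srv = $2; fl = ""; et = "unknown"; have = 1 }
    /^Ticket etype:/ { et = $3; sub(/,$/, "", et) }
    /^Ticket flags:/ { fl = $0; sub(/^Ticket flags:[ \t]*/, "", fl); sub(/[ \t]+$/, "", fl) }
    END              { emit() }'
}

# Exit 0: every TGT is forwardable; 1: some TGT is not; 2: no TGT found.
tgt_is_forwardable() {
  out=$(tgt_report)
  [ -n "$out" ] || return 2
  case "$out" in *forwardable=no*) return 1 ;; esac
  return 0
}
```

Run it on the client before the ssh attempt as `klist -v | tgt_report`, or use `klist -v | tgt_is_forwardable` in a script.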