[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: krb5 ticket forwarding

> Can anybody point me to what could be wrong ? Is this maybe an ssh problem ?

1. Check with klist -v that your tgt indeed is forwardable.

2. Test with telnet/telnetd if you get your ticket forwarded.
    telnet -F -l schwicke opteron005

> debug1: Kerberos v5 authentication accepted.
> debug1: Kerberos v5 TGT forwarding failed: KDC has no support for encryption 
> type
> debug1: Kerberos v4 TGT forwarded (schwicke@FZK.DE).
> debug1: AFS token for cell ka.fzk.de forwarded.

Hmmm. Ssh logs that it could not forward the v5 tickets, but it could forward
the v4 ticket and the AFS token.

> Jan 14 11:22:03 opteron005 sshd[10816]: pam_krb5afs: authenticate error: 
> Decrypt integrity check failed (-1765328353)

I'd blame pam.

> The libdefaults stanza in the kerberos config file looks like this:
> [libdefaults]
>         default_realm = FZK.DE
>         ticket_lifetime = 90000
>         default_etypes_des = des-cbc-crc 
>         renew_lifetime = 1209600
>         default_etypes = des-cbc-crc
>         forwardable = yes
>         krb4_get_tickets = yes

You may want the following, too:

	forward = yes
	forwardable = yes