[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: krb5 ticket forwarding

To: ulrich.schwickerath@web.de
Subject: Re: krb5 ticket forwarding
From: Harald Barth <haba@pdc.kth.se>
Date: Fri, 14 Jan 2005 18:29:21 +0100 (MET)
Cc: heimdal-discuss@sics.se
In-Reply-To: <200501141136.04610.Ulrich.Schwickerath@web.de>
References: <200501141136.04610.Ulrich.Schwickerath@web.de>
Sender: owner-heimdal-discuss@sics.se


> Can anybody point me to what could be wrong ? Is this maybe an ssh problem ?

1. Check with klist -v that your tgt indeed is forwardable.

2. Test with telnet/telnetd if you get your ticket forwarded.
    telnet -F -l schwicke opteron005

> debug1: Kerberos v5 authentication accepted.
> debug1: Kerberos v5 TGT forwarding failed: KDC has no support for encryption 
> type
> debug1: Kerberos v4 TGT forwarded (schwicke@FZK.DE).
> debug1: AFS token for cell ka.fzk.de forwarded.

Hmmm. Ssh logs that it could not forward the v5 tickets, but it could forward
the v4 ticket and the AFS token.

> Jan 14 11:22:03 opteron005 sshd[10816]: pam_krb5afs: authenticate error: 
> Decrypt integrity check failed (-1765328353)

I'd blame pam.

> The libdefaults stanza in the kerberos config file looks like this:
> [libdefaults]
>         default_realm = FZK.DE
>         ticket_lifetime = 90000
>         default_etypes_des = des-cbc-crc 
>         renew_lifetime = 1209600
>         default_etypes = des-cbc-crc
>         forwardable = yes
>         krb4_get_tickets = yes

You may want the following, too:

[appdefaults]
	forward = yes
	forwardable = yes

Harald.




> 
>

References:
- krb5 ticket forwarding
  - From: Ulrich Schwickerath <Ulrich.Schwickerath@web.de>

Prev by Date: krb5 ticket forwarding
Next by Date: kadmin doesn't bind to OpenLDAP
Prev by thread: krb5 ticket forwarding
Next by thread: kadmin doesn't bind to OpenLDAP
Index(es):
- Date
- Thread