Trouble with authentication.

Matthijs Mohlmann matthijs at active2.homelinux.org
Sun Jun 22 04:43:01 EDT 2003


Hello,

I am setting up a KerberosV server for the first time. I am using Debian
and I've downloaded the source from unstable. Here are the commands
I used to set up my KerberosV server.

First create a database:
kdb5_util create -r ACTIVE2.HOMELINUX.ORG -s

echo "*/admin@ACTIVE2.HOMELINUX.ORG *" > /etc/krb5kdc/kadm5.acl

Then I create the principal root/admin@ACTIVE2.HOMELINUX.ORG with the
kadmin.local binary.

Then I create the keytab for the kadmind service.
ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw

Then I start the servers, and all works perfectly.

Then I add all my hosts to the Kerberos server:
addprinc -randkey host/tux.active2.homelinux.org

I have 5 hosts for learning KerberosV.

Then I made a policy for my users:
addpol -maxlife "1 year" -minlife "6 months" -minlength 4 -minclasses 1 -history 3 insecure

And then I add a user:
addprinc -policy insecure +requires_preauth +allow_forwardable matthijs@ACTIVE2.HOMELINUX.ORG

And if I take a client and do this:
$ kinit
Password for matthijs@ACTIVE2.HOMELINUX.ORG:
$ 

All is OK, but after a couple of hours (mostly 3 to 4 hours):
$ kinit
Password for matthijs@ACTIVE2.HOMELINUX.ORG:
kinit(v5): Password incorrect while getting initial credentials
$ 

Hmm.. password incorrect.
I'm using that password for several accounts and now that password is
incorrect.. a little confused.

The log on the server:
Jun 22 10:33:04 Server krb5kdc[202](info): AS_REQ (3 etypes {3 16 1})
192.168.0.2: NEEDED_PREAUTH: matthijs@ACTIVE2.HOMELINUX.ORG for
krbtgt/ACTIVE2.HOMELINUX.ORG@ACTIVE2.HOMELINUX.ORG, Additional
pre-authentication required
Jun 22 10:33:07 Server krb5kdc[202](info): preauth (timestamp) verify
failure: Decrypt integrity check failed
Jun 22 10:33:07 Server krb5kdc[202](info): AS_REQ (3 etypes {3 16 1})
192.168.0.2: PREAUTH_FAILED: matthijs@ACTIVE2.HOMELINUX.ORG for
krbtgt/ACTIVE2.HOMELINUX.ORG@ACTIVE2.HOMELINUX.ORG, Decrypt integrity
check failed
Jun 22 10:33:07 Server krb5kdc[202](info): AS_REQ (3 etypes {3 16 1})
192.168.0.2: NEEDED_PREAUTH: matthijs@ACTIVE2.HOMELINUX.ORG for
krbtgt/ACTIVE2.HOMELINUX.ORG@ACTIVE2.HOMELINUX.ORG, Additional
pre-authentication required
Jun 22 10:33:07 Server krb5kdc[202](info): preauth (timestamp) verify
failure: Decrypt integrity check failed
Jun 22 10:33:07 Server krb5kdc[202](info): AS_REQ (3 etypes {3 16 1})
192.168.0.2: PREAUTH_FAILED: matthijs@ACTIVE2.HOMELINUX.ORG for
krbtgt/ACTIVE2.HOMELINUX.ORG@ACTIVE2.HOMELINUX.ORG, Decrypt integrity
check failed

Here I see my timestamp is not OK. But I have run:
ntpdate fistix.xs4all.nl
on all my machines.

This is almost the newest version on my server. On my clients I have the
same version.

Now I'm using the version: 1.2.99-1.3.beta3-4 (Debian version)

My server goes off every evening and comes up every morning, because of
the energy bill. My router is running every day and is running OpenBSD
3.3, which has the Heimdal implementation of KerberosV.

Maybe I am doing something wrong.

I'm now a little confused.
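
An added example, not part of the original post: a small parser for krb5kdc AS_REQ entries like those quoted above, which separates the normal NEEDED_PREAUTH first leg from PREAUTH_FAILED results and splits the failures by reason. "Decrypt integrity check failed" means the KDC could not decrypt the encrypted timestamp with the principal's stored key, while a clock problem is logged as "Clock skew too great"; the sample log is constructed and the function names and the second client are assumptions.

```python
import re
from collections import Counter

# Constructed sample: the first three entries are modelled on the log in the
# post, each written on one line. The last entry is invented for contrast
# (hypothetical client) and shows how a clock-skew rejection is reported.
SAMPLE_LOG = """\
Jun 22 10:33:04 Server krb5kdc[202](info): AS_REQ (3 etypes {3 16 1}) 192.168.0.2: NEEDED_PREAUTH: matthijs@ACTIVE2.HOMELINUX.ORG for krbtgt/ACTIVE2.HOMELINUX.ORG@ACTIVE2.HOMELINUX.ORG, Additional pre-authentication required
Jun 22 10:33:07 Server krb5kdc[202](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Jun 22 10:33:07 Server krb5kdc[202](info): AS_REQ (3 etypes {3 16 1}) 192.168.0.2: PREAUTH_FAILED: matthijs@ACTIVE2.HOMELINUX.ORG for krbtgt/ACTIVE2.HOMELINUX.ORG@ACTIVE2.HOMELINUX.ORG, Decrypt integrity check failed
Jun 22 10:40:00 Server krb5kdc[202](info): AS_REQ (3 etypes {3 16 1}) 192.168.0.9: PREAUTH_FAILED: example@ACTIVE2.HOMELINUX.ORG for krbtgt/ACTIVE2.HOMELINUX.ORG@ACTIVE2.HOMELINUX.ORG, Clock skew too great
"""

AS_REQ = re.compile(
    r"AS_REQ \(\d+ etypes \{(?P<etypes>[\d ]+)\}\) (?P<client_ip>\S+): "
    r"(?P<status>[A-Z_]+): (?P<client>\S+) for (?P<service>\S+), (?P<reason>.+)$"
)

def classify(status, reason):
    """Map one AS_REQ result to a troubleshooting verdict."""
    if status == "NEEDED_PREAUTH":
        return "normal"        # first leg of every preauthenticated login
    if "Decrypt integrity check failed" in reason:
        return "key-mismatch"  # typed password does not yield the stored key
    if "Clock skew too great" in reason:
        return "clock-skew"    # client and KDC clocks differ too much
    return "other"

def parse(log_text):
    """Return one dict per AS_REQ entry; other krb5kdc lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = AS_REQ.search(line)
        if m:
            e = m.groupdict()
            e["etypes"] = [int(x) for x in e["etypes"].split()]
            e["verdict"] = classify(e["status"], e["reason"])
            events.append(e)
    return events

def failures_by_client(events):
    """Count non-normal verdicts per (principal, source address, verdict)."""
    return Counter((e["client"], e["client_ip"], e["verdict"])
                   for e in events if e["verdict"] != "normal")

if __name__ == "__main__":
    for key, count in failures_by_client(parse(SAMPLE_LOG)).items():
        print(count, *key)
```
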


