Trouble with authentication.

Tom Yu tlyu at MIT.EDU
Sun Jun 22 15:00:52 EDT 2003


>>>>> "matthijs" == Matthijs Mohlmann <matthijs at active2.homelinux.org> writes:

matthijs> And if I get a client and I do so:
matthijs> $ kinit
matthijs> Password for matthijs at ACTIVE2.HOMELINUX.ORG:
matthijs> $ 

matthijs> All is OK but after a couple of hours (mostly 3 to 4 hours)
matthijs> $ kinit
matthijs> Password for matthijs at ACTIVE2.HOMELINUX.ORG:
matthijs> kinit(v5): Password incorrect while getting initial credentials
matthijs> $ 

matthijs> Hmm.. password incorrect.  I'm using that password for
matthijs> several accounts and now that password is incorrect.. a little
matthijs> confused

Are you sure that you're typing the password correctly?  Or does the
problem reliably go away when your clocks are properly synchronized?
Is it possible that the password for that account has changed without
your realizing it?

matthijs> The log on the server:
matthijs> Jun 22 10:33:04 Server krb5kdc[202](info): AS_REQ (3 etypes {3 16 1})
matthijs> 192.168.0.2: NEEDED_PREAUTH: matthijs at ACTIVE2.HOMELINUX.ORG for
matthijs> krbtgt/ACTIVE2.HOMELINUX.ORG at ACTIVE2.HOMELINUX.ORG, Additional
matthijs> pre-authentication required
matthijs> Jun 22 10:33:07 Server krb5kdc[202](info): preauth (timestamp) verify
matthijs> failure: Decrypt integrity check failed
matthijs> Jun 22 10:33:07 Server krb5kdc[202](info): AS_REQ (3 etypes {3 16 1})
matthijs> 192.168.0.2: PREAUTH_FAILED: matthijs at ACTIVE2.HOMELINUX.ORG for
matthijs> krbtgt/ACTIVE2.HOMELINUX.ORG at ACTIVE2.HOMELINUX.ORG, Decrypt integrity
matthijs> check failed
matthijs> Jun 22 10:33:07 Server krb5kdc[202](info): AS_REQ (3 etypes {3 16 1})
matthijs> 192.168.0.2: NEEDED_PREAUTH: matthijs at ACTIVE2.HOMELINUX.ORG for
matthijs> krbtgt/ACTIVE2.HOMELINUX.ORG at ACTIVE2.HOMELINUX.ORG, Additional
matthijs> pre-authentication required
matthijs> Jun 22 10:33:07 Server krb5kdc[202](info): preauth (timestamp) verify
matthijs> failure: Decrypt integrity check failed
matthijs> Jun 22 10:33:07 Server krb5kdc[202](info): AS_REQ (3 etypes {3 16 1})
matthijs> 192.168.0.2: PREAUTH_FAILED: matthijs at ACTIVE2.HOMELINUX.ORG for
matthijs> krbtgt/ACTIVE2.HOMELINUX.ORG at ACTIVE2.HOMELINUX.ORG, Decrypt integrity
matthijs> check failed

matthijs> Here I see my timestamp is not OK. But I have run:
matthijs> ntpdate fistix.xs4all.nl
matthijs> on all my machines.

The KDCs of the krb5-1.3 beta releases should explicitly log when the
timestamp is incorrect, versus when the password is incorrect.  If it
is giving a "decrypt integrity check failed" error when it gets the
correct password but an incorrect timestamp, this is a bug.

matthijs> This is almost the newest version on my server. On my
matthijs> clients I have the same version.

matthijs> Now I'm using the version: 1.2.99-1.3.beta3-4 (Debian version)

Is your KDC running 1.3-beta3?  Or is it only your client machines
from which you attempted kinit?

matthijs> My server is going off every evening and comes up every
matthijs> morning, because of the energy bill. My router is running every
matthijs> day and is running OpenBSD 3.3, which has the Heimdal
matthijs> implementation of kerberosV.

matthijs> Maybe I do something wrong.

matthijs> I'm now a little confused.

So am I.  You shouldn't be seeing "decrypt integrity check failed"
from a 1.3-beta release's KDC unless it actually failed to decrypt the
encrypted timestamp.  I just did a quick check and the KDC does log
clock skew errors properly.

---Tom
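
Added example, not part of the original message or of the krb5 code: a small triage script for the distinction discussed above, separating preauth failures where the encrypted timestamp did not decrypt from failures caused by clock skew. The first three sample entries are the log lines quoted in the message; the fourth (principal "alice", address 192.168.0.3) is constructed, and it is an assumption that a KDC which logs skew separately puts the error text "Clock skew too great" on the PREAUTH_FAILED line.

```python
import re
from collections import Counter

# First three entries: the KDC log lines quoted in the message, re-joined to one
# line each (archive " at " kept). Last entry: constructed to show the skew case.
SAMPLE_LOG = """\
Jun 22 10:33:04 Server krb5kdc[202](info): AS_REQ (3 etypes {3 16 1}) 192.168.0.2: NEEDED_PREAUTH: matthijs at ACTIVE2.HOMELINUX.ORG for krbtgt/ACTIVE2.HOMELINUX.ORG at ACTIVE2.HOMELINUX.ORG, Additional pre-authentication required
Jun 22 10:33:07 Server krb5kdc[202](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Jun 22 10:33:07 Server krb5kdc[202](info): AS_REQ (3 etypes {3 16 1}) 192.168.0.2: PREAUTH_FAILED: matthijs at ACTIVE2.HOMELINUX.ORG for krbtgt/ACTIVE2.HOMELINUX.ORG at ACTIVE2.HOMELINUX.ORG, Decrypt integrity check failed
Jun 22 10:40:00 Server krb5kdc[202](info): AS_REQ (3 etypes {3 16 1}) 192.168.0.3: PREAUTH_FAILED: alice at ACTIVE2.HOMELINUX.ORG for krbtgt/ACTIVE2.HOMELINUX.ORG at ACTIVE2.HOMELINUX.ORG, Clock skew too great
"""

# Accepts "user@REALM" as well as the archive's obfuscated "user at REALM".
PRINC = r"[^\s,]+(?:@| at )[^\s,]+"
AS_REQ = re.compile(
    r"AS_REQ \(\d+ etypes \{[\d ]+\}\) (?P<addr>\S+): (?P<status>\w+): "
    rf"(?P<client>{PRINC}) for (?P<server>{PRINC}), (?P<reason>.+)$"
)

def classify(status, reason):
    """Map a KDC status/reason pair to the cause an operator should chase."""
    if status == "NEEDED_PREAUTH":
        return "normal"          # first leg of every preauthenticated AS exchange
    if status == "PREAUTH_FAILED" and "Decrypt integrity check failed" in reason:
        return "key-mismatch"    # timestamp did not decrypt: wrong or changed password
    if status == "PREAUTH_FAILED" and "Clock skew too great" in reason:
        return "clock-skew"      # decrypted fine, timestamp outside the allowed window
    return "other"

def triage(log_text):
    """Count preauth failures per (client, source address, cause)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AS_REQ.search(line)
        if not m:
            continue             # e.g. the separate "preauth (timestamp) verify failure" line
        cause = classify(m["status"], m["reason"])
        if cause != "normal":
            client = m["client"].replace(" at ", "@")
            counts[(client, m["addr"], cause)] += 1
    return counts

if __name__ == "__main__":
    for (client, addr, cause), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{client:35} {addr:15} {cause:13} x{n}")
```

A NEEDED_PREAUTH entry followed by a successful request is the normal exchange; only the PREAUTH_FAILED entries are counted.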

