Preauth and ticket forwarding
Rachel Elizabeth Dillon
red at MIT.EDU
Tue Dec 7 16:33:06 EST 2004
On Tue, Dec 07, 2004 at 12:53:25PM -0800, Donn Cave wrote:
> In case it may help, you can find more detail about the
> preauthentication failure in the syslog output from the KDC.
> The error message can be a little misleading - I believe
> "No such file or directory" really means that the key was
> wrong. Other errors are "no valid preauth type", which
> I think may commonly be a Microsoft issue, and "Clock skew
> too great." These messages appear on a separate line, so
> you have to locate the failure event in the log and then
> look for diagnostic messages on the line before.
See, I would expect that, but all I get is this for multiple
login attempts:
Dec 07 13:12:45 kerberos-1 krb5kdc[1163](info): AS_REQ (7 etypes {3 1 2 16 8 23 0}) 10.1.16.253: NEEDED_PREAUTH: ptadmin@IC.COM for krbtgt/IC.COM at IC.COM, Additional pre-authentication required
Dec 07 13:13:16 kerberos-1 krb5kdc[1163](info): AS_REQ (7 etypes {3 1 2 16 8 23 0}) 10.1.16.253: NEEDED_PREAUTH: ptadmin@IC.COM for krbtgt/IC.COM at IC.COM, Additional pre-authentication required
Dec 07 13:14:03 kerberos-1 krb5kdc[1163](info): AS_REQ (7 etypes {3 1 2 16 8 23 0}) 10.1.16.253: NEEDED_PREAUTH: ptadmin@IC.COM for krbtgt/IC.COM at IC.COM, Additional pre-authentication required
Dec 07 13:15:06 kerberos-1 krb5kdc[1163](info): AS_REQ (7 etypes {3 1 2 16 8 23 0}) 10.1.16.253: NEEDED_PREAUTH: ptadmin@IC.COM for krbtgt/IC.COM at IC.COM, Additional pre-authentication required
And this is the same message I get with a successful kinit from
elsewhere in the system:
Dec 07 11:43:34 kerberos-1 krb5kdc[1163](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.1.16.234: NEEDED_PREAUTH: ptadmin at IC.COM for krbtgt/IC.COM at IC.COM, Additional pre-authentication required
Dec 07 11:43:36 kerberos-1 krb5kdc[1163](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.1.16.234: ISSUE: authtime 1102448616, etypes {rep=16 tkt=16 ses=16}, ptadmin at IC.COM for krbtgt/IC.COM at IC.COM
Thanks for the suggestion, though. I looked at some other log files but
I don't think the KDC is writing anywhere else; these lines are coming
from /var/krb5/kdc.log, as specified in /etc/krb5.conf.
-r.
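
An added example, not part of the original message: the logs above show failing attempts as a lone NEEDED_PREAUTH line and the successful kinit as NEEDED_PREAUTH followed by ISSUE, so this sketch pairs each NEEDED_PREAUTH with the next AS_REQ from the same host and principal. The function names, the 30-second window, the year, and the "@" principal form (the archive shows " at ") are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the KDC lines quoted in the post, unwrapped, with "@"
# in place of the list archive's " at " (an assumption about the raw log).
P = "ptadmin@IC.COM for krbtgt/IC.COM@IC.COM"
H = "kerberos-1 krb5kdc[1163](info): AS_REQ (7 etypes "
NP = f"NEEDED_PREAUTH: {P}, Additional pre-authentication required"
SAMPLE_LOG = "\n".join([
    f"Dec 07 11:43:34 {H}{{18 17 16 23 1 3 2}}) 10.1.16.234: {NP}",
    f"Dec 07 11:43:36 {H}{{18 17 16 23 1 3 2}}) 10.1.16.234: ISSUE: authtime "
    f"1102448616, etypes {{rep=16 tkt=16 ses=16}}, {P}",
    *[f"Dec 07 {t} {H}{{3 1 2 16 8 23 0}}) 10.1.16.253: {NP}"
      for t in ("13:12:45", "13:13:16", "13:14:03", "13:15:06")],
])

LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:]{8}) \S+ krb5kdc\[\d+\]\(\w+\): AS_REQ "
    r"\(\d+ etypes \{(?P<etypes>[\d ]+)\}\) (?P<ip>[\d.]+): "
    r"(?P<status>[A-Z_]+): .*?(?P<client>\S+@\S+) for (?P<server>\S+@[^\s,]+)")

def parse(log, year=2004):
    """Yield one dict per AS_REQ line; year is assumed (the log omits it)."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            ev = m.groupdict()
            ev["when"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
            yield ev

def preauth_outcomes(log, window=timedelta(seconds=30)):
    """Report, per NEEDED_PREAUTH, the follow-up AS_REQ status or NO_FOLLOWUP."""
    pending, out = {}, []
    for ev in parse(log):
        key = (ev["ip"], ev["client"])
        prev = pending.pop(key, None)
        if ev["status"] == "NEEDED_PREAUTH":
            if prev:  # an earlier challenge from this host was never answered
                out.append((prev, "NO_FOLLOWUP"))
            pending[key] = ev
        elif prev:
            in_time = ev["when"] - prev["when"] <= window
            out.append((prev, ev["status"] if in_time else "NO_FOLLOWUP"))
    out += [(ev, "NO_FOLLOWUP") for ev in pending.values()]
    out.sort(key=lambda pair: pair[0]["when"])
    return [(e["ts"], e["ip"], e["etypes"], result) for e, result in out]

if __name__ == "__main__":
    for row in preauth_outcomes(SAMPLE_LOG):
        print(*row, sep="  ")
```

On the sample, the request from 10.1.16.234 resolves to ISSUE, while all four from 10.1.16.253 come back NO_FOLLOWUP, each carrying the etype list {3 1 2 16 8 23 0}.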