password incorrect but it's not, works fine with Solaris + MIT?

Steve Devine devine.steve at gmail.com
Sat Dec 8 07:35:25 EST 2007


On Dec 7, 3:59 pm, Jeff Blaine <jbla... at kickflop.net> wrote:
> What am I doing wrong this time?
>
>    -bash-2.05b# /usr/kerberos/bin/kinit jbla... at RCF.FOO.COM
>    Password for jbla... at RCF.FOO.COM:
>    kinit(v5): Password incorrect while getting initial credentials
>    -bash-2.05b#
>
>    -bash-2.05b# rpm -qa | grep krb5
>    krb5-workstation-1.2.7-38
>    krb5-libs-1.2.7-38
>    pam_krb5-1.70-1
>    krb5-devel-1.2.7-38
>    -bash-2.05b# uname -a
>    Linux blackbird-vm2 2.4.21-53.EL #1 Wed Nov 14 04:02:23 EST 2007
>    i686 i686 i386 GNU/Linux
>    -bash-2.05b#
>
> However, /usr/rcf-krb5/bin/kinit jbla... at RCF.FOO.COM works
> fine on a Solaris 9 box (which has our MIT krb5 build).
>
> BOTH hosts have the same exact /etc/krb5.conf
>
> krb5kdc says:
>
>    Dec 07 15:46:49 silmaril.foo.com krb5kdc[26865](info):
>    AS_REQ (5 etypes {16 23 1 3 2}) 129.xx.xx.xx: ISSUE: authtime
>    1197060409, etypes {rep=1 tkt=16 ses=16}, jbla... at RCF.FOO.COM
>    for krbtgt/RCF.FOO.... at RCF.FOO.COM
>
> Principal looks like:
>
>    kadmin:  getprinc jblaine
>    Principal: jbla... at RCF.FOO.COM
>    Expiration date: Wed Dec 30 19:00:00 EST 2037
>    Last password change: [never]
>    Password expiration date: [none]
>    Maximum ticket life: 14 days 00:00:00
>    Maximum renewable life: 7 days 00:00:00
>    Last modified: Mon Oct 29 21:08:00 EDT 2007 (jbla... at RCF.FOO.COM)
>    Last successful authentication: [never]
>    Last failed authentication: [never]
>    Failed password attempts: 0
>    Number of keys: 1
>    Key: vno 5, DES cbc mode with CRC-32, AFS version 3
>    Attributes:
>    Policy: [none]
>    kadmin:

Does your client talk in single des? Maybe if you force your enctype
in krb5.conf on the client    (Although I dont think this is
recommended. )
What enctypes do you have in the kdc.conf? You might add some enctypes
to your kdc .. then reset the password and try again.



More information about the Kerberos mailing list