password incorrect but it's not, works fine with Solaris + MIT?
Jeff Blaine
jblaine at kickflop.net
Tue Dec 11 15:30:30 EST 2007
Thanks for the replies, Steve and Marcus.
I have no enctype settings specified in either my kdc.conf
or krb5.conf on the client(s) as I was under the impression
that was the best practice.
Steve, from what I understand, you did not require all users
to change passwords (re-key) in order for things to work,
correct?
I've tried adding explicit enctype settings in both kdc.conf
and krb5.conf (a list including the defaults according to
the MIT krb5 docs + des-cbc-crc:afs3) and that did not seem
to help any.
I also tested this on a RHELv4 box (instead of the RHELv3
box mentioned in the original message to the list) and got
the same error.
Jeff Blaine wrote:
> What am I doing wrong this time?
>
> -bash-2.05b# /usr/kerberos/bin/kinit jblaine at RCF.FOO.COM
> Password for jblaine at RCF.FOO.COM:
> kinit(v5): Password incorrect while getting initial credentials
> -bash-2.05b#
>
> -bash-2.05b# rpm -qa | grep krb5
> krb5-workstation-1.2.7-38
> krb5-libs-1.2.7-38
> pam_krb5-1.70-1
> krb5-devel-1.2.7-38
> -bash-2.05b# uname -a
> Linux blackbird-vm2 2.4.21-53.EL #1 Wed Nov 14 04:02:23 EST 2007
> i686 i686 i386 GNU/Linux
> -bash-2.05b#
>
> However, /usr/rcf-krb5/bin/kinit jblaine at RCF.FOO.COM works
> fine on a Solaris 9 box (which has our MIT krb5 build).
>
> BOTH hosts have the same exact /etc/krb5.conf
>
> krb5kdc says:
>
> Dec 07 15:46:49 silmaril.foo.com krb5kdc[26865](info):
> AS_REQ (5 etypes {16 23 1 3 2}) 129.xx.xx.xx: ISSUE: authtime
> 1197060409, etypes {rep=1 tkt=16 ses=16}, jblaine at RCF.FOO.COM
> for krbtgt/RCF.FOO.COM at RCF.FOO.COM
>
> Principal looks like:
>
> kadmin: getprinc jblaine
> Principal: jblaine at RCF.FOO.COM
> Expiration date: Wed Dec 30 19:00:00 EST 2037
> Last password change: [never]
> Password expiration date: [none]
> Maximum ticket life: 14 days 00:00:00
> Maximum renewable life: 7 days 00:00:00
> Last modified: Mon Oct 29 21:08:00 EDT 2007 (jblaine at RCF.FOO.COM)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 1
> Key: vno 5, DES cbc mode with CRC-32, AFS version 3
> Attributes:
> Policy: [none]
> kadmin:
>
>
More information about the Kerberos
mailing list