password incorrect but it's not, works fine with Solaris + MIT?

Jeff Blaine jblaine at kickflop.net
Tue Dec 11 15:30:30 EST 2007


Thanks for the replies, Steve and Marcus.

I have no enctype settings specified in either my kdc.conf
or krb5.conf on the client(s) as I was under the impression
that was the best practice.

Steve, from what I understand, you did not require all users
to change passwords (re-key) in order for things to work,
correct?

I've tried adding explicit enctype settings in both kdc.conf
and krb5.conf (a list including the defaults according to
the MIT krb5 docs + des-cbc-crc:afs3) and that did not seem
to help any.

I also tested this on a RHELv4 box (instead of the RHELv3
box mentioned in the original message to the list) and got
the same error.

Jeff Blaine wrote:
> What am I doing wrong this time?
> 
>   -bash-2.05b# /usr/kerberos/bin/kinit jblaine at RCF.FOO.COM
>   Password for jblaine at RCF.FOO.COM:
>   kinit(v5): Password incorrect while getting initial credentials
>   -bash-2.05b#
> 
>   -bash-2.05b# rpm -qa | grep krb5
>   krb5-workstation-1.2.7-38
>   krb5-libs-1.2.7-38
>   pam_krb5-1.70-1
>   krb5-devel-1.2.7-38
>   -bash-2.05b# uname -a
>   Linux blackbird-vm2 2.4.21-53.EL #1 Wed Nov 14 04:02:23 EST 2007
>   i686 i686 i386 GNU/Linux
>   -bash-2.05b#
> 
> However, /usr/rcf-krb5/bin/kinit jblaine at RCF.FOO.COM works
> fine on a Solaris 9 box (which has our MIT krb5 build).
> 
> BOTH hosts have the same exact /etc/krb5.conf
> 
> krb5kdc says:
> 
>   Dec 07 15:46:49 silmaril.foo.com krb5kdc[26865](info):
>   AS_REQ (5 etypes {16 23 1 3 2}) 129.xx.xx.xx: ISSUE: authtime
>   1197060409, etypes {rep=1 tkt=16 ses=16}, jblaine at RCF.FOO.COM
>   for krbtgt/RCF.FOO.COM at RCF.FOO.COM
> 
> Principal looks like:
> 
>   kadmin:  getprinc jblaine
>   Principal: jblaine at RCF.FOO.COM
>   Expiration date: Wed Dec 30 19:00:00 EST 2037
>   Last password change: [never]
>   Password expiration date: [none]
>   Maximum ticket life: 14 days 00:00:00
>   Maximum renewable life: 7 days 00:00:00
>   Last modified: Mon Oct 29 21:08:00 EDT 2007 (jblaine at RCF.FOO.COM)
>   Last successful authentication: [never]
>   Last failed authentication: [never]
>   Failed password attempts: 0
>   Number of keys: 1
>   Key: vno 5, DES cbc mode with CRC-32, AFS version 3
>   Attributes:
>   Policy: [none]
>   kadmin:
> 
> 



More information about the Kerberos mailing list