password incorrect but it's not, works fine with Solaris + MIT?

Jeff Blaine jblaine at kickflop.net
Tue Dec 11 16:54:11 EST 2007


I lied.  RHELv4 krb5 works fine.  Anyway, back to
RHELv3...

I updated the krb5 RPMs on the box which brought me to
a whopping -67 1.2.7 release.

   * No improvement.

I built MIT Kerberos 1.6 from scratch on the box.

   * kinit works fine for jblaine (des-cbc-crc:afs3)

Removed any enctype definitions from /etc/krb5.conf

   * kinit works fine for jblaine (des-cbc-crc:afs3)

Removed any enctype definitions from kdc.conf

   * kinit works fine for jblaine (des-cbc-crc:afs3)

So the obvious answer is to trash RHELv3 krb5
and build our own which is really frustrating.

Jeff Blaine wrote:
> Thanks for the replies, Steve and Marcus.
> 
> I have no enctype settings specified in either my kdc.conf
> or krb5.conf on the client(s) as I was under the impression
> that was the best practice.
> 
> Steve, from what I understand, you did not require all users
> to change passwords (re-key) in order for things to work,
> correct?
> 
> I've tried adding explicit enctype settings in both kdc.conf
> and krb5.conf (a list including the defaults according to
> the MIT krb5 docs + des-cbc-crc:afs3) and that did not seem
> to help any.
> 
> I also tested this on a RHELv4 box (instead of the RHELv3
> box mentioned in the original message to the list) and got
> the same error.
> 
> Jeff Blaine wrote:
>> What am I doing wrong this time?
>>
>>   -bash-2.05b# /usr/kerberos/bin/kinit jblaine@RCF.FOO.COM
>>   Password for jblaine@RCF.FOO.COM:
>>   kinit(v5): Password incorrect while getting initial credentials
>>   -bash-2.05b#
>>
>>   -bash-2.05b# rpm -qa | grep krb5
>>   krb5-workstation-1.2.7-38
>>   krb5-libs-1.2.7-38
>>   pam_krb5-1.70-1
>>   krb5-devel-1.2.7-38
>>   -bash-2.05b# uname -a
>>   Linux blackbird-vm2 2.4.21-53.EL #1 Wed Nov 14 04:02:23 EST 2007
>>   i686 i686 i386 GNU/Linux
>>   -bash-2.05b#
>>
>> However, /usr/rcf-krb5/bin/kinit jblaine@RCF.FOO.COM works
>> fine on a Solaris 9 box (which has our MIT krb5 build).
>>
>> BOTH hosts have the same exact /etc/krb5.conf
>>
>> krb5kdc says:
>>
>>   Dec 07 15:46:49 silmaril.foo.com krb5kdc[26865](info):
>>   AS_REQ (5 etypes {16 23 1 3 2}) 129.xx.xx.xx: ISSUE: authtime
>>   1197060409, etypes {rep=1 tkt=16 ses=16}, jblaine@RCF.FOO.COM
>>   for krbtgt/RCF.FOO.COM@RCF.FOO.COM
>>
>> Principal looks like:
>>
>>   kadmin:  getprinc jblaine
>>   Principal: jblaine@RCF.FOO.COM
>>   Expiration date: Wed Dec 30 19:00:00 EST 2037
>>   Last password change: [never]
>>   Password expiration date: [none]
>>   Maximum ticket life: 14 days 00:00:00
>>   Maximum renewable life: 7 days 00:00:00
>>   Last modified: Mon Oct 29 21:08:00 EDT 2007 (jblaine@RCF.FOO.COM)
>>   Last successful authentication: [never]
>>   Last failed authentication: [never]
>>   Failed password attempts: 0
>>   Number of keys: 1
>>   Key: vno 5, DES cbc mode with CRC-32, AFS version 3
>>   Attributes:
>>   Policy: [none]
>>   kadmin:
>>
>>
> 
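
Added example, not part of the original messages: a small decoder for the krb5kdc AS_REQ entry quoted above. It shows that the KDC logged ISSUE and encrypted its reply under etype 1 (des-cbc-crc), which matches the principal's single key, while the ticket and session keys use etype 16. The function names, the etype table, and the re-joined sample line (with `@` in the principal names) are assumptions of this example.

```python
import re

# Kerberos encryption type numbers (IANA registry; RFC 3961, 3962, 4757).
ETYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
SINGLE_DES = {1, 2, 3}  # single-DES etypes, long considered weak

# Matches AS_REQ entries that carry an "etypes {rep=.. tkt=.. ses=..}" block.
AS_REQ = re.compile(
    r"AS_REQ \(\d+ etypes \{(?P<offered>[\d ]+)\}\) \S+: (?P<status>[A-Z_]+):"
    r".*?etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}"
)

def etype_name(number):
    return ETYPES.get(number, f"etype-{number}")

def decode_as_req(line):
    """Decode the etype negotiation in one krb5kdc AS_REQ entry, or return None."""
    m = AS_REQ.search(" ".join(line.split()))  # undo mail line-wrapping
    if m is None:
        return None
    offered = [int(n) for n in m["offered"].split()]
    rep, tkt, ses = int(m["rep"]), int(m["tkt"]), int(m["ses"])
    return {
        "status": m["status"],
        "client_offered": [etype_name(n) for n in offered],  # client preference order
        "reply_key": etype_name(rep),    # key encrypting the AS-REP (user's key)
        "ticket_key": etype_name(tkt),   # key encrypting the TGT (krbtgt key)
        "session_key": etype_name(ses),
        "reply_key_offered": rep in offered,
        "reply_key_single_des": rep in SINGLE_DES,
    }

# The log entry from the thread, re-joined onto one line for this example.
SAMPLE = (
    "Dec 07 15:46:49 silmaril.foo.com krb5kdc[26865](info): "
    "AS_REQ (5 etypes {16 23 1 3 2}) 129.xx.xx.xx: ISSUE: authtime "
    "1197060409, etypes {rep=1 tkt=16 ses=16}, jblaine@RCF.FOO.COM "
    "for krbtgt/RCF.FOO.COM@RCF.FOO.COM"
)

if __name__ == "__main__":
    for field, value in decode_as_req(SAMPLE).items():
        print(f"{field:22} {value}")
```
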


