kpasswd responds with Server error: Failed decrypting request

drjlove@gmail.com
Mon Sep 24 02:17:48 EDT 2007


Hi all,

I am unable to use kpasswd to change a Kerberos principal's password.

For the first time I'm setting up a LDAP+Kerberos system. I have set
everything up on a single (linux/Fedora) machine with openldap and the
MIT (I believe) KRB5 packages.

I have set up the system hosting Kerberos/LDAP such that, as a unix
user listed in /etc/passwd, I can log into the machine and also be
authenticated to Kerberos, and such that 'ldapwhoami' also works.
Kerberos is doing the authentication (in my shadow password file I
have *K* in the password field, so I know I'm not getting in by the
standard unix access).

When I log in to the machine I can do the following:

$ ssh 10.0.1.102
jamie@10.0.1.102's password:
Last login: Mon Sep 24 15:30:53 2007 from 10.8.0.6
[jamiel@janeiro ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_505_d6jBsX
Default principal: jamie@aviarc.com.au

Valid starting     Expires            Service principal
09/24/07 16:07:17  09/25/07 02:07:17  krbtgt/example.com@example.com
        renew until 09/24/07 16:07:17

Kerberos 4 ticket cache: /tmp/tkt505
klist: You have no tickets cached
[jamie@janeiro ~]$ ldapwhoami -h janeiro
SASL/GSSAPI authentication started
SASL username: jamie@aviarc.com.au
SASL SSF: 56
SASL installing layers
dn:uid=jamie,ou=people,dc=example,dc=com
Result: Success (0)
[jamie@janeiro ~]$

I can do an ldapsearch and see all the data in the LDAP directory (as
an aside, ldap commands require the -h option for the host for some
reason, but I assume that is an LDAP, not a Kerberos, problem).

So I'm quite happy with this, but I want to change my password, so I
do:

[jamie@janeiro ~]$ kpasswd
Password for jamie@example.com
Enter new password:
Enter it again:
Server error: Failed decrypting request
[jamie@janeiro ~]$


This is my problem. I have no idea why this error occurs. The log
says:

Sep 24 16:11:07 janeiro.example.com krb5kdc[7796](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.1.102: ISSUE: authtime 1190614267, etypes {rep=16 tkt=16 ses=16}, jamie@example.com for kadmin/changepw@example.com
Sep 24 16:11:07 janeiro.example.com krb5kdc[7796](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.1.102: ISSUE: authtime 1190614267, etypes {rep=16 tkt=16 ses=16}, jamie@example.com for kadmin/changepw@example.com

(there are two lines in the log file).

My principals in Kerberos are:

kadmin:  listprincs
K/M@example.com
jamie/admin@example.com
jamie@example.com
kadmin/admin@example.com
kadmin/changepw@example.com
kadmin/history@example.com
kadmin/janeiro.example.com@example.com
krbtgt/example.com@example.com
ldap/janeiro.example.com@example.com

Using kadmin (or kadmin.local) I can change the password for
principals.

Does anyone have any ideas?
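
As an added example (not part of the original post), here is the wire framing of the change-password protocol that kpasswd speaks (RFC 3244) together with the decoding of the reply's result code, in Python. The "Server error" prefix in the kpasswd output above is the MIT client's rendering of result code 2 (KRB5_KPASSWD_HARDERROR), and "Failed decrypting request" is the string MIT kadmind (kadmin/server/schpw.c) attaches when krb5_rd_priv() on the KRB-PRIV part of the request fails, a step that comes after the AP-REQ has already been accepted. The AP-REQ and KRB-PRIV bodies below are constructed placeholder byte strings, not real DER-encoded Kerberos messages; no Kerberos cryptography is performed, only the framing and result-code handling are exercised.

```python
"""Framing of the Kerberos change-password protocol that kpasswd speaks (RFC 3244).

Added example, not from the original post. The AP-REQ / KRB-PRIV bodies used
below are constructed placeholder byte strings, not real DER-encoded Kerberos
messages; only the envelope and the reply result codes are exercised here.
"""
import struct

# Protocol version field: 0x0001 for the original change-password request
# (what MIT kpasswd sends), 0xff80 for the RFC 3244 set-password extension.
VERSION_CHANGEPW = 0x0001
VERSION_SETPW = 0xFF80

# Result codes carried in the first two bytes of the reply KRB-PRIV's user data
# (values from RFC 3244 / MIT krb5.h).
RESULT_NAMES = {
    0: "KRB5_KPASSWD_SUCCESS",
    1: "KRB5_KPASSWD_MALFORMED",
    2: "KRB5_KPASSWD_HARDERROR",
    3: "KRB5_KPASSWD_AUTHERROR",
    4: "KRB5_KPASSWD_SOFTERROR",
    5: "KRB5_KPASSWD_ACCESSDENIED",
    6: "KRB5_KPASSWD_BAD_VERSION",
    7: "KRB5_KPASSWD_INITIAL_FLAG_NEEDED",
}

# Prefix the MIT kpasswd client prints in front of the server's result string
# (krb5_chpw_result_code_string); other codes get the generic fallback.
CLIENT_PREFIX = {
    1: "Malformed request error",
    2: "Server error",
    3: "Authentication error",
    4: "Password change rejected",
}
CLIENT_FALLBACK = "Password change failed"


class KpasswdFramingError(ValueError):
    """Raised when a kpasswd request/reply envelope is malformed."""


def build_envelope(first: bytes, krb_priv: bytes, version: int = VERSION_CHANGEPW) -> bytes:
    """Wrap an AP-REQ (request) or AP-REP (reply) plus a KRB-PRIV in the RFC 3244
    envelope: big-endian 16-bit total length, version, and first-part length."""
    total = 6 + len(first) + len(krb_priv)
    if total > 0xFFFF:
        raise KpasswdFramingError("message does not fit a 16-bit length field")
    return struct.pack(">HHH", total, version, len(first)) + first + krb_priv


def parse_envelope(msg: bytes) -> dict:
    """Split an envelope into version, AP-REQ/AP-REP part and KRB-PRIV part,
    checking every length field against the bytes actually present."""
    if len(msg) < 6:
        raise KpasswdFramingError("envelope shorter than its 6-byte header")
    total, version, first_len = struct.unpack(">HHH", msg[:6])
    if total != len(msg):
        raise KpasswdFramingError(f"length field says {total}, got {len(msg)} bytes")
    if version not in (VERSION_CHANGEPW, VERSION_SETPW):
        raise KpasswdFramingError(f"unknown protocol version 0x{version:04x}")
    if 6 + first_len > total:
        raise KpasswdFramingError("AP-REQ/AP-REP length overruns the message")
    krb_priv = msg[6 + first_len:]
    if not krb_priv:
        raise KpasswdFramingError("no KRB-PRIV part after the AP-REQ/AP-REP")
    return {"version": version, "first": msg[6:6 + first_len], "krb_priv": krb_priv}


def is_well_formed(msg: bytes) -> bool:
    """True if the envelope parses without a framing error."""
    try:
        parse_envelope(msg)
        return True
    except KpasswdFramingError:
        return False


def parse_result(user_data: bytes) -> tuple:
    """Decode the plaintext user data of a reply KRB-PRIV: a 2-byte result code
    followed by the server's free-text result string."""
    if len(user_data) < 2:
        raise KpasswdFramingError("result user data shorter than 2 bytes")
    (code,) = struct.unpack(">H", user_data[:2])
    text = user_data[2:].decode("utf-8", errors="replace")
    return code, RESULT_NAMES.get(code, "UNKNOWN"), text


def client_message(code: int, text: str) -> str:
    """Reproduce the line the MIT kpasswd client prints for a non-zero result."""
    prefix = CLIENT_PREFIX.get(code, CLIENT_FALLBACK)
    return f"{prefix}: {text}" if text else prefix


if __name__ == "__main__":
    # Constructed placeholders standing in for the real ASN.1 messages.
    fake_ap_req = b"\x6e\x03AP1"
    fake_krb_priv = b"\x75\x04PRIV"
    req = build_envelope(fake_ap_req, fake_krb_priv)
    parts = parse_envelope(req)
    print("request version 0x%04x, AP-REQ %d bytes, KRB-PRIV %d bytes"
          % (parts["version"], len(parts["first"]), len(parts["krb_priv"])))

    # Constructed reply user data carrying the error from the post: kadmind sets
    # KRB5_KPASSWD_HARDERROR with this string when krb5_rd_priv() fails.
    reply_user_data = struct.pack(">H", 2) + b"Failed decrypting request"
    code, name, text = parse_result(reply_user_data)
    print(name, "->", client_message(code, text))
```

The practical point of the split is that the two kadmind error strings come from different stages: "Failed reading application request" (code 3) means the AP-REQ for kadmin/changepw was rejected, while "Failed decrypting request" (code 2) means the ticket was accepted and the failure is in unwrapping the KRB-PRIV, which krb5_rd_priv() rejects for a bad session key, a replay, or a sender address that does not match the one the server sees. The KDC log only records the ticket being issued, so on its own it cannot tell those cases apart.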
