kpasswd responds with Server error: Failed decrypting request

Michael Calmer mc at suse.de
Mon Sep 24 03:48:08 EDT 2007


Hi,

Your problem may be IPv6. I saw the same. 

See also http://krbdev.mit.edu/rt/Ticket/Display.html?id=5595

On Monday, 24 September 2007, drjlove at gmail.com wrote:
> Hi all,
>
> I am unable to use kpasswd to change a kerberos principal's password.
>
> For the first time I'm setting up a LDAP+Kerberos system. I have set
> everything up on a single (linux/Fedora) machine with openldap and the
> MIT (I believe) KRB5 packages.
>
> I have set up the system hosting kerberos/ldap such that as a unix
> user listed in /etc/passwd I can log into the machine, and be also
> authenticated to kerberos, and such that 'ldapwhoami' also works.
> Kerberos is doing the authentication (in my shadow password file I
> have *K* in the password field, so I know I'm not getting in by the
> standard unix access).
>
> When I log in to the machine I can do the following:
>
> $ ssh 10.0.1.102
> jamie at 10.0.1.102's password:
> Last login: Mon Sep 24 15:30:53 2007 from 10.8.0.6
> [jamiel at janeiro ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_505_d6jBsX
> Default principal: jamie at aviarc.com.au
>
> Valid starting     Expires            Service principal
> 09/24/07 16:07:17  09/25/07 02:07:17  krbtgt/example.com at example.com
>         renew until 09/24/07 16:07:17
>
> Kerberos 4 ticket cache: /tmp/tkt505
> klist: You have no tickets cached
> [jamie at janeiro ~]$ ldapwhoami -h janeiro
> SASL/GSSAPI authentication started
> SASL username: jamie at aviarc.com.au
> SASL SSF: 56
> SASL installing layers
> dn:uid=jamie,ou=people,dc=example,dc=com
> Result: Success (0)
> [jamie at janeiro ~]$
>
> I can do a ldapsearch and see all the data in the ldap directory (as
> an aside, ldap commands require the -h option for the host for some
> reason but I assume that is an ldap, not a kerberos problem)
>
> So I'm quite happy with this, but I want to change my password, so I
> do:
>
> [jamie at janeiro ~]$ kpasswd
> Password for jamie at example.com
> Enter new password:
> Enter it again:
> Server error: Failed decrypting request
> [jamie at janeiro ~]$
>
>
> This is my problem. I have no idea why this error occurs. The log
> says:
>
> Sep 24 16:11:07 janeiro.example.com krb5kdc[7796](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 10.0.1.102: ISSUE: authtime 1190614267,
> etypes {rep=16 tkt=16 ses=16}, jamie at example.com for kadmin/
> changepw at example.com
> Sep 24 16:11:07 janeiro.example.com krb5kdc[7796](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 10.0.1.102: ISSUE: authtime 1190614267,
> etypes {rep=16 tkt=16 ses=16}, jamie at example.com for kadmin/
> changepw at example.com
>
> (there are two lines in the log file).
>
> My principals in kerberos are:
>
> kadmin:  listprincs
> K/M at example.com
> jamie/admin at example.com
> jamie at example.com
> kadmin/admin at example.com
> kadmin/changepw at example.com
> kadmin/history at example.com
> kadmin/janeiro.example.com at example.com
> krbtgt/example.com at example.com
> ldap/janeiro.example.com at example.com
>
> Using kadmin (or kadmin.local) I can change the password for
> principals.
>
> Does anyone have any ideas?
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos



-- 
Kind regards

	Michael Calmer

--------------------------------------------------------------------------
Michael Calmer
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
T: +49 (0) 911 74053 0
F: +49 (0) 911 74053575  - e-mail: Michael.Calmer at suse.com
--------------------------------------------------------------------------
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)



