Error configuring Kerberos and OpenDS

Tiago Elvas tiagoelvas at gmail.com
Wed Feb 22 14:41:15 EST 2012


Thanks for the tip.

I now have the following error:

Feb 22 20:39:37 ldapserver krb5kdc[10211](info): AS_REQ (5 etypes {3 1 23
16 17}) 172.23.14.210: NEEDED_PREAUTH: kerberos-test at MYDOMAIN.COM for
krbtgt/MYDOMAIN.COM at MYDOMAIN.COM, Additional pre-authentication required
Feb 22 20:39:37 ldapserver krb5kdc[10211](info): preauth (timestamp) verify
failure: Decrypt integrity check failed
Feb 22 20:39:37 ldapserver krb5kdc[10211](info): AS_REQ (5 etypes {3 1 23
16 17}) 172.23.14.210: PREAUTH_FAILED: kerberos-test at MYDOMAIN.COM for
krbtgt/MYDOMAIN.COM at MYDOMAIN.COM, Decrypt integrity check failed

Any clue on what's failing?

Another question, how should I configure OpenDS access control to accept
GSSAPI with Kerberos tickets?

Thanks in advance



On Tue, Feb 21, 2012 at 5:28 PM, Mantas M. <grawity at gmail.com> wrote:

> On Tue, Feb 21, 2012 at 11:23:04AM +0100, Tiago Elvas wrote:
> > NO PREAUTH: authtime 0,  kerberos-test at MYDOMAIN.COM for
> > ldap/ldapserver.mydomain.com at MYDOMAIN.COM, Generic error (see e-text)
>
> A common case for this is that the 'kerberos-test at MYDOMAIN.COM' principal
> is missing the "requires_preauth" flag, causing the TGT & tickets to be
> obtained without preauth, which the LDAP server requires.
>
> kadmin:  modprinc +requires_preauth kerberos-test
>
> Although the 'kdc.conf' given in an earlier message /does/ have this in
> 'default_principal_flags'...
>
> --
> Mantas Mikulėnas <grawity at gmail.com>
>
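
An added example, not part of the original messages: a small Python parser for the krb5kdc AS_REQ lines quoted above. It counts PREAUTH_FAILED per client address and principal, treats NEEDED_PREAUTH as the normal first leg of a preauthenticated login, and lists the single-DES and RC4 etypes the client offered. The function names and the sample text are assumptions made for this example; the sample is the log excerpt above, unwrapped, with the archive's " at " written back as "@".

```python
import re
from collections import Counter

# Constructed sample: the three KDC log entries from the message above, each
# unwrapped onto one line, with the list archive's " at " restored to "@".
SAMPLE_LOG = """\
Feb 22 20:39:37 ldapserver krb5kdc[10211](info): AS_REQ (5 etypes {3 1 23 16 17}) 172.23.14.210: NEEDED_PREAUTH: kerberos-test@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Additional pre-authentication required
Feb 22 20:39:37 ldapserver krb5kdc[10211](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Feb 22 20:39:37 ldapserver krb5kdc[10211](info): AS_REQ (5 etypes {3 1 23 16 17}) 172.23.14.210: PREAUTH_FAILED: kerberos-test@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Decrypt integrity check failed
"""

# Kerberos encryption type numbers that can appear in the "etypes {...}" list.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK = {1, 3, 23}  # single DES and RC4

# Matches only the challenged/failed AS_REQ form shown in the excerpt above.
AS_REQ = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(\d+ etypes \{(?P<etypes>[\d ]+)\}\) "
    r"(?P<ip>\S+): (?P<status>[A-Z_]+): (?P<client>\S+) for (?P<server>[^\s,]+), (?P<text>.*)$"
)

def parse_as_req(line):
    """Hypothetical helper: return the fields of one AS_REQ line, or None."""
    m = AS_REQ.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]
    return rec

def summarize(log_text):
    """Return (PREAUTH_FAILED count per (ip, client), weak etypes offered per ip)."""
    failed, weak = Counter(), {}
    for line in log_text.splitlines():
        rec = parse_as_req(line)
        if rec is None:
            continue
        weak.setdefault(rec["ip"], set()).update(WEAK & set(rec["etypes"]))
        # NEEDED_PREAUTH is the KDC asking for preauth, not a failure; only
        # PREAUTH_FAILED means the client's encrypted timestamp did not verify.
        if rec["status"] == "PREAUTH_FAILED":
            failed[(rec["ip"], rec["client"])] += 1
    return failed, weak

if __name__ == "__main__":
    failed, weak = summarize(SAMPLE_LOG)
    print(dict(failed))
    print({ip: sorted(ETYPES[e] for e in ets) for ip, ets in weak.items()})
```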