Error configuring Kerberos and OpenDS
Tiago Elvas
tiagoelvas at gmail.com
Wed Feb 22 14:41:15 EST 2012
Thanks for the tip.
I now have the following error:
Feb 22 20:39:37 ldapserver krb5kdc[10211](info): AS_REQ (5 etypes {3 1 23
16 17}) 172.23.14.210: NEEDED_PREAUTH: kerberos-test at MYDOMAIN.COM for
krbtgt/MYDOMAIN.COM at MYDOMAIN.COM, Additional pre-authentication required
Feb 22 20:39:37 ldapserver krb5kdc[10211](info): preauth (timestamp) verify
failure: Decrypt integrity check failed
Feb 22 20:39:37 ldapserver krb5kdc[10211](info): AS_REQ (5 etypes {3 1 23
16 17}) 172.23.14.210: PREAUTH_FAILED: kerberos-test at MYDOMAIN.COM for
krbtgt/MYDOMAIN.COM at MYDOMAIN.COM, Decrypt integrity check failed
Any clue on what's failing?
Another question, how should I configure openDS access control to accept
GSSAPI with kerberos tickets?
Thanks in advance
On Tue, Feb 21, 2012 at 5:28 PM, Mantas M. <grawity at gmail.com> wrote:
> On Tue, Feb 21, 2012 at 11:23:04AM +0100, Tiago Elvas wrote:
> > NO PREAUTH: authtime 0, kerberos-test at MYDOMAIN.COM for
> > ldap/ldapserver.mydomain.com at MYDOMAIN.COM, Generic error (see e-text)
>
> A common case for this is that the 'kerberos-test at MYDOMAIN.COM' principal
> is missing the "requires_preauth" flag, causing the TGT & tickets to be
> obtained without preauth, which the LDAP server requires.
>
> kadmin: modprinc +requires_preauth kerberos-test
>
> Although the 'kdc.conf' given in an earlier message /does/ have this in
> 'default_principal_flags'...
>
> --
> Mantas Mikulėnas <grawity at gmail.com>
>
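Added example, not part of the original thread: a small parser for the `krb5kdc` AS_REQ failure lines quoted in this message. It decodes the offered etype numbers and counts PREAUTH_FAILED events per client and address. The sample input is constructed from the log lines above (unwrapped, with the archive's " at " restored to "@"); the function names are hypothetical.

```python
import re

# Names from the IANA Kerberos encryption type registry.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
          23: "arcfour-hmac"}
DEPRECATED = {1, 3, 16, 23}  # DES (RFC 6649), 3DES and RC4 (RFC 8429)

# Constructed sample: the three log entries from the message, unwrapped.
SAMPLE = """\
Feb 22 20:39:37 ldapserver krb5kdc[10211](info): AS_REQ (5 etypes {3 1 23 16 17}) 172.23.14.210: NEEDED_PREAUTH: kerberos-test@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Additional pre-authentication required
Feb 22 20:39:37 ldapserver krb5kdc[10211](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Feb 22 20:39:37 ldapserver krb5kdc[10211](info): AS_REQ (5 etypes {3 1 23 16 17}) 172.23.14.210: PREAUTH_FAILED: kerberos-test@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Decrypt integrity check failed
"""

# Matches only AS_REQ lines of the "<STATUS>: client for server, text" form.
AS_REQ = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(\d+ etypes \{(?P<etypes>[\d ]+)\}\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): (?P<client>\S+) for (?P<server>\S+), "
    r"(?P<text>.*)")

def parse_as_req(log):
    """Return one dict per matching AS_REQ line; other lines are skipped."""
    events = []
    for line in log.splitlines():
        m = AS_REQ.search(line)
        if m:
            ev = m.groupdict()
            ev["etypes"] = [int(n) for n in m["etypes"].split()]
            events.append(ev)
    return events

def preauth_failures(events):
    """Per (client, addr): PREAUTH_FAILED count and deprecated etypes offered."""
    out = {}
    for ev in events:
        if ev["status"] != "PREAUTH_FAILED":
            continue  # NEEDED_PREAUTH alone is the normal first leg of a login
        rec = out.setdefault((ev["client"], ev["addr"]), {"count": 0, "weak": set()})
        rec["count"] += 1  # KDC could not decrypt the timestamp with the stored key
        rec["weak"].update(ETYPES[n] for n in ev["etypes"] if n in DEPRECATED)
    return out

if __name__ == "__main__":
    for key, rec in preauth_failures(parse_as_req(SAMPLE)).items():
        print(key, rec["count"], sorted(rec["weak"]))
```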