Error configuring Kerberos and OpenDS

Mantas M. grawity at gmail.com
Wed Feb 22 14:44:03 EST 2012


On Wed, Feb 22, 2012 at 08:41:15PM +0100, Tiago Elvas wrote:
> Thanks for the tip.
> 
> I know have the following error:
> 
> Feb 22 20:39:37 ldapserver krb5kdc[10211](info): AS_REQ (5 etypes {3 1 23
> 16 17}) 172.23.14.210: NEEDED_PREAUTH: kerberos-test at MYDOMAIN.COM for
> krbtgt/MYDOMAIN.COM at MYDOMAIN.COM, Additional pre-authentication required
> Feb 22 20:39:37 ldapserver krb5kdc[10211](info): preauth (timestamp) verify
> failure: Decrypt integrity check failed
> Feb 22 20:39:37 ldapserver krb5kdc[10211](info): AS_REQ (5 etypes {3 1 23
> 16 17}) 172.23.14.210: PREAUTH_FAILED: kerberos-test at MYDOMAIN.COM for
> krbtgt/MYDOMAIN.COM at MYDOMAIN.COM, Decrypt integrity check failed
> 
> Any clue on what's failing?

"Decrypt integrity check failed" almost always means "the password given to `kinit` was incorrect".

> Another question, how should I configure openDS access control to accept
> GSSAPI with kerberos tickets?

I believe this is already documented at <https://www.opends.org/wiki/page/GSSAPIConfiguration>.

-- 
Mantas M.


More information about the Kerberos mailing list