Error configuring Kerberos and OpenDS
Tiago Elvas
tiagoelvas at gmail.com
Thu Feb 23 04:34:26 EST 2012
I have followed that tutorial to setup my machine without success, that's
when I wrote to this list initially.
As for the "Decrypt integrity check failed", I can do a kinit and
successfully receive a ticket. Eventually, what's failing could be that the
password is being encrypted in the client machine and then not successfully
decrypted on the server side, I don't really know..
As for the password itself I am sure it is being typed correctly :)
I still don't understand what is this pre-authentication, how it is
performed and how/when it is being used or checked. Could you clarify this?
Thanks once again,
Tiago
On Wed, Feb 22, 2012 at 8:44 PM, Mantas M. <grawity at gmail.com> wrote:
> On Wed, Feb 22, 2012 at 08:41:15PM +0100, Tiago Elvas wrote:
> > Thanks for the tip.
> >
> > I know have the following error:
> >
> > Feb 22 20:39:37 ldapserver krb5kdc[10211](info): AS_REQ (5 etypes {3 1 23
> > 16 17}) 172.23.14.210: NEEDED_PREAUTH: kerberos-test at MYDOMAIN.COM for
> > krbtgt/MYDOMAIN.COM at MYDOMAIN.COM, Additional pre-authentication required
> > Feb 22 20:39:37 ldapserver krb5kdc[10211](info): preauth (timestamp)
> verify
> > failure: Decrypt integrity check failed
> > Feb 22 20:39:37 ldapserver krb5kdc[10211](info): AS_REQ (5 etypes {3 1 23
> > 16 17}) 172.23.14.210: PREAUTH_FAILED: kerberos-test at MYDOMAIN.COM for
> > krbtgt/MYDOMAIN.COM at MYDOMAIN.COM, Decrypt integrity check failed
> >
> > Any clue on what's failing?
>
> "Decrypt integrity check failed" almost always means "the password given
> to `kinit` was incorrect".
>
> > Another question, how should I configure openDS access control to accept
> > GSSAPI with kerberos tickets?
>
> I believe this is already documented at <
> https://www.opends.org/wiki/page/GSSAPIConfiguration>.
>
> --
> Mantas M.
>
More information about the Kerberos
mailing list