Error configuring Kerberos and OpenDS
Tiago Elvas
tiagoelvas at gmail.com
Wed Mar 14 15:21:19 EDT 2012
So, I have been able to solve the pre auth problem but, a new one came
up...!
I log in as kerberos-test in the machine, I get the ticket correctly and I
am able to query the ldap database with ldapsearch.
However, when I log in as kerberos-test2 and perform the same query, I get
this error:
krb5kdc[3560](info): preauth (timestamp) verify failure: Decrypt integrity
> check failed
So the thing is: with "kerberos-test" user I have a correct
pre-authentication, but with "kerberos-test2" (or any other user btw) no.
What is causing this difference?
Best regards,
Tiago
On Thu, Feb 23, 2012 at 10:34 AM, Tiago Elvas <tiagoelvas at gmail.com> wrote:
> I have followed that tutorial to setup my machine without success, that's
> when I wrote to this list initially.
>
> As for the "Decrypt integrity check failed", I can do a kinit and
> successfully receive a ticket. Eventually, what's failing could be that the
> password is being encrypted in the client machine and then not successfully
> decrypted on the server side, I don't really know..
>
> As for the password itself I am sure it is being typed correctly :)
>
>
> I still don't understand what is this pre-authentication, how it is
> performed and how/when it is being used or checked. Could you clarify this?
>
> Thanks once again,
>
> Tiago
>
>
> On Wed, Feb 22, 2012 at 8:44 PM, Mantas M. <grawity at gmail.com> wrote:
>
>> On Wed, Feb 22, 2012 at 08:41:15PM +0100, Tiago Elvas wrote:
>> > Thanks for the tip.
>> >
>> > I know have the following error:
>> >
>> > Feb 22 20:39:37 ldapserver krb5kdc[10211](info): AS_REQ (5 etypes {3 1
>> 23
>> > 16 17}) 172.23.14.210: NEEDED_PREAUTH: kerberos-test at MYDOMAIN.COM for
>> > krbtgt/MYDOMAIN.COM at MYDOMAIN.COM, Additional pre-authentication
>> required
>> > Feb 22 20:39:37 ldapserver krb5kdc[10211](info): preauth (timestamp)
>> verify
>> > failure: Decrypt integrity check failed
>> > Feb 22 20:39:37 ldapserver krb5kdc[10211](info): AS_REQ (5 etypes {3 1
>> 23
>> > 16 17}) 172.23.14.210: PREAUTH_FAILED: kerberos-test at MYDOMAIN.COM for
>> > krbtgt/MYDOMAIN.COM at MYDOMAIN.COM, Decrypt integrity check failed
>> >
>> > Any clue on what's failing?
>>
>> "Decrypt integrity check failed" almost always means "the password given
>> to `kinit` was incorrect".
>>
>> > Another question, how should I configure openDS access control to accept
>> > GSSAPI with kerberos tickets?
>>
>> I believe this is already documented at <
>> https://www.opends.org/wiki/page/GSSAPIConfiguration>.
>>
>> --
>> Mantas M.
>>
>
>
More information about the Kerberos
mailing list