cross realm trusts ..

Matt Bryant matthew.bryant at melbourneit.com.au
Thu Nov 28 00:09:41 EST 2013


All,

Having an issue creating a cross-realm trust between FreeIPA and a 
legacy krb5 realm. Have added the relevant one-way trust principals to 
both KDCs and configured up and can see requests being made to the KDC, but 
when trying to access a host from the new FreeIPA realm to the Kerberos 
realm, it's not working. Putting sshd into debug, I am seeing:

The server I am coming from:
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: Wrote 96 bytes for a total of 1205
debug1: Delegating credentials
debug3: Wrote 1328 bytes for a total of 2533
debug1: Delegating credentials
debug1: Unspecified GSS failure.  Minor code may provide more information
Generic error (see e-text)

debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: Wrote 96 bytes for a total of 2629
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: Wrote 96 bytes for a total of 2725
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: Wrote 96 bytes for a total of 2821
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password

The server I am going to:

debug3: mm_request_send entering: type 38
debug3: mm_request_receive entering
Postponed gssapi-with-mic for root from 203.147.190.30 port 42965 ssh2
debug3: mm_request_send entering: type 39
debug3: mm_request_receive_expect entering: type 40
debug3: mm_request_receive entering
debug3: monitor_read: checking request 39
debug1: Miscellaneous failure
ASN.1 identifier doesn't match expected value

debug1: Got no client credentials
debug3: mm_request_send entering: type 40
debug3: mm_request_receive entering
Failed gssapi-with-mic for root from 203.147.190.30 port 42965 ssh2
debug1: userauth-request for user root service ssh-connection method gssapi-with-mic
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method gssapi-with-mic
Failed gssapi-with-mic for root from 203.147.190.30 port 42965 ssh2
debug1: userauth-request for user root service ssh-connection method gssapi-with-mic
debug1: attempt 3 failures 3
debug2: input_userauth_request: try method gssapi-with-mic
Failed gssapi-with-mic for root from 203.147.190.30 port 42965 ssh2
debug1: userauth-request for user root service ssh-connection method gssapi-with-mic
debug1: attempt 4 failures 4
debug2: input_userauth_request: try method gssapi-with-mic
Failed gssapi-with-mic for root from 203.147.190.30 port 42965 ssh2
Connection closed by 203.147.190.30


How can I tell what's causing this ASN.1 error?

rgds

Matt B.

