Update: Sumit, you were right - my problem was related to user password. To
be more precise, it wasn't wrong password, but probably some password's
properties/policy. After resetting password via IPA console this user is
able to login. I don't understand why.
But I'm really want to understand what caused to this problem and what is
explanation to this magic pam_ldap vs pam_lap+pam_krb5 difference.


On Wed, Jun 26, 2013 at 1:00 PM, Vitaly <li...@karasik.org> wrote:

> Well, probably I missed something...
> I see  very weird thing: when my system-auth pam config *contains* pm_krb5
> module before pam_ldap, use can login. When there is just pam_ldap, user
> cannot login.
> In assumption that we're able to use LDAP authentication, but some wrong
> with Kerberos, situation should be opposite, IMHO.
>
> Password is right. BTW, is there any way  (increase debug level?) to get
> more meaningful message?
>
>
>
>
> On Wed, Jun 26, 2013 at 12:39 PM, Sumit Bose <sb...@redhat.com> wrote:
>
>> On Wed, Jun 26, 2013 at 12:28:57PM +0300, Vitaly wrote:
>> > How I should debug & fix "Decrypt integrity check failed"  problem?
>>
>> This typically means wrong password.
>>
>> HTH
>>
>> bye,
>> Sumit
>> >
>> > TIA,
>> > Vitaly
>> >
>> >
>> > Jun 26 09:06:10 serv02.prod.example.com krb5kdc[7748](info): AS_REQ (12
>> > etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.99.21:
>> NEEDED_PREAUTH:
>> > usern...@prod.example.com for krbtgt/prod.example....@prod.example.com,
>> > Additional pre-authentication required
>> > Jun 26 09:06:10 serv02.prod.example.com krb5kdc[7767](info): preauth
>> > (timestamp) verify failure: Decrypt integrity check failed
>> > Jun 26 09:06:10 serv02.prod.example.com krb5kdc[7767](info): AS_REQ (12
>> > etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.99.21:
>> PREAUTH_FAILED:
>> > usern...@prod.example.com for krbtgt/prod.example....@prod.example.com,
>> > Decrypt integrity check failed
>>
>> > _______________________________________________
>> > Freeipa-users mailing list
>> > Freeipa-users@redhat.com
>> > https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to