Oops, I was able to reproduce this again. The problem is that the clock on your KDC is slightly ahead of the client's clock. Try to run ntp on it.
The details are that shishi sends an AS-REQ and receives a ticket that isn't valid yet, and the logic then becomes confused and sends a TGS-REQ, which for some reason doesn't succeed. Perhaps heimdal checks whether the client's time is within the ticket lifetime, which it wouldn't be. I can reproduce this if I set the heimdal KDC clock 1 minute ahead. Syncing both client and KDC clocks makes it work again, and I can get a service ticket.

Output against heimdal, with preauth working, below.

/Simon

[EMAIL PROTECTED]:~/src/shishi$ shishi -d;~/src/shishi/src/shishi [EMAIL PROTECTED]
2 tickets removed.
libshishi: warning: `/usr/local/etc/shishi/shishi.conf': No such file or directory
libshishi: warning: /usr/local/etc/shishi/shishi.conf: No such file or directoryEnter password for [EMAIL PROTECTED]':
[EMAIL PROTECTED]:
Authtime: Sat Apr 22 11:10:00 2006
Endtime: Sat Apr 22 19:09:58 2006
Server: krbtgt/DOPIO.JOSEFSSON.ORG key aes256-cts-hmac-sha1-96 (18)
Ticket key: aes256-cts-hmac-sha1-96 (18) protected by aes256-cts-hmac-sha1-96 (18)
Ticket flags: INITIAL PREAUTHENT (1536)
[EMAIL PROTECTED]:~/src/shishi$ ~/src/shishi/src/shishi [EMAIL PROTECTED] host/latte
libshishi: warning: `/usr/local/etc/shishi/shishi.conf': No such file or directory
libshishi: warning: /usr/local/etc/shishi/shishi.conf: No such file or directorylibshishi: warning: KDC bug: Reply encrypted using wrong key.
[EMAIL PROTECTED]:
Authtime: Sat Apr 22 11:10:00 2006
Starttime: Sat Apr 22 11:10:03 2006
Endtime: Sat Apr 22 19:09:58 2006
Server: host/latte key aes256-cts-hmac-sha1-96 (18)
Ticket key: aes256-cts-hmac-sha1-96 (18) protected by aes256-cts-hmac-sha1-96 (18)
Ticket flags: PREAUTHENT TRANSITEDPOLICYCHECKED (5120)
[EMAIL PROTECTED]:~/src/shishi$

_______________________________________________
Help-shishi mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-shishi
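An added example, not part of the original message and not shishi or heimdal code: a diagnostic that reads the Authtime/Starttime/Endtime lines of a ticket listing like the one above and reports how far the ticket's start lies ahead of the client's clock, which is the symptom of a KDC clock running ahead. The function names, the client clock value and the five-minute default skew are assumptions made for illustration.

```python
from datetime import datetime, timedelta

TIME_FMT = "%a %b %d %H:%M:%S %Y"  # layout of the times printed in the listing

# Ticket times copied from the host/latte listing in the message above.
SAMPLE = """\
Authtime: Sat Apr 22 11:10:00 2006
Starttime: Sat Apr 22 11:10:03 2006
Endtime: Sat Apr 22 19:09:58 2006
Server: host/latte key aes256-cts-hmac-sha1-96 (18)
"""

def parse_ticket_times(listing):
    """Return a dict of the Authtime/Starttime/Endtime values found."""
    times = {}
    for line in listing.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key in ("Authtime", "Starttime", "Endtime"):
            times[key] = datetime.strptime(value.strip(), TIME_FMT)
    return times

def check_ticket(times, client_now, max_skew=timedelta(minutes=5)):
    """Classify a ticket against the client's clock.

    Returns (status, lead), where lead is how far the ticket's start is
    ahead of client_now. A positive lead suggests the KDC clock is ahead.
    max_skew is the tolerated difference (assumed default: 5 minutes).
    """
    # Starttime is optional in a ticket; Authtime is used when it is absent.
    start = times.get("Starttime", times["Authtime"])
    lead = start - client_now
    if client_now >= times["Endtime"]:
        return "expired", lead
    if lead > max_skew:
        return "not-yet-valid", lead
    if lead > timedelta(0):
        return "within-skew", lead
    return "valid", lead

if __name__ == "__main__":
    # Constructed client clock: one minute behind the ticket's Starttime.
    client_now = datetime(2006, 4, 22, 11, 9, 3)
    times = parse_ticket_times(SAMPLE)
    for skew in (timedelta(minutes=5), timedelta(0)):
        status, lead = check_ticket(times, client_now, skew)
        print(f"max_skew={skew}: {status}, ticket starts {lead} ahead")
```

Passing `max_skew=timedelta(0)` models a strict check of the client's time against the ticket lifetime, the behaviour the message guesses at; any positive lead is a reason to compare both hosts against the same time source.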
