Elrond <[EMAIL PROTECTED]> writes:

> Okay, this gets weird.
>
> Base result: shishi works.
>
>
> For the fun / which starts to confuse me:
>
> heimdal:
>   I have service accounts in my heimdal-kdc that work,
>   and I have ones, that don't. I can't really see the
>   difference. Even doing a "cpw -r broken/service"
>   (which makes new keys), doesn't help those services.
>   Newly created principals usually work.

What's the error in the KDC log? Can you re-try the same query a few times? I recall problems with negative ASN.1 integers in some field that contain random data. Sometimes the random data result in a negative ASN.1 integer, and there was some problem in handling them. If the same request works only sometimes, then this may be the cause.

> w2k3:
>   clock skew:
>     If the w2k3-box is 21 seconds ahead of my local box,
>     I get some "generic error" as TGT time.
>     If my local box is about a minute ahead, I can at
>     least get a TGT.
>   service tickets:
>     Do not work.
>
>
> What would help you next? For the w2k3-kdc, I can do nearly
> everything, including sending you -v*4 and network
> captures. For the heimdal one, I have to see (it's half
> toy, half real.)

Let's start with the w2k3-kdc -v -v -v -v logs for a working TGT request, and then one for a service ticket that fails. Run 'shishi -d' before, to make sure there aren't any old tickets around.

Thanks!
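One way the intermittent failure mentioned in the reply above can arise, as an added example (not part of the original message, and not Shishi, Heimdal or Windows code): a random 32-bit value written as a DER INTEGER without the leading 0x00 octet decodes as negative whenever its top bit is set, so about half of otherwise identical requests break. The function names and the 32-bit random field are assumptions made for illustration.

```python
import random


def der_encode_integer(value: int) -> bytes:
    """Correct DER INTEGER: minimal two's-complement body, short-form length."""
    length = 1
    while not -(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1)):
        length += 1
    body = value.to_bytes(length, "big", signed=True)
    return bytes([0x02, len(body)]) + body


def der_decode_integer(encoded: bytes) -> int:
    """Decode a short-form DER INTEGER; the body is always signed."""
    if len(encoded) < 3 or encoded[0] != 0x02 or encoded[1] != len(encoded) - 2:
        raise ValueError("not a short-form DER INTEGER")
    return int.from_bytes(encoded[2:], "big", signed=True)


def naive_encode_uint32(value: int) -> bytes:
    """Hypothetical buggy encoder: dumps 4 raw octets and never adds the
    0x00 pad that keeps a high-bit value positive."""
    return bytes([0x02, 4]) + value.to_bytes(4, "big")


def survives_round_trip(value: int) -> bool:
    """True if a strict peer would read back the value that was sent."""
    return der_decode_integer(naive_encode_uint32(value)) == value


def failure_rate(samples: int = 10000, seed: int = 1) -> float:
    """Fraction of constructed random 32-bit values the naive encoder breaks."""
    rng = random.Random(seed)
    bad = sum(not survives_round_trip(rng.getrandbits(32)) for _ in range(samples))
    return bad / samples


if __name__ == "__main__":
    for sample in (0x7FFFFFFF, 0x80000000):  # constructed sample values
        wire = naive_encode_uint32(sample)
        print(f"{sample:#010x} naive={wire.hex()} "
              f"correct={der_encode_integer(sample).hex()} "
              f"decoded={der_decode_integer(wire)}")
    print(f"share of random values that fail: {failure_rate():.2%}")
```

Repeating the same request several times, as the reply asks, separates this kind of data-dependent failure from a deterministic misconfiguration of the principal.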
