Whose telnetd and login are you using? I can see that telnetd is receiving your forwarded tickets (and if this is that telnetd that comes with krb5 it is putting them in a ticket file and setting KRB5CCNAME). Then, depending on how you compiled it, it should hopefully be passing '-f' or '-F' to login to tell it what's up. Your login can then decide to honor/not-honor these forwarded credentials (probably through the krb5_kuserok function).

John

> Hi,
>
> Actually, on rereading the stuff I pasted below, I realized that
> my local password _hadn't_ worked. So I tried things again, and here is
> what I now get :
>
> ken@sid:~$ [EMAIL PROTECTED] telnet -axF -k ebiz.austin.ibm.com ebiz.austin.ibm.com
> Trying A.B.C.D...
> Connected to ebiz.austin.ibm.com (A.B.C.D).
> Escape character is '^]'. <telnet
> Waiting for encryption to be negotiated... <telnet
> [ Kerberos V5 accepts you as ``[EMAIL PROTECTED]'' ] <telnet
> [ Kerberos V5 accepted forwarded credentials ] <telnet
> done. <telnet
> Password for [EMAIL PROTECTED]: <???
> Login incorrect <???
> login: y2kmvs <login
> Password for y2kmvs: <login
> Last login: Tue Jan 14 15:15:21 from kenneth.austin.ibm.com < :
> login/v4: Cannot contact any KDC for requested realm converting to V4 credentials
> [EMAIL PROTECTED]: Internal credentials cache error when initializing cache
> Linux ebiz.austin.ibm.com 2.2.20 #2 Fri Dec 7 18:28:51 CST 2001 i586 unknown
>
> This time, the DCE password didn't work at the "Password for
> y2kmvs@..." prompt, but worked three lines down. Again, any ideas?
>
> Thanks,
> Kenneth
>
> ---------- Forwarded message ----------
> Date: Tue, 14 Jan 2003 15:18:34 -0600 (CST)
> From: Kenneth Stephen <[EMAIL PROTECTED]>
> To: Ken Hornstein <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: Problems with kerberized telnetd and telnet - progress!
>
> On Tue, 14 Jan 2003, Ken Hornstein wrote:
>
> > >[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Decrypt integrity check failed ]
> >
> > This means, essentially, "Password incorrect", and that means that the
> > password (key) in your keytab doesn't match the one stored in your KDC
> > for this principal. You'll have to get them in sync somehow (I don't
> > really know that much about DCE to help you).
> >
> Ken,
>
> Even though I couldn't believe that the password was incorrect (I
> had carefully typed in the passwords on the DCE and Kerberos side), I
> checked my assumptions and found out that you were correct. Here is what I
> get now :
>
> ken@sid:~$ kinit [EMAIL PROTECTED]
> Password for [EMAIL PROTECTED]:
> ken@sid:~$ [EMAIL PROTECTED] telnet -axF -k ebiz.austin.ibm.com ebiz.austin.ibm.com
> Trying A.B.C.D.
> Connected to ebiz.austin.ibm.com (A.B.C.D).
> Escape character is '^]'.
> Waiting for encryption to be negotiated...
> [ Kerberos V5 accepts you as ``[EMAIL PROTECTED]'' ]
> [ Kerberos V5 accepted forwarded credentials ]
> done.
> Password for [EMAIL PROTECTED]:
> Login incorrect
> login: y2kmvs
> Password for y2kmvs:
> y2kmvs: Kerberos password incorrect
> Kerberos error: Can't send request (send_to_kdc)
> Last login: Tue Jan 14 13:46:44 from kenneth.austin.ibm.com
> login/v4: Cannot contact any KDC for requested realm converting to V4 credentials
> Linux ebiz.austin.ibm.com 2.2.20 #2 Fri Dec 7 18:28:51 CST 2001 i586 unknown
>
> Actually, I wasn't expecting a password prompt at all. Furthermore,
> the password that finally worked isn't the DCE/Kerberos password but the
> local password for the id y2kmvs. Any ideas as to what gives?
>
> Thanks,
> Kenneth
>
> ________________________________________________
> Kerberos mailing list [EMAIL PROTECTED]
> http://mailman.mit.edu/mailman/listinfo/kerberos
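
The reply at the top of this message says login can honor or refuse the forwarded credentials, probably through krb5_kuserok. The following is an added example, not code from the thread or from MIT krb5: a simplified Python model of that function's default decision (the .k5login check with its ownership rule, and the default-realm fallback), run against a constructed home directory. The realm EXAMPLE.COM, the principals and the helper names are assumptions made for illustration; only the account name y2kmvs comes from the thread.

```python
import os
import tempfile

def owner_ok(file_uid, luser_uid):
    # .k5login is honoured only when owned by the target account or by root.
    return file_uid == luser_uid or file_uid == 0

def aname_to_localname(principal, default_realm):
    # Default mapping only: a single-component principal in the default realm.
    name, _, realm = principal.rpartition("@")
    if not name or "/" in name or realm != default_realm:
        return None
    return name

def kuserok_model(principal, luser, luser_uid, k5login_path, default_realm):
    """Model: is `principal` authorized to use local account `luser`?"""
    if not os.path.exists(k5login_path):
        # No .k5login: allow only a principal that maps to this very account.
        return aname_to_localname(principal, default_realm) == luser
    if not owner_ok(os.stat(k5login_path).st_uid, luser_uid):
        return False
    with open(k5login_path) as fh:
        # One principal per line, exact match; the default mapping no longer applies.
        return any(line.strip() == principal for line in fh)

def demo():
    realm = "EXAMPLE.COM"                                  # constructed realm
    own, other = "y2kmvs@EXAMPLE.COM", "ken@EXAMPLE.COM"   # constructed principals
    with tempfile.TemporaryDirectory() as home:            # stands in for ~y2kmvs
        path, uid = os.path.join(home, ".k5login"), os.getuid()
        before = [kuserok_model(p, "y2kmvs", uid, path, realm) for p in (own, other)]
        with open(path, "w") as fh:
            fh.write(other + "\n")
        after = [kuserok_model(p, "y2kmvs", uid, path, realm) for p in (own, other)]
    return before, after

if __name__ == "__main__":
    print(demo())
```

In this model a principal whose name differs from the local account is refused until the account's .k5login lists it, and once that file exists only the principals listed in it are accepted.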