Re: Preauth and ticket forwarding

Tue, 07 Dec 2004 13:35:31 -0800 

On Tue, Dec 07, 2004 at 12:53:25PM -0800, Donn Cave wrote:
> In case it may help, you can find more detail about the
> preauthentication failure in the syslog output from the KDC.
> The error message can be a little misleading - I believe
> "No such file or directory" really means that the key was
> wrong.  Other errors are "no valid preauth type", which
> I think may commonly be a Microsoft issue, and "Clock skew
> too great."  These messages appear on a separate line, so
> you have to locate the failure event in the log and then
> look for diagnostic messages on the line before.

See, I would expect that, but all I get is this for multiple 
login attempts:

Dec 07 13:12:45 kerberos-1 krb5kdc[1163](info): AS_REQ (7 etypes {3 1 2 16 8 23 
0}) 10.1.16.253: NEEDED_PREAUTH: ptadmin
@IC.COM for krbtgt/[EMAIL PROTECTED], Additional pre-authentication required
Dec 07 13:13:16 kerberos-1 krb5kdc[1163](info): AS_REQ (7 etypes {3 1 2 16 8 23 
0}) 10.1.16.253: NEEDED_PREAUTH: ptadmin
@IC.COM for krbtgt/[EMAIL PROTECTED], Additional pre-authentication required
Dec 07 13:14:03 kerberos-1 krb5kdc[1163](info): AS_REQ (7 etypes {3 1 2 16 8 23 
0}) 10.1.16.253: NEEDED_PREAUTH: ptadmin
@IC.COM for krbtgt/[EMAIL PROTECTED], Additional pre-authentication required
Dec 07 13:15:06 kerberos-1 krb5kdc[1163](info): AS_REQ (7 etypes {3 1 2 16 8 23 
0}) 10.1.16.253: NEEDED_PREAUTH: ptadmin
@IC.COM for krbtgt/[EMAIL PROTECTED], Additional pre-authentication required

And this is the same message I get with a successful kinit from
elsewhere in the system:

Dec 07 11:43:34 kerberos-1 krb5kdc[1163](info): AS_REQ (7 etypes {18 17 16 23 1 
3 2}) 10.1.16.234: NEEDED_PREAUTH: ptadm
[EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED], Additional pre-authentication 
required
Dec 07 11:43:36 kerberos-1 krb5kdc[1163](info): AS_REQ (7 etypes {18 17 16 23 1 
3 2}) 10.1.16.234: ISSUE: authtime 11024
48616, etypes {rep=16 tkt=16 ses=16}, [EMAIL PROTECTED] for krbtgt/[EMAIL 
PROTECTED]

Thanks for the suggestion, though. I looked at some other log files but
I don't think the KDC is writing anywhere else; these lines are coming
from /var/krb5/kdc.log, as specified in /etc/krb5.conf.

-r.

Attachment: signature.asc
Description: Digital signature

________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Reply via email to