You can perform a network trace from AD with netmon.exe to see whether or not you are using TCP. You should be otherwise you would not get a response. If you are getting ASN.1 ending unexpectedly it sounds like a buffer is being truncated somewhere.
Jeffrey Altman Sam Evans wrote: > All: > > I seem to have run into a road block getting my Linux machines to > authenticate against AD when coming in through OpenSSH. > > First, let me start off my listing what my environmnet is: > > Test Client: > * RHEL Linux > * MIT Kerboros v1.4 > * OpenSSH v3.9p1 - Compiled using the following line: > ../configure --with-tcp-wrappers --with-pam > --with-kerberos5=/usr/kerberos --with-md5-passwords --prefix=/usr > --sysconfdir=/etc/ssh > > Active Directory: > * Windows 2003 > > Scenario 1: > > If I use my local account and password, I can get into the machine OK. I > know that OpenSSH is functioning properly. At this point, if I do a > 'kinit' I can successfully authenticate myself against AD and obtain my > Keberos5 ticket. > > Scenario 2: > > If I change my account information to require that authentication take > place using Kerberos, then I get the following error from the ssh daemon: > > debug1: Kerberos password authentication failed: ASN.1 encoding ended > unexpectedly > > -- What I have been able to determine at this point is that if I remove > my userid from the multitude of groups that it belongs to in AD, then I > *can* successfully authenticate myself when I come in through OpenSSH, > using Kerberos. > > -- If I place myself back into the same groups, I cannot authenticate > myself and get the above error. > > In doing some reading, it appears as if I need to force TCP usage in the > MIT Kerberos, which I have done. Everything still works when I do > 'kinit' but nothing has changed in regards to OpenSSH authentication > ability. > > Anyone have any thoughts or suggestions? > > Thanks, > Sam > P -- ----------------- This e-mail account is not read on a regular basis. Please send private responses to jaltman at mit dot edu ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
