> Hey all,
>
> I'm trying to configure a Solaris 9 server to authenticate against a
> Win 2000 ADS server with mixed results and was looking for some
> insight.
>
> So here's the thing; once logged in, I can run kinit and acquire a
> ticket:
>
> # kinit
> Password for [EMAIL PROTECTED]:
> # klist
> Ticket cache: /tmp/krb5cc_7155
> Default principal: [EMAIL PROTECTED]
>
> Valid starting                Expires                   Service principal
> Thu Mar 30 16:14:41 2006      Fri Mar 31 02:14:41 2006  krbtgt/[EMAIL PROTECTED]
>         renew until Thu Apr 06 17:14:41 2006
>
> But I can not authenticate with PAM to save my life (with any remote
> client; telnet, ssh, etc).
>
> Sshd's PAM entry looks like:
>
> sshd auth requisite pam_authtok_get.so.1
> sshd auth required pam_dhkeys.so.1
> sshd auth required pam_krb5.so.1 use_first_pass debug
> sshd auth sufficient pam_unix_auth.so.1
>
> The errors I get in /var/adm/messages are:
>
> Mar 30 16:19:21 servername sshd[3245]: [ID 537602 auth.error]
> PAM-KRB5 (auth): krb5_verify_init_creds failed: Decrypt integrity check
> failed
When you authenticate by remotely-verified password instead of with a ticket, the server does an extra Kerberos exchange to prevent a KDC spoofing attack: it acquires a host ticket for the local host. So, the problem might be with your host key / keytab. I would snoop the Kerberos traffic to see what's going by.

--
Richard Silverman
[EMAIL PROTECTED]

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
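The following is an added example, not code from either message in this thread: a toy model of the exchange Richard describes, i.e. the krb5_verify_init_creds() step that PAM-KRB5 performs after a password login. It shows why the host key is involved at all (a spoofed KDC that picked the user's "password" cannot mint a ticket under the real host key) and why a keytab that no longer matches the KDC's copy of the host key produces exactly the "Decrypt integrity check failed" symptom from the original post. The realm EXAMPLE.COM, the principals alice and host/solaris9.example.com, all keys, and the HMAC-based "cipher" are constructed stand-ins; nothing here is real Kerberos wire format or cryptography, and the kvno/enctype dispatch a real keytab lookup performs is omitted.

```python
# Added example (not part of the mailing-list thread): a toy model of the
# krb5_verify_init_creds() step PAM-KRB5 runs after a password login.
# Realm, principals, keys and the "cipher" are constructed stand-ins.
import hashlib
import hmac
import os

class IntegrityError(Exception):
    """Stand-in for KRB5KRB_AP_ERR_BAD_INTEGRITY ("Decrypt integrity check failed")."""

def derive_key(password: str, salt: str) -> bytes:
    """String-to-key stand-in: password + principal-based salt -> 32-byte key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000, dklen=32)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, block = b"", nonce
    while len(out) < n:
        block = hashlib.sha256(key + block).digest()
        out += block
    return out[:n]

def seal(key: bytes, payload: bytes) -> bytes:
    """Toy encrypt-then-MAC: nonce || (payload XOR keystream) || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(payload, _keystream(key, nonce, len(payload))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag first: a wrong key surfaces as an integrity failure, as in krb5."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise IntegrityError("Decrypt integrity check failed")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

class KDC:
    """The genuine KDC: holds every principal's long-term key, the host's keytab key included."""

    def __init__(self, realm: str, principal_keys: dict):
        self.realm = realm
        self.keys = principal_keys          # principal -> long-term key
        self.tgs_key = os.urandom(32)       # krbtgt/REALM key, never leaves the KDC

    def as_req(self, client: str) -> dict:
        # AS-REP: TGT under the krbtgt key, session key under the client's password-derived key.
        session = os.urandom(32)
        return {"tgt": seal(self.tgs_key, session), "enc_part": seal(self.keys[client], session)}

    def tgs_req(self, tgt: bytes, service: str) -> bytes:
        # TGS-REP: open our own TGT, then issue a ticket sealed under the service's key.
        unseal(self.tgs_key, tgt)
        return seal(self.keys[service], os.urandom(32))

class SpoofedKDC(KDC):
    """Attacker-run KDC: it chose the victim's 'password' itself but holds no copy of the host key."""

    def __init__(self, realm: str, victim: str, chosen_password: str):
        super().__init__(realm, {victim: derive_key(chosen_password, realm + victim)})

    def tgs_req(self, tgt: bytes, service: str) -> bytes:
        unseal(self.tgs_key, tgt)
        return seal(os.urandom(32), os.urandom(32))   # can only guess the host key

def pam_krb5_auth(kdc: KDC, user: str, password: str, keytab: dict, host_princ: str,
                  verify_init_creds: bool = True) -> str:
    """Mirror the PAM-KRB5 auth flow; returns 'ok', 'bad password' or the verify error."""
    rep = kdc.as_req(user)
    try:
        unseal(derive_key(password, kdc.realm + user), rep["enc_part"])
    except IntegrityError:
        return "bad password"
    if not verify_init_creds:
        return "ok"          # unsafe shortcut: trusts whoever answered the AS-REQ
    # The anti-spoofing step: fetch a ticket for our own host principal and check
    # that it decrypts under the keytab key. Only the real KDC can mint such a ticket.
    ticket = kdc.tgs_req(rep["tgt"], host_princ)
    try:
        unseal(keytab[host_princ], ticket)
    except IntegrityError:
        return "krb5_verify_init_creds failed: Decrypt integrity check failed"
    return "ok"

def demo() -> dict:
    """Run the cases that matter for the thread; all names and keys are constructed."""
    realm, user, host = "EXAMPLE.COM", "alice", "host/solaris9.example.com"
    user_key, host_key = derive_key("correct horse", realm + user), os.urandom(32)
    real_kdc = KDC(realm, {user: user_key, host: host_key})
    good_keytab = {host: host_key}
    stale_keytab = {host: os.urandom(32)}   # e.g. exported before the host account's key changed
    fake_kdc = SpoofedKDC(realm, user, "attacker-chosen")
    return {
        "real_kdc_good_keytab": pam_krb5_auth(real_kdc, user, "correct horse", good_keytab, host),
        "real_kdc_wrong_password": pam_krb5_auth(real_kdc, user, "wrong", good_keytab, host),
        "real_kdc_stale_keytab": pam_krb5_auth(real_kdc, user, "correct horse", stale_keytab, host),
        "spoofed_kdc_no_verify": pam_krb5_auth(fake_kdc, user, "attacker-chosen", good_keytab, host,
                                               verify_init_creds=False),
        "spoofed_kdc_with_verify": pam_krb5_auth(fake_kdc, user, "attacker-chosen", good_keytab, host),
    }
```

Calling demo() gives "ok" only for the genuine KDC with a matching keytab and for the spoofed KDC when the verification step is skipped (the attack this step exists to stop); both the spoofed KDC with verification on and the genuine KDC with a stale keytab fail at the final unseal, which is the point of Richard's reply: the "Decrypt integrity check failed" in the original post is raised while checking the host ticket against the keytab, not while checking the user's password, so the thing to inspect is the host key, and snooping the traffic shows whether the KDC is issuing a host/... ticket at all.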
