Hi List

I'm trying to configure a (Ubuntu/Debian) Linux server as a kerberos client 
with our current kerberos infrastructure. I would like users to authenticate 
ssh logins to the system using kerberos, and so I'm using the pam_krb5 pam 
module. However, Krb5 authentication fails with the following significant error 
when I attempt ssh to the server:

"krb5_get_init_creds_password: Decrypt integrity check failed"

I've carefully confirmed the host principal on my KDC and kerberos master, and 
triple-checked the krb5.conf and krb5.keytab, and connectivity between the 
client and the KDC, as well as ntp time synchronisation between all the systems 
involved. My question is: Is there some way I can debug this to a deeper 
level in order to pinpoint exactly why "Decrypt integrity check failed" ... 
I've tried sniffing packets during the communications between the client and 
the master kdc, unfortunately, the contents are largely encrypted, so I can't 
find any further data. Also, I've searched for more detailed debugging options 
for pam_krb5, but it doesn't look like any exist ... the krb5kdc.log doesn't 
seem to offer more detailed information either ...

The full pam_krb5 debug trace is as follows:

---
Apr 11 11:54:32 linux-server01 sshd[16073]: pam_krb5(sshd:setcred): pam_sm_setcred: entry (0x4)
Apr 11 11:54:32 linux-server01 sshd[16073]: pam_krb5(sshd:setcred): pam_sm_setcred: exit (success)
Apr 11 11:54:41 linux-server01 sshd[16160]: pam_krb5(sshd:auth): pam_sm_authenticate: entry (0x1)
Apr 11 11:54:41 linux-server01 sshd[16160]: pam_krb5(sshd:auth): (user bobjones) attempting authentication as [email protected]
Apr 11 11:54:41 linux-server01 sshd[16160]: pam_krb5(sshd:auth): (user bobjones) krb5_get_init_creds_password: Decrypt integrity check failed
Apr 11 11:54:41 linux-server01 sshd[16160]: pam_krb5(sshd:auth): authentication failure; logname=bobjones uid=0 euid=0 tty=ssh ruser= rhost=marvel.ops.evasive.org.za
Apr 11 11:54:41 linux-server01 sshd[16160]: pam_krb5(sshd:auth): pam_sm_authenticate: exit (failure)
---

Many thanks in advance,
Traiano Welcome
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos