So, I have been able to solve the pre auth problem but, a new one came up...!
I log in as kerberos-test in the machine, I get the ticket correctly and I am able to query the ldap database with ldapsearch. However, when I log in as kerberos-test2 and perform the same query, I get this error:

krb5kdc[3560](info): preauth (timestamp) verify failure: Decrypt integrity check failed

So the thing is: with "kerberos-test" user I have a correct pre-authentication, but with "kerberos-test2" (or any other user btw) no.

What is causing this difference?

Best regards,
Tiago

On Thu, Feb 23, 2012 at 10:34 AM, Tiago Elvas <[email protected]> wrote:

> I have followed that tutorial to setup my machine without success, that's
> when I wrote to this list initially.
>
> As for the "Decrypt integrity check failed", I can do a kinit and
> successfully receive a ticket. Eventually, what's failing could be that the
> password is being encrypted in the client machine and then not successfully
> decrypted on the server side, I don't really know..
>
> As for the password itself I am sure it is being typed correctly :)
>
> I still don't understand what is this pre-authentication, how it is
> performed and how/when it is being used or checked. Could you clarify this?
>
> Thanks once again,
>
> Tiago
>
> On Wed, Feb 22, 2012 at 8:44 PM, Mantas M. <[email protected]> wrote:
>
>> On Wed, Feb 22, 2012 at 08:41:15PM +0100, Tiago Elvas wrote:
>> > Thanks for the tip.
>> >
>> > I now have the following error:
>> >
>> > Feb 22 20:39:37 ldapserver krb5kdc[10211](info): AS_REQ (5 etypes {3 1 23 16 17}) 172.23.14.210: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
>> > Feb 22 20:39:37 ldapserver krb5kdc[10211](info): preauth (timestamp) verify failure: Decrypt integrity check failed
>> > Feb 22 20:39:37 ldapserver krb5kdc[10211](info): AS_REQ (5 etypes {3 1 23 16 17}) 172.23.14.210: PREAUTH_FAILED: [email protected] for krbtgt/[email protected], Decrypt integrity check failed
>> >
>> > Any clue on what's failing?
>>
>> "Decrypt integrity check failed" almost always means "the password given
>> to `kinit` was incorrect".
>>
>> > Another question, how should I configure openDS access control to accept
>> > GSSAPI with kerberos tickets?
>>
>> I believe this is already documented at
>> <https://www.opends.org/wiki/page/GSSAPIConfiguration>.
>>
>> --
>> Mantas M.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
