I have a snoop file for a case where pam_krb5 fails with a KRB5_KDCREP_MODIFIED error. Anyone willing to take a look at it to see if the problem is on the Sun or the Heimdal side?
Looking at where that error gets generated in the MIT code (not OpenSolaris, yeah, I know), the routine verify_as_reply() looks likely, but it's clearly not the whole story. The only field that looks mismatched (that verify_as_reply() checks) is the end time: the request is to 2037, and the reply is 24h ahead. I don't see any other mismatched fields between the request and reply. I could be blind though. ;-)

Oh, yes, a last nit: ticket_lifetime isn't documented in the krb5.conf man page. That's an MIT problem as well, and I submitted it to them.

------------------------------------------------------------------------
The opinions expressed in this message are mine, not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu