Thanks a lot for your reply! Somehow I missed that error. I removed my keytab and created a new one using your guide. But there seems to be something wrong with the keytab.
> ktutil
ktutil: addent -password -p host/sa-1.base.kplatsen.local -k 1 -e des-cbc-md5
Password for host/[email protected]:
(Entering the password stored in the LDAP, for this entry)
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 host/[email protected]
ktutil: wkt
wkt: must specify keytab to write
ktutil: wkt /etc/krb5.keytab
ktutil: quit
> klist -5ke /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/[email protected] (DES cbc mode with RSA-MD5)
> kinit -k -t /etc/krb5.keytab host/[email protected]
kinit: Password incorrect while getting initial credentials

/Andreas

----- Original message -----
From: "Stefan Seelmann" <[email protected]>
To: [email protected]
Sent: Wednesday, 3 Feb 2010 20:43:13 GMT +01:00 Amsterdam/Berlin/Bern/Rome/Stockholm/Vienna
Subject: Re: Kerberized SSH keeps asking for password

Hi Andreas,

oh, huge log ;-)

Andreas Backman wrote:
> [08:59:49] DEBUG
> [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService]
> - Responding with Authentication Service (AS) reply:
> messageType: AS_REP
> protocolVersionNumber: 5
> nonce: 790659966
> clientPrincipal: [email protected]
> client realm: KPLATSEN.LOCAL
> serverPrincipal: krbtgt/[email protected]
> server realm: KPLATSEN.LOCAL
> auth time: 20100203075949Z
> start time: null
> end time: 20100204075942Z
> renew-till time: null
> hostAddresses: null

here you got the TGT...

> [09:00:26] DEBUG
> [org.apache.directory.server.kerberos.kdc.ticketgrant.TicketGrantingService]
> - Responding with Ticket-Granting Service (TGS) reply:
> messageType: TGS_REP
> protocolVersionNumber: 5
> nonce: 1265184026
> clientPrincipal: [email protected]
> client realm: KPLATSEN.LOCAL
> serverPrincipal: host/[email protected]

here you got the service ticket...

> [09:00:46] WARN
> [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
> Integrity check on decrypted field failed (31)
> org.apache.directory.server.kerberos.shared.exceptions.KerberosException:
> Integrity check on decrypted field failed
...
> [09:00:46] DEBUG
> [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
> Responding to request with error:
> explanatory text: Integrity check on decrypted field failed
> error code: 31
> clientPrincipal: null
> client time: null
> serverPrincipal: krbtgt/[email protected]
> server time: 20100203080046Z

I guess there is a problem with your keys. Could you please verify that
your sshd keytab is ok? You could also try to run sshd in debug mode.

BTW: I was able to get a kerberized SSHD running (on localhost) and
updated the guide [1].

Kind Regards,
Stefan

[1] http://cwiki.apache.org/DIRxINTEROP/kerberos-authentication-to-sshd.html

--
Kind regards
Andreas Backman
031-352 33 03
0709-26 33 82
www.kontorsplatsen.se
