Update: Sumit, you were right - my problem was related to user password. To be more precise, it wasn't wrong password, but probably some password's properties/policy. After resetting password via IPA console this user is able to login. I don't understand why. But I'm really want to understand what caused to this problem and what is explanation to this magic pam_ldap vs pam_lap+pam_krb5 difference.
On Wed, Jun 26, 2013 at 1:00 PM, Vitaly <[email protected]> wrote: > Well, probably I missed something... > I see very weird thing: when my system-auth pam config *contains* pm_krb5 > module before pam_ldap, use can login. When there is just pam_ldap, user > cannot login. > In assumption that we're able to use LDAP authentication, but some wrong > with Kerberos, situation should be opposite, IMHO. > > Password is right. BTW, is there any way (increase debug level?) to get > more meaningful message? > > > > > On Wed, Jun 26, 2013 at 12:39 PM, Sumit Bose <[email protected]> wrote: > >> On Wed, Jun 26, 2013 at 12:28:57PM +0300, Vitaly wrote: >> > How I should debug & fix "Decrypt integrity check failed" problem? >> >> This typically means wrong password. >> >> HTH >> >> bye, >> Sumit >> > >> > TIA, >> > Vitaly >> > >> > >> > Jun 26 09:06:10 serv02.prod.example.com krb5kdc[7748](info): AS_REQ (12 >> > etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.99.21: >> NEEDED_PREAUTH: >> > [email protected] for krbtgt/[email protected], >> > Additional pre-authentication required >> > Jun 26 09:06:10 serv02.prod.example.com krb5kdc[7767](info): preauth >> > (timestamp) verify failure: Decrypt integrity check failed >> > Jun 26 09:06:10 serv02.prod.example.com krb5kdc[7767](info): AS_REQ (12 >> > etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.99.21: >> PREAUTH_FAILED: >> > [email protected] for krbtgt/[email protected], >> > Decrypt integrity check failed >> >> > _______________________________________________ >> > Freeipa-users mailing list >> > [email protected] >> > https://www.redhat.com/mailman/listinfo/freeipa-users >> >> _______________________________________________ >> Freeipa-users mailing list >> [email protected] >> https://www.redhat.com/mailman/listinfo/freeipa-users >> > >
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
