We ended up deleting the host account in AD and re-creating it, and that solved the issue. My guess is somehow the account got corrupted, as we had generated the key many times with no resolution.

-Tyson

"Douglas E. Engert" wrote:

> [EMAIL PROTECTED] wrote:
>
> > I'm still getting the error "krb5_verify_init_creds failed: Decrypt
> > integrity check failed". What does this mean? Does this mean the
> > encryption type is bad? We had this working at one point and
> > regenerated our host key and now we are getting this strange error.
>
> It's from KRB5KRB_AP_ERR_BAD_INTEGRITY and generated in a couple
> of places. After a decrypt operation the message checksum is computed
> and compared to the checksum in the message. If they don't agree it
> usually means the key used to encrypt does not match the key used to
> decrypt. (It could also be the message was modified, or a programming
> error with the way the checksum is generated or the key derived.)
>
> So if you regenerated your host's keys, it is most likely
> they did not get updated correctly. If you have the output file
> from the ktpass, you can dump it in hex as well as dump
> the krb5.keytab and see if the same keys are in both.
>
> > thanks,
> >
> > Tyson
> >
> > "Douglas E. Engert" wrote:
> >
> > > Tyson Oswald wrote:
> > >
> > > > That seems to fix the issue of locking the account but it still
> > > > dumps that message in the log. I will try and use use_first_pass
> > > > and see if that makes a difference. Adding the pam_getauth_ok
> > > > seemed to fix the lockout problem. It's slow going since
> > > > everything has to be approved before we can make changes to our
> > > > AD since we are part of a huge forest.
> > >
> > > You say it works with login but not sshd? That would indicate that
> > > the Solaris Kerberos libs and pam_krb5 can handle the tickets, and
> > > the decrypt message indicates that the password could not be turned
> > > into a key as expected.
> > >
> > > You could also write a simple PAM debug exit of your own, and have
> > > it log the user and password as seen by PAM. Then include this
> > > before and after the pam_krb5. It could be the Solaris sshd is not
> > > passing the password correctly to PAM.
> > >
> > > Ethereal might also help to see what packets are being sent.
> > >
> > > > thanks for the help.
> > > >
> > > > Tyson
> > > >
> > > > On Jan 4, 2005, at 02:16 PM, Douglas E. Engert wrote:
> > > >
> > > > > Tyson Oswald wrote:
> > > > >
> > > > > > Greetings All,
> > > > > >
> > > > > > I have been making good progress in getting Kerberos to work
> > > > > > on Solaris 9 and Windows AD. I have it working very well from
> > > > > > the console. Problems arise when I use SSH. I have my pam.conf
> > > > > > configured as follows for SSH, which is identical to login:
> > > > > >
> > > > > >     sshd auth sufficient pam_unix_auth.so.1
> > > > > >     sshd auth required   pam_krb5.so.1 try_first_pass debug
> > > > > >
> > > > > > When I connect to SSH it does an initial call to the DC before
> > > > > > I even enter my password, like so:
> > > > >
> > > > > So do you also have the sshd auth requisite pam_authtok_get.so.1
> > > > > before these? It should prompt for the initial password. It
> > > > > might be that the try_first_pass is trying the null string
> > > > > passed by sshd to pam, thus the first decrypt failure message.
> > > > >
> > > > > We are using something like this, but not using the Solaris
> > > > > pam_krb5:
> > > > >
> > > > >     # sshd - keyboard interactive uses all PAM exits, but
> > > > >     # privsep gets in the way. So use force.
> > > > >     # PAM session is called when GSSAPI delegation or
> > > > >     # Kerberos password used, so get AFS token in all
> > > > >     # three cases.
> > > > >     # We want a session type cache, so with ANL PAM
> > > > >     # pass in ccache=
> > > > >     # We need ccache= on HP as it does not have pam_putenv
> > > > >     # RedHat PAM uses session cache already
> > > > >     #
> > > > >     sshd auth requisite  pam_authtok_get.so.1
> > > > >     sshd auth required   pam_dhkeys.so.1
> > > > >     sshd auth sufficient /krb5/lib/pam_krb5.so.1 use_first_pass forwardable force_creds cache=/tmp/krb5cc_u%u_p%p
> > > > >     sshd auth required   pam_unix_auth.so.1
> > > > >     #
> > > > >     sshd session required pam_unix_session.so.1
> > > > >     sshd session required /krb5/lib/pam_afs2.so.1
> > > > >     #
> > > > >
> > > > > If you are interested, we have MIT Krb5 1.3.5 with OpenSSH-3.9p1
> > > > > working with the Solaris 9 dtlogin, dtsession, xlock,
> > > > > xscreensaver. The KDC is Windows 2003 AD.
> > > > >
> > > > > > Jan 4 10:03:48 snoopy sshd[19516]: [ID 655841 local6.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=1
> > > > > > Jan 4 10:03:48 snoopy sshd[19516]: [ID 549540 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='cbrown'
> > > > > > Jan 4 10:03:48 snoopy sshd[19516]: [ID 179272 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed
> > > > > > Jan 4 10:03:48 snoopy sshd[19516]: [ID 399723 local6.debug] PAM-KRB5 (auth): clearing initcreds in pam_authenticate()
> > > > > > Jan 4 10:03:48 snoopy sshd[19516]: [ID 833335 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 9
> > > > > > Jan 4 10:03:48 snoopy sshd[19516]: [ID 954327 local6.debug] PAM-KRB5 (auth): prompting for password
> > > > > > Jan 4 10:03:48 snoopy sshd[19516]: [ID 549540 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='cbrown'
> > > > > > Jan 4 10:03:48 snoopy sshd[19516]: [ID 179272 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed
> > > > > > Jan 4 10:03:48 snoopy sshd[19516]: [ID 399723 local6.debug] PAM-KRB5 (auth): clearing initcreds in pam_authenticate()
> > > > > > Jan 4 10:03:48 snoopy sshd[19516]: [ID 833335 local6.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 9
> > > > > > Jan 4 10:03:48 snoopy sshd[19516]: [ID 914654 local6.debug] PAM-KRB5 (auth): pam_sm_auth finalize ccname env, result =9, env ='KRB5CCNAME=FILE:/tmp/krb5cc_106', age = 0, status = 9
> > > > > > Jan 4 10:03:48 snoopy sshd[19516]: [ID 525286 local6.debug] PAM-KRB5 (auth): end: Authentication failed
> > > > > >
> > > > > > The problem here is it will eventually lock out our domain
> > > > > > account. I am pretty sure this is not a Kerberos issue but was
> > > > > > wondering if anyone else ran into this issue. I am using
> > > > > > Solaris 9 and the SSH that came with it, so Sun_SSH_1.0.1.
> > > > > >
> > > > > > thanks much,
> > > > > > Tyson Oswald
>
> --
>
> Douglas E. Engert <[EMAIL PROTECTED]>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
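Douglas's diagnostic above is to dump the ktpass output file and the host's krb5.keytab and check that the same keys are in both. The following is an added example, not code from the thread; it assumes both files use the MIT keytab file format (version header 0x0502), and the principal, realm and key bytes in the test data are constructed, not taken from the thread.

```python
import hashlib, struct
# Added example, not from the thread: parse MIT-format keytabs (header 0x0502) and
# compare the key held per principal/kvno/enctype, exposing only a SHA-256 fingerprint.

def _counted(buf, off):  # uint16 length-prefixed octet string -> (bytes, next_off)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype, key_fingerprint)] for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        size, off = struct.unpack_from(">i", data, off)[0], off + 4
        if size < 0:                       # negative size marks a deleted slot
            off -= size; continue
        end = off + size
        ncomp, off = struct.unpack_from(">H", data, off)[0], off + 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        off += 8                           # skip name_type and timestamp
        vno8, enctype = data[off], struct.unpack_from(">H", data, off + 1)[0]
        key, off = _counted(data, off + 3)
        vno32 = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0
        princ = "/".join(comps) + "@" + realm.decode()
        entries.append((princ, vno32 or vno8, enctype, hashlib.sha256(key).hexdigest()[:16]))
        off = end
    return entries

def build_keytab(entries):  # constructed test data only: (principal, kvno, enctype, key)
    out = bytearray(b"\x05\x02")
    for princ, kvno, enctype, key in entries:
        name, realm = princ.split("@")
        body = struct.pack(">HH", name.count("/") + 1, len(realm)) + realm.encode()
        for c in name.split("/"):
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
        out += struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)
    return bytes(out)

def compare_keytabs(a, b):
    """Per (principal, kvno, enctype): 'match', 'mismatch', 'only-in-a' or 'only-in-b'."""
    ka = {e[:3]: e[3] for e in parse_keytab(a)}
    kb = {e[:3]: e[3] for e in parse_keytab(b)}
    return {k: "only-in-b" if k not in ka else "only-in-a" if k not in kb
            else "match" if ka[k] == kb[k] else "mismatch" for k in ka.keys() | kb.keys()}
```

Read the two files with open(path, "rb") and pass the bytes to compare_keytabs; a "mismatch" for the host principal at the current kvno is exactly the key disagreement that produces the bad-integrity error.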
