Hmm, yes, diagnostics would be helpful wouldn't they.  :P
OK, so things have progressed slightly.
First mistake was finding EXAMPLE.COM in one of my addprincs, and
following your advice, and someone else noting that quite possibly two
different encryption types were in use here, I've deleted the two
principals on each realm and run the following on each;

kadmin.local:  addprinc -e aes256-cts-hmac-sha1-96:normal krbtgt/[EMAIL PROTECTED]
kadmin.local:  addprinc -e aes256-cts-hmac-sha1-96:normal krbtgt/[EMAIL PROTECTED]

I also checked clock skew, just in case that was a problem, but openntpd
is doing its job very well (< 3 seconds difference).

Now I get a string of errors like this;
Nov 22 14:57:55 becks krb5kdc[5216](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.37.80.11: PROCESS_TGS: authtime 0,  <unknown client> for host/[EMAIL PROTECTED], Key table entry not found
Nov 22 14:57:56 becks krb5kdc[5216](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.37.80.11: PROCESS_TGS: authtime 0,  <unknown client> for host/[EMAIL PROTECTED], Key table entry not found

(atlas being the host I am trying to log in to - Yes, I know that atlas
as the host name is very silly, but it does work for the moment due to
careful DNS wizardry, and an external properly defined host shows
exactly the same errors. I will start using proper FQDNs as part of this
process)

As an added wrinkle, trying to log in to the kdc via kadmin gives me the
following errors and kdc log entries;

[EMAIL PROTECTED] ~ $ kadmin -s becks -p edward/[EMAIL PROTECTED]
Authenticating as principal edward/[EMAIL PROTECTED] with password.
Password for edward/[EMAIL PROTECTED]:
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface

Nov 22 15:02:50 becks krb5kdc[5216](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.37.80.11: SERVER_NOT_FOUND: edward/[EMAIL PROTECTED] for kadmin/[EMAIL PROTECTED], Server not found in Kerberos database
Nov 22 15:02:50 becks krb5kdc[5216](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.37.80.11: NEEDED_PREAUTH: edward/[EMAIL PROTECTED] for kadmin/[EMAIL PROTECTED], Additional pre-authentication required
Nov 22 15:02:51 becks krb5kdc[5216](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.37.80.11: ISSUE: authtime 1164160971, etypes {rep=16 tkt=16 ses=16}, edward/[EMAIL PROTECTED] for kadmin/[EMAIL PROTECTED]

I can actually kinit with both my [EMAIL PROTECTED] and
edward/[EMAIL PROTECTED] principals though - so now I'm just plain
confused.

Can anyone help?

Cheers
Edward

Ken Hornstein wrote:
>> addprinc -requires_preauth krbtgt/[EMAIL PROTECTED]
>> addprinc -requires_preauth krbtgt/[EMAIL PROTECTED]
>>
>>
>> And er... it doesn't work. Did I miss something?
>>     
>
> Well, there are a few things you are missing.  Like, for one ... you
> say it doesn't work.  Well, what happens?  Do you have an error message?
> Any diagnostics at all?
>
> First off ... are you really sure about the -requires_preauth flag?  I
> am 95% sure you don't want it.  (I know that documentation you list shows
> that; I am frankly rather surprised that it does, as I can think of only
> a few reasons why you would want that, and a whole bunch why you wouldn't).
> I doubt that's the real problem, though.
>
> --Ken
> ________________________________________________
> Kerberos mailing list           [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>   

________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
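An added example, not part of the thread: a small Python parser for krb5kdc log lines in the format quoted above, which tallies the failing requests by server principal and reports which client IPs never offer a given etype (18 is aes256-cts-hmac-sha1-96, the type the krbtgt keys were re-created with). The realm, host names and principals in the sample lines are constructed placeholders, not the poster's values.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the krb5kdc entries quoted in the post.
# Realm, host names and principals are placeholders, not the poster's values.
SAMPLE_LOG = """\
Nov 22 14:57:55 kdc1 krb5kdc[5216](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.37.80.11: PROCESS_TGS: authtime 0,  <unknown client> for host/atlas@KDC.TEST, Key table entry not found
Nov 22 14:57:56 kdc1 krb5kdc[5216](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.37.80.11: PROCESS_TGS: authtime 0,  <unknown client> for host/atlas@KDC.TEST, Key table entry not found
Nov 22 15:02:50 kdc1 krb5kdc[5216](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.37.80.11: SERVER_NOT_FOUND: alice/admin@KDC.TEST for kadmin/kdc1@KDC.TEST, Server not found in Kerberos database
Nov 22 15:02:50 kdc1 krb5kdc[5216](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.37.80.11: NEEDED_PREAUTH: alice/admin@KDC.TEST for kadmin/kdc1@KDC.TEST, Additional pre-authentication required
Nov 22 15:02:51 kdc1 krb5kdc[5216](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.37.80.11: ISSUE: authtime 1164160971, etypes {rep=16 tkt=16 ses=16}, alice/admin@KDC.TEST for kadmin/kdc1@KDC.TEST
"""

AES256_ETYPE = 18  # aes256-cts-hmac-sha1-96, the etype the krbtgt keys were created with

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[\d ]+)\}\) (?P<ip>[\d.]+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)
PRINC_RE = re.compile(r"(<unknown client>|\S+) for (\S+?)(?:,\s*(.*))?$")

# NEEDED_PREAUTH is the normal first round trip of a pre-authenticated AS exchange
# and ISSUE is a successful ticket issue; neither is a failure by itself.
BENIGN = {"NEEDED_PREAUTH", "ISSUE"}


def parse_kdc_line(line):
    """Split one krb5kdc log line into its fields; return None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["etypes"] = [int(e) for e in entry["etypes"].split()]
    p = PRINC_RE.search(entry.pop("rest"))
    entry["client"], entry["server"], entry["message"] = p.groups() if p else (None, None, None)
    return entry


def failures(log_text):
    """Count (request type, status, server principal, message) over failed requests."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_kdc_line(line)
        if e and e["status"] not in BENIGN:
            counts[(e["req"], e["status"], e["server"], e["message"])] += 1
    return counts


def clients_missing_etype(log_text, etype=AES256_ETYPE):
    """Client IPs whose requests do not offer the given etype (a key-type mismatch candidate)."""
    entries = map(parse_kdc_line, log_text.splitlines())
    return {e["ip"] for e in entries if e and etype not in e["etypes"]}
```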
