[19460] in Kerberos
Trouble with authentication.
daemon@ATHENA.MIT.EDU (Matthijs Mohlmann)
Sun Jun 22 04:44:11 2003
From: Matthijs Mohlmann <matthijs@active2.homelinux.org>
To: kerberos@mit.edu
Content-Type: text/plain
Message-Id: <1056271381.428.29.camel@Active2>
Mime-Version: 1.0
Date: 22 Jun 2003 10:43:01 +0200
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hello,
I am setting up a KerberosV server for the first time. I am using Debian
and I've downloaded the source from the unstable. Here are the commands
I used to set up my KerberosV server.
First create a database:
kdb5_util create -r ACTIVE2.HOMELINUX.ORG -s
echo "*/admin@ACTIVE2.HOMELINUX.ORG *" > /etc/krb5kdc/kadm5.acl
Then I create the principal root/admin@ACTIVE2.HOMELINUX.ORG with the
kadmin.local binary.
Then I create the keytab for the kadmind service.
ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw
Then I start the servers, and all works perfectly.
Then I add all my hosts to the Kerberos server:
addprinc -randkey host/tux.active2.homelinux.org
I have 5 hosts for learning KerberosV.
Then I made a policy for my users:
addpol -maxlife "1 year" -minlife "6 months" -minlength 4 -minclasses 1 -history 3 insecure
And then adding a user:
addprinc -policy insecure +requires_preauth +allow_forwardable matthijs@ACTIVE2.HOMELINUX.ORG
And if I get a client and I do so:
$ kinit
Password for matthijs@ACTIVE2.HOMELINUX.ORG:
$
All is okay, but after a couple of hours (mostly 3 to 4 hours):
$ kinit
Password for matthijs@ACTIVE2.HOMELINUX.ORG:
kinit(v5): Password incorrect while getting initial credentials
$
Hmm... password incorrect.
I'm using that password for several accounts and now that password is
incorrect... a little confused.
The log on the server:
Jun 22 10:33:04 Server krb5kdc[202](info): AS_REQ (3 etypes {3 16 1})
192.168.0.2: NEEDED_PREAUTH: matthijs@ACTIVE2.HOMELINUX.ORG for
krbtgt/ACTIVE2.HOMELINUX.ORG@ACTIVE2.HOMELINUX.ORG, Additional
pre-authentication required
Jun 22 10:33:07 Server krb5kdc[202](info): preauth (timestamp) verify
failure: Decrypt integrity check failed
Jun 22 10:33:07 Server krb5kdc[202](info): AS_REQ (3 etypes {3 16 1})
192.168.0.2: PREAUTH_FAILED: matthijs@ACTIVE2.HOMELINUX.ORG for
krbtgt/ACTIVE2.HOMELINUX.ORG@ACTIVE2.HOMELINUX.ORG, Decrypt integrity
check failed
Jun 22 10:33:07 Server krb5kdc[202](info): AS_REQ (3 etypes {3 16 1})
192.168.0.2: NEEDED_PREAUTH: matthijs@ACTIVE2.HOMELINUX.ORG for
krbtgt/ACTIVE2.HOMELINUX.ORG@ACTIVE2.HOMELINUX.ORG, Additional
pre-authentication required
Jun 22 10:33:07 Server krb5kdc[202](info): preauth (timestamp) verify
failure: Decrypt integrity check failed
Jun 22 10:33:07 Server krb5kdc[202](info): AS_REQ (3 etypes {3 16 1})
192.168.0.2: PREAUTH_FAILED: matthijs@ACTIVE2.HOMELINUX.ORG for
krbtgt/ACTIVE2.HOMELINUX.ORG@ACTIVE2.HOMELINUX.ORG, Decrypt integrity
check failed
Here I see my timestamp is not okay. But I have run:
ntpdate fistix.xs4all.nl
on all my machines.
This is almost the newest version on my server. On my clients I have the
same version.
Now I'm using the version: 1.2.99-1.3.beta3-4 (Debian version)
My server goes off every evening and comes up every morning because of
the energy bill. My router is running every day and is running OpenBSD
3.3, which has the Heimdal implementation of KerberosV.
Maybe I am doing something wrong.
I'm now a little confused.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
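Added example, not part of the original post: a small Python parser for krb5kdc AS_REQ log records like those quoted above. It rejoins records that mail wrapping split across lines and tallies outcomes per client address and principal. The function names, the regular expressions, and the "alice" record from 192.168.0.3 are assumptions constructed for illustration; the other sample lines are taken from the post.

```python
import re
from collections import Counter, defaultdict

# Log lines wrapped the way they appear in the post; the "alice" record is constructed.
SAMPLE = """\
Jun 22 10:33:04 Server krb5kdc[202](info): AS_REQ (3 etypes {3 16 1})
192.168.0.2: NEEDED_PREAUTH: matthijs@ACTIVE2.HOMELINUX.ORG for
krbtgt/ACTIVE2.HOMELINUX.ORG@ACTIVE2.HOMELINUX.ORG, Additional
pre-authentication required
Jun 22 10:33:07 Server krb5kdc[202](info): preauth (timestamp) verify
failure: Decrypt integrity check failed
Jun 22 10:33:07 Server krb5kdc[202](info): AS_REQ (3 etypes {3 16 1})
192.168.0.2: PREAUTH_FAILED: matthijs@ACTIVE2.HOMELINUX.ORG for
krbtgt/ACTIVE2.HOMELINUX.ORG@ACTIVE2.HOMELINUX.ORG, Decrypt integrity
check failed
Jun 22 10:35:00 Server krb5kdc[202](info): AS_REQ (3 etypes {3 16 1})
192.168.0.3: NEEDED_PREAUTH: alice@ACTIVE2.HOMELINUX.ORG for
krbtgt/ACTIVE2.HOMELINUX.ORG@ACTIVE2.HOMELINUX.ORG, Additional
pre-authentication required
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")
AS_REQ = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(.*?\) (?P<ip>[\d.]+): "
    r"(?P<status>[A-Z_]+): (?P<client>\S+) for (?P<service>\S+), (?P<reason>.*)$"
)

def unwrap(text):
    """Rejoin wrapped records: a line without a syslog timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    """Count AS_REQ outcomes per (client IP, principal) and collect failure reasons."""
    stats = defaultdict(lambda: {"status": Counter(), "reasons": set()})
    for rec in unwrap(text):
        m = AS_REQ.search(rec)
        if not m:
            continue  # e.g. the separate "preauth (timestamp) verify failure" record
        entry = stats[(m["ip"], m["client"])]
        entry["status"][m["status"]] += 1
        if m["status"] != "NEEDED_PREAUTH":  # NEEDED_PREAUTH is the normal first round trip
            entry["reasons"].add(m["reason"])
    return dict(stats)
```

Calling `summarize(SAMPLE)` separates principals that only show the routine NEEDED_PREAUTH round trip from those that also record PREAUTH_FAILED, with the KDC's stated reason attached.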