Your message dated Mon, 01 Sep 2008 07:58:20 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Re: Bug#497311: libpam-krb5: gnome-screensaver woes
has caused the Debian Bug report #497311,
regarding libpam-krb5: gnome-screensaver woes
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
497311: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=497311
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: libpam-krb5
Version: 3.11-2
Architecture: amd64

I'm unable to get libpam-krb5 to give me kerberos tickets when unlocking
the screen.

syslog contains:

Aug 31 21:16:45 xoog gnome-screensaver-dialog: (pam_krb5): tfheen: credential verification failed: Decrypt integrity check failed

gnome-screensaver's pam config is:

@include common-auth
auth optional pam_gnome_keyring.so

and common-auth contains:

auth    sufficient      pam_krb5.so forwardable ccache=/tmp/krb5cc_%u_XXXXXX
auth    required        pam_unix.so nullok_secure use_first_pass

Server is heimdal-kdc from etch/amd64:

ii  heimdal-kdc      0.7.2.dfsg.1-10 KDC for Heimdal Kerberos

Please tell me if there's more information I can provide that'll help
solve this problem.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are



--- End Message ---
--- Begin Message ---
]] Russ Allbery 

| Tollef Fog Heen <[EMAIL PROTECTED]> writes:
| 
| > I'm unable to get libpam-krb5 to give me kerberos tickets when unlocking
| > the screen.
| >
| > syslog contains:
| >
| > Aug 31 21:16:45 xoog gnome-screensaver-dialog: (pam_krb5): tfheen: credential verification failed: Decrypt integrity check failed
| 
| That error message means that when pam_krb5 attempted to verify the
| Kerberos authentication by checking a service ticket obtained with the TGT
| against your local keytab file, it was able to read the keytab file but
| checking the service ticket failed.
| 
| Things to check:
| 
| * Does /etc/krb5.keytab (or whatever KRB5_KTNAME is set to in the
|   environment) have a reasonable principal and key in it?  Generally, it
|   should be host/<system>.

Yes.

| * Is that the current key?  The most common cause of this problem is an
|   outdated keytab for a principal whose key has since changed.

Ah, this was the problem.  Re-exporting the key from the kdc fixed the
problem.  Thanks for the help!

(Closing the bug myself.)

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are


--- End Message ---
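
The check that resolved this report (is the key in the keytab still the current one?) can be scripted by comparing key version numbers. This is an added example, not part of the thread or of libpam-krb5. It assumes the MIT krb5 client tools (`klist -k`, `kvno`) and their output format; the function names, the example.org realm and the sample text are constructed.

```shell
#!/bin/sh
# Compare the key version (KVNO) held in a keytab with the one the KDC
# currently issues for the same principal. A lower KVNO in the keytab is
# the usual signature of the outdated keytab described in the thread.

# Highest KVNO the keytab holds for principal $1; `klist -k` text on stdin.
keytab_kvno() {
    awk -v p="$1" 'BEGIN { max = -1 }
        $2 == p && $1 ~ /^[0-9]+$/ && $1 + 0 > max { max = $1 + 0 }
        END { if (max < 0) exit 1; print max }'
}

# KVNO reported by the KDC; `kvno <principal>` text on stdin.
kdc_kvno() {
    sed -n 's/^.*: kvno = \([0-9][0-9]*\)$/\1/p' | head -n 1
}

# $1 principal, $2 `klist -k` text, $3 `kvno` text.
# Returns 0 if current, 1 if stale, 2 if it cannot tell.
compare_kvno() {
    kt=$(printf '%s\n' "$2" | keytab_kvno "$1") ||
        { echo "MISSING: $1 is not in the keytab"; return 2; }
    kdc=$(printf '%s\n' "$3" | kdc_kvno)
    [ -n "$kdc" ] || { echo "UNKNOWN: no KVNO obtained from the KDC"; return 2; }
    if [ "$kt" -eq "$kdc" ]; then
        echo "OK: keytab and KDC agree on kvno $kt"
        return 0
    fi
    echo "STALE: keytab has kvno $kt, KDC issues kvno $kdc; re-export the key"
    return 1
}

# Constructed sample output (not taken from the bug report).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   2 host/xoog.example.org@EXAMPLE.ORG
   3 host/xoog.example.org@EXAMPLE.ORG'
SAMPLE_KVNO='host/xoog.example.org@EXAMPLE.ORG: kvno = 4'

# Live use: sh check.sh --live host/<fqdn>@<REALM>
# Needs a valid TGT and read access to the keytab (normally root).
if [ "${1:-}" = "--live" ]; then
    compare_kvno "$2" "$(klist -k "${KRB5_KTNAME:-/etc/krb5.keytab}")" "$(kvno "$2")"
fi
```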
