Thanks for still bearing with me!

On Tue, Dec 07, 2010 at 10:14:08AM -0500, Sam Hartman wrote:
> Can you try turning off delegated credentials? GSSAPIDelegateCreds no
> in your client config? This is a shot in the dark, but I don't think
> I've ever seen a problem with the authenticator path once the ticket is
> decrypted. There is a first for everything, but the delegation path is
> more fragile.

I did not notice any difference with
ssh -vv -o GSSAPIDelegateCredentials=no someserver.

However, I invested some time debugging Kerberos with printf. The
KRB5_TRACE output originates from rd_req_decoded_opt
(src/lib/krb5/krb/rd_req_dec.c). So I added some printfs and found out
that the krb5int_authdata_verify call fails. The function can be found
in src/lib/krb5/krb/authdata.c. The function contains the following
code:

    if (code == 0 && module->ftable->verify != NULL) {
        code = (*module->ftable->verify)(kcontext,
                                         context,
                                         module->plugin_context,
                                         *(module->request_context_pp),
                                         auth_context,
                                         key,
                                         ap_req);
    }

I found out that the branch is taken and code gets 2. What does 2 mean?
Any clue how I could go on from here?

On #kerberos Renegade suggested that allow_weak_crypto=true could help.
It did not have a noticeable effect though.

Helmut