Thanks for still bearing with me!

On Tue, Dec 07, 2010 at 10:14:08AM -0500, Sam Hartman wrote:
> Can you try turning off delegated credentials?  GSSAPIDelegateCreds no
> in your client config?  This is a shot in the dark, but I don't think
> I've ever seen a problem with the authenticator path once the ticket is
> decrypted.  There is a first for everything, but the delegation path is
> more fragile.

I did not notice any difference with ssh -vv -o
GSSAPIDelegateCredentials=no someserver.

However, I invested some time debugging Kerberos with printf. The
KRB5_TRACE output originates from rd_req_decoded_opt
(src/lib/krb5/krb/rd_req_dec.c). So I added some printfs and found out
that the krb5int_authdata_verify call fails. The function can be found
in src/lib/krb5/krb/authdata.c. The function contains the following
code:

        if (code == 0 && module->ftable->verify != NULL) {
            code = (*module->ftable->verify)(kcontext,
                                             context,
                                             module->plugin_context,
                                             *(module->request_context_pp),
                                             auth_context,
                                             key,
                                             ap_req);
        }

I found out that the branch is taken and code gets 2. What does 2 mean?
Any clue how I could go on from here?

On #kerberos Renegade suggested that allow_weak_crypto=true could help.
It did not have a noticeable effect though.

Helmut


