From: [EMAIL PROTECTED]
> the KDC is the only machine on the network that is running
> current (snap
> upgraded last night), the rest are on 3.9 release. here are
> the debugging outputs:
> debug1: Next authentication method: gssapi-with-mic
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Delegating credentials
> debug1: Delegating credentials
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,password,keyboard-interactive
>
> the ssh -vvv outputs are not that enlightening, syslogging
> auth.debug doesn't
> show anything extra and it's not clear how to, if possible,
> turn up the kerberos
> log level.
>
> any advice would be appreciated. i suspect that this is some
> issue related to
> the KDC runnning current and the other machines being on 3.9 release.
I ran into similar failures between versions of OpenBSD (KDC running current
and older releases on clients) that I was able to debug down to the level of
detecting an error related to "MIC failures". I think I had to bump up
debugging on sshd to get that.
You might try this on the client systems' krb5.conf as it took care of the
problem for me:
[gssapi]
correct_des3_mic = host/[EMAIL PROTECTED]
... or whatever appropriate wildcard you should have.
Assuming this works for you, I'd be interested in knowing what the exact
nature of the problem is, I hate fixing something blindly without knowing
why it's fixed.
DS
