>I ran into similar failures between versions of OpenBSD (KDC running current >and older releases on clients) that I was able to debug down to the level of >detecting an error related to "MIC failures". I think I had to bump up >debugging on sshd to get that. >
DS, yah, this appeared in /var/log/authlog for me. >You might try this on the client systems' krb5.conf as it took care of the >problem for me: > >[gssapi] > correct_des3_mic = host/[EMAIL PROTECTED] > >... or whatever appropriate wildcard you should have. > >Assuming this works for you, I'd be interested in knowing what the exact >nature of the problem is, I hate fixing something blindly without knowing >why it's fixed. > this has fixed most of the problems, except i can't ssh out from the KDC using kerberos auth. messing with broken_des3_mic = host/[EMAIL PROTECTED] will probably fix that, haven't tried it yet. i think this reflects that current has heimdal 0.7 and 3.9 release has 0.6. see http://www.thebestisp.com/man.php/man/gssapi/3 . again, i have not throroughly checked this. thx a bunch, jake >DS
