On Thu, 11 Jul 2013 17:07:02 +0200 Mathias Feiler <[email protected]> wrote:
> Well, I can kinit w/o any trouble and even get my AFS-token > thus I expect heimdal itself to be some how ok. It sounds like AFS itself is probably ok, too, then :) > I have actually no idea what the term > "credential verification failed: encryption key has bad length" > wants to tell me , nor where to look for some causing oddities. That seems more like an internal error than anything you did wrong. I assume it has to do with an encryption key being a different length than the encryption type says it should be. The reason why pam_krb5 is probably failing but 'kinit' is not, is because I think pam_krb5 implementations generally do an additional verification step against the host/* keytab (so you can't break in by faking a KDC response). > Does anyone else got an Idea? Any hint is very welcome. I don't think this has anything to do with AFS; it's failing on the pam_krb5 invocation before we get to anything AFS-related. I would ask on a Heimdal or Kerberos list for help. This list is for development of OpenAFS. But if you want some guesses from me, you could using a different pam_krb5 (such as libpam-krb5). Or, you could try re-extracting the host/* principals in your /etc/krb5.keytab. Those are just guesses, though, and you would get better answers on a Kerberos-related list. -- Andrew Deason [email protected] _______________________________________________ OpenAFS-devel mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-devel
