Re: kerberos debugging troubles
From: [EMAIL PROTECTED]

> >Assuming this works for you, I'd be interested in knowing what the exact
> >nature of the problem is, I hate fixing something blindly without knowing
> >why it's fixed.
>
> this has fixed most of the problems, except i can't ssh out from the KDC using
> kerberos auth. messing with broken_des3_mic = host/[EMAIL PROTECTED] will
> probably fix that, haven't tried it yet.
>
> i think this reflects that current has heimdal 0.7 and 3.9 release has 0.6. see
> http://www.thebestisp.com/man.php/man/gssapi/3 . again, i have not thoroughly
> checked this.

To turn on compatibility with older clients and servers, change the [gssapi]
broken_des3_mic in krb5.conf that contains a list of globbing expressions that
will be matched against the server name. To turn off generation of the old
(incompatible) mic of the MIC use [gssapi] correct_des3_mic.

So maybe you need 'broken_des3_mic' on the KDC instead of 'correct_des3_mic'.

DS
Re: kerberos debugging troubles
>I ran into similar failures between versions of OpenBSD (KDC running current
>and older releases on clients) that I was able to debug down to the level of
>detecting an error related to "MIC failures". I think I had to bump up
>debugging on sshd to get that.
>

DS, yah, this appeared in /var/log/authlog for me.

>You might try this on the client systems' krb5.conf as it took care of the
>problem for me:
>
>[gssapi]
>correct_des3_mic = host/[EMAIL PROTECTED]
>
>... or whatever appropriate wildcard you should have.
>
>Assuming this works for you, I'd be interested in knowing what the exact
>nature of the problem is, I hate fixing something blindly without knowing
>why it's fixed.
>

this has fixed most of the problems, except i can't ssh out from the KDC using
kerberos auth. messing with broken_des3_mic = host/[EMAIL PROTECTED] will
probably fix that, haven't tried it yet.

i think this reflects that current has heimdal 0.7 and 3.9 release has 0.6. see
http://www.thebestisp.com/man.php/man/gssapi/3 . again, i have not thoroughly
checked this.

thx a bunch, jake

>DS
Re: kerberos debugging troubles
From: [EMAIL PROTECTED]

> the KDC is the only machine on the network that is running current (snap
> upgraded last night), the rest are on 3.9 release. here are the debugging
> outputs:
>
> debug1: Next authentication method: gssapi-with-mic
> debug2: we sent a gssapi-with-mic packet, wait for reply
> debug1: Delegating credentials
> debug1: Delegating credentials
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,password,keyboard-interactive
>
> the ssh -vvv outputs are not that enlightening, syslogging auth.debug doesn't
> show anything extra and it's not clear how to, if possible, turn up the
> kerberos log level.
>
> any advice would be appreciated. i suspect that this is some issue related to
> the KDC running current and the other machines being on 3.9 release.

I ran into similar failures between versions of OpenBSD (KDC running current
and older releases on clients) that I was able to debug down to the level of
detecting an error related to "MIC failures". I think I had to bump up
debugging on sshd to get that.

You might try this on the client systems' krb5.conf as it took care of the
problem for me:

[gssapi]
correct_des3_mic = host/[EMAIL PROTECTED]

... or whatever appropriate wildcard you should have.

Assuming this works for you, I'd be interested in knowing what the exact
nature of the problem is, I hate fixing something blindly without knowing
why it's fixed.

DS
Re: kerberos debugging troubles
On Sun, 2006-07-09 at 18:58 -0500, Jacob Yocom-Piatt wrote:
> any advice would be appreciated. i suspect that this is some issue related to
> the KDC running current and the other machines being on 3.9 release.

this shouldn't matter as the language heimdal speaks is the same, for the most
part as far as I know, across versions. Thus the reason you can have MIT and
Heimdal servers and clients talk to each other.

when running into problems with SSH, the first culprit I always look for is to
make sure that the clocks on the corresponding hosts are relatively close.
Heimdal usually allows for a 5 minute difference in time on the communicating
hosts but can be changed with the 'clockskew' setting in your krb5.conf.

later.
ryanc

--
Ryan Corder <[EMAIL PROTECTED]>
Systems Engineer, NovaSys Health LLC.
501-219- ext. 646
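The following krb5.conf fragments are an added illustration, not configuration posted by anyone in this thread. They show where the three settings discussed above sit in a Heimdal krb5.conf: the 'clockskew' tolerance from Ryan's reply, 'correct_des3_mic' on the 3.9-release clients as DS suggested, and 'broken_des3_mic' on the -current KDC as DS reads the gssapi(3) text he quotes. The realm EXAMPLE.COM, the host names, the /etc/kerberosV/krb5.conf path and the explicit 300-second value are assumed example values; the page gives the real principal only in obfuscated form.

```ini
# --- /etc/kerberosV/krb5.conf on a 3.9-release client (Heimdal 0.6) ---
# Realm, host names and globs below are assumed example values.
[libdefaults]
        default_realm = EXAMPLE.COM
        # Heimdal's default tolerance is 5 minutes; stated here explicitly
        # (in seconds) so the value in force is visible when debugging.
        clockskew = 300

[realms]
        EXAMPLE.COM = {
                kdc = kdc.example.com
        }

[gssapi]
        # Globs are matched against the server name (gssapi(3)). Here the
        # newer KDC host is the only server that generates the corrected MIC.
        correct_des3_mic = host/kdc.example.com@EXAMPLE.COM

# --- /etc/kerberosV/krb5.conf on the -current KDC (Heimdal 0.7) ---
[libdefaults]
        default_realm = EXAMPLE.COM
        clockskew = 300

[realms]
        EXAMPLE.COM = {
                kdc = kdc.example.com
        }

[gssapi]
        # Generate the old (incompatible) MIC when talking to servers whose
        # principal matches this glob, i.e. the remaining 3.9-release hosts,
        # so that ssh out from the KDC with kerberos auth also works.
        broken_des3_mic = host/*@EXAMPLE.COM
```

After changing either file, the quickest check is the same one used in the thread: run ssh -vvv against a host on the other side of the version split and watch /var/log/authlog on the server for the "MIC failures" message; if the clocks differ by more than the configured clockskew, the failure will be reported by the Kerberos library rather than by the GSSAPI MIC check.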