directory-kerby mailing list archives

From Marc Boorshtein <mboorsht...@gmail.com>
Subject Re: KDC is rejecting my TGS
Date Sun, 22 Nov 2015 03:12:49 GMT
OK, so I fixed the kvno and it's still not working.  Looking at the MIT
Kerberos log I see the following for the control:

Nov 21 21:47:55 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3 etypes
{17 23 16}) 192.168.2.102: NEEDED_PREAUTH: HTTP/s4u.rhelent.lan@RHELENT.LAN
for krbtgt/RHELENT.LAN@RHELENT.LAN, Additional pre-authentication required

Nov 21 21:47:55 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3 etypes
{17 23 16}) 192.168.2.102: ISSUE: authtime 1448160475, etypes {rep=17
tkt=18 ses=17}, HTTP/s4u.rhelent.lan@RHELENT.LAN for
krbtgt/RHELENT.LAN@RHELENT.LAN

Nov 21 21:47:55 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (3 etypes
{17 23 16}) 192.168.2.102: ISSUE: authtime 1448160475, etypes {rep=17
tkt=18 ses=17}, HTTP/s4u.rhelent.lan@RHELENT.LAN for
HTTP/freeipa.rhelent.lan@RHELENT.LAN

Here's for Kerby:

Nov 21 21:47:11 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1 etypes
{17}) 192.168.2.102: ISSUE: authtime 1448160431, etypes {rep=17 tkt=18
ses=17}, HTTP/s4u.rhelent.lan@RHELENT.LAN for krbtgt/RHELENT.LAN@RHELENT.LAN

Nov 21 21:47:11 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1 etypes
{17}) 192.168.2.102: PROCESS_TGS: authtime 0,  <unknown client> for
HTTP/freeipa.rhelent.lan@RHELENT.LAN, ASN.1 structure is missing a required
field

The TGS_REQ line shows that the client is unknown...so maybe there's an
issue with how the TGT is being used to create SGT in Kerby?
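
A small parser for the krb5kdc request lines quoted in the message above, added here as an illustration; it is not part of the original post, of Kerby or of MIT Kerberos. The field layout is inferred from those lines only, and the names `parse` and `failures` are assumptions.

```python
import re

# Encryption type numbers that appear in these log lines (IANA Kerberos registry names).
ETYPES = {16: "des3-cbc-sha1-kd", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# Layout inferred from the lines in the message, not from a krb5 format specification.
LINE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<req_etypes>[\d ]+)\}\) (?P<addr>\S+): "
    r"(?P<status>[A-Z_]+): "
    r"(?:authtime (?P<authtime>\d+),\s+)?"
    r"(?:etypes \{(?P<tkt_etypes>[^}]*)\},\s+)?"
    r"(?P<client>.+?) for (?P<service>[^,\s]+)(?:, (?P<error>.*))?$"
)

def parse(line):
    """Return the fields of one krb5kdc request line, or None if it does not match."""
    m = LINE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["req_etypes"] = [ETYPES.get(int(e), e) for e in rec["req_etypes"].split()]
    return rec

def failures(lines):
    """Requests that ended in neither ISSUE nor the routine NEEDED_PREAUTH round trip."""
    recs = [r for r in map(parse, lines) if r]
    return [r for r in recs if r["status"] not in ("ISSUE", "NEEDED_PREAUTH")]

# Three lines from the message above, re-joined onto one line each.
PFX = "Nov 21 21:47:%s freeipa.rhelent.lan krb5kdc[7507](info): "
LOG = [
    PFX % "55" + "AS_REQ (3 etypes {17 23 16}) 192.168.2.102: NEEDED_PREAUTH: "
    "HTTP/s4u.rhelent.lan@RHELENT.LAN for krbtgt/RHELENT.LAN@RHELENT.LAN, "
    "Additional pre-authentication required",
    PFX % "55" + "TGS_REQ (3 etypes {17 23 16}) 192.168.2.102: ISSUE: authtime 1448160475, "
    "etypes {rep=17 tkt=18 ses=17}, HTTP/s4u.rhelent.lan@RHELENT.LAN for "
    "HTTP/freeipa.rhelent.lan@RHELENT.LAN",
    PFX % "11" + "TGS_REQ (1 etypes {17}) 192.168.2.102: PROCESS_TGS: authtime 0,  "
    "<unknown client> for HTTP/freeipa.rhelent.lan@RHELENT.LAN, "
    "ASN.1 structure is missing a required field",
]

if __name__ == "__main__":
    for r in failures(LOG):
        print(r["req"], r["status"], r["client"], "->", r["service"], "|", r["error"])
```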
