
Preauth failed


Jerome Walter

Aug 19, 2003, 6:03:03 AM
Hi,

I am setting up a Kerberos realm on which GNU/Linux, Solaris and Win2k
stations would authenticate.
For now, I have no problem with GNU/Linux (Debian) stations; they
authenticate perfectly.

Solaris 9 stations give me more problems, using SEAM. When kinit'ing I get a
"Preauthentication failed while getting initial credentials".
Ethereal gives me no other message than "PREAUTH_FAILED" and
"KRB5KDC_ERR_PREAUTH_FAILED".

And then, Windows is the worst. Some time ago, the cross-realm between the AD
KDC and my MIT one worked just fine. Having had to change a few things while
playing with AFS, it suddenly didn't work at all: preauth_required. Windows
stations never send a second message with preauth info.

Has anyone set this up, and could give me some advice or tips on how to get
this to work again?

TIA

Jerome Walter


--
-+-- Jérôme Walter - I2 EFREI ----+-
Equipe Système - Efrei Robotique - Jap'Efrei - Erasmus Tutors
"The World is my country" - "Nihon no tomodachi desu"
EFREI System and Networking guide http://perso.efrei.fr/~walter/

Wyllys Ingersoll

Aug 19, 2003, 12:04:12 PM
to kerb...@mit.edu
Jerome Walter wrote:
> Hi,
>
> I am setting up a Kerberos realm on which GNU/Linux, Solaris and Win2k
> stations would authenticate.
> For now, I have no problem with GNU/Linux (Debian) stations; they
> authenticate perfectly.
>
> Solaris 9 stations give me more problems, using SEAM. When kinit'ing I get a
> "Preauthentication failed while getting initial credentials".
> Ethereal gives me no other message than "PREAUTH_FAILED" and
> "KRB5KDC_ERR_PREAUTH_FAILED".

Make sure you are only using DES keys for the Solaris client principals.
Solaris 9 SEAM does not support 3DES enctypes.

Also, check the time delta between the Solaris clients and the KDC.

Finally - check sunsolve.sun.com for the latest patches for Kerberos (SEAM),
there are several that might fix this problem.

-Wyllys

________________________________________________
Kerberos mailing list Kerb...@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Sam Hartman

Aug 19, 2003, 2:56:12 PM
to kerb...@mit.edu
Hi. You probably want to remove the requires_preauth attribute for
the cross-realm keys and for the local krbtgt key.
That will probably help with Windows.

You may find that upgrading to the krb5-kdc package from Debian
unstable (which can probably be rebuilt for stable fairly easily)
fixes your Solaris problems.

Sun may also have a patch for the etype_info
issue available; I'm not sure.
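
The two replies above point at two things to check on the KDC: whether the krbtgt principals (local and cross-realm) carry `requires_preauth`, and whether principals used from Solaris 9 SEAM have non-DES keys. The script below is an added example, not part of the thread or of any poster's setup; it audits text in the layout that MIT `kadmin.local -q "getprinc NAME"` prints. The sample records, `EXAMPLE.COM`, `AD.EXAMPLE.COM` and `jdoe` are constructed placeholders, and the pattern argument naming the Solaris-used principals is an assumption.

```shell
#!/bin/sh
# Added example: constructed getprinc-style records (placeholders, not real data).
sample_getprinc() {
cat <<'EOF'
Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Number of keys: 2
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes: REQUIRES_PRE_AUTH
Principal: krbtgt/AD.EXAMPLE.COM@EXAMPLE.COM
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes:
Principal: jdoe@EXAMPLE.COM
Number of keys: 2
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, DES cbc mode with CRC-32, no salt
Attributes:
EOF
}

# audit_princs PATTERN
#   stdin:   one or more getprinc records
#   PATTERN: awk regex for principals used from Solaris 9 clients (assumption)
# Prints one finding per line:
#   PREAUTH <principal>  krbtgt principal with REQUIRES_PRE_AUTH set
#   NON_DES <principal>  Solaris-used principal holding a key that is not single DES
audit_princs() {
    awk -v solaris="$1" '
    /^Principal: / { princ = $2; flagged = 0; next }
    /^Key: / {
        # ", DES cbc mode" matches single DES only; "Triple DES" lacks the comma.
        if (princ ~ solaris && $0 !~ /, DES cbc mode/ && !flagged) {
            print "NON_DES " princ
            flagged = 1
        }
        next
    }
    /^Attributes:/ {
        if (princ ~ /^krbtgt\// && $0 ~ /REQUIRES_PRE_AUTH/)
            print "PREAUTH " princ
    }
    '
}

# Run against the constructed sample; replace with real getprinc output on a KDC.
sample_getprinc | audit_princs '^jdoe@'
```
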

Jerome Walter

Aug 22, 2003, 5:10:19 AM
Jerome Walter wrote :
> Hi,
[snip]

Sorry for not replying to you. Apparently, the news server at school has its
drives full and does not get your answers. I read them in the archives and they
have resolved all my problems, especially on Windows. The Solaris problem was
just a corrupted or wrong keytab trick.

Thank you for everything.


Jerome
