Re: "shishi user SERVICE" borked?

From: Simon Josefsson
Subject: Re: "shishi user SERVICE" borked?
Date: Sat, 22 Apr 2006 13:03:41 +0200
User-agent: Gnus/5.110005 (No Gnus v0.5) Emacs/22.0.50 (gnu/linux)

Elrond <address@hidden> writes:

> Okay, this gets weird.
> Base result: shishi works.
> For the fun / which starts to confuse me:
> heimdal:
>     I have service accounts in my heimdal-kdc that work,
>     and I have ones, that don't. I can't really see the
>     difference.  Even doing a "cpw -r broken/service"
>     (which makes new keys), doesn't help those services.
>     Newly created principals usually work.

What's the error in the KDC log?

Can you re-try the same query a few times?  I recall problems with
negative ASN.1 integers in some field that contain random data.
Sometimes the random data result in a negative ASN.1 integer, and
there was some problem in handling them.  If the same request works
only sometimes, then this may be the cause.

> w2k3:
>     clock skew:
>       If the w2k3-box is 21 seconds ahead of my local box,
>       I get some "generic error" as TGT time.
>       If my local box is about a minute ahead, I can at
>       least get a TGT.
>     service tickets:
>       Do not work.
> What would help you next? For the w2k3-kdc, I can do nearly
> everything, including sending you -v*4 and network
> captures. For the heimdal one, I have to see (it's half
> toy, half real.)

Let's start with the w2k3-kdc -v -v -v -v logs for a working TGT
request, and then one for a service ticket that fails.  Run 'shishi
-d' before, to make sure there aren't any old tickets around.
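
Added example, not part of the original message and not Shishi or Heimdal code: it shows in C why a field filled with random data decodes as a negative ASN.1 INTEGER on only some requests, using a signed DER decoder on two encodings of the same value. The 4-byte field width is an assumption, and `der_decode_int`, `der_encode_u32`, `decode_raw32` and `decode_fixed32` are hypothetical helper names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode a DER INTEGER with 1..8 content bytes; returns 0 on success. */
int der_decode_int(const uint8_t *in, size_t len, int64_t *v) {
    if (len < 3 || len > 10 || in[0] != 0x02 || in[1] != len - 2) return -1;
    uint64_t acc = (in[2] & 0x80) ? ~(uint64_t)0 : 0;   /* sign-extend */
    for (size_t i = 0; i < in[1]; i++) acc = (acc << 8) | in[2 + i];
    *v = (int64_t)acc;
    return 0;
}

/* Encode r as a non-negative INTEGER (one 0x00 kept before a set top bit). */
size_t der_encode_u32(uint32_t r, uint8_t *out) {   /* out needs 7 bytes */
    uint8_t b[5] = { 0, (uint8_t)(r >> 24), (uint8_t)(r >> 16),
                     (uint8_t)(r >> 8), (uint8_t)r };
    size_t s = 0;
    while (s < 4 && b[s] == 0 && !(b[s + 1] & 0x80)) s++;
    out[0] = 0x02;
    out[1] = (uint8_t)(5 - s);
    memcpy(out + 2, b + s, 5 - s);
    return 2 + (5 - s);
}

/* Hypothetical sender: 4 random bytes copied in as content, no sign check. */
int64_t decode_raw32(uint32_t r) {
    uint8_t m[6] = { 0x02, 4, (uint8_t)(r >> 24), (uint8_t)(r >> 16),
                     (uint8_t)(r >> 8), (uint8_t)r };
    int64_t v = 0;
    der_decode_int(m, sizeof m, &v);
    return v;
}

/* Sender that encodes the same value as unsigned, read by the same decoder. */
int64_t decode_fixed32(uint32_t r) {
    uint8_t m[7];
    int64_t v = 0;
    der_decode_int(m, der_encode_u32(r, m), &v);
    return v;
}

int main(void) {   /* constructed values standing in for random field contents */
    const uint32_t s[] = { 0x12345678u, 0x7FFFFFFFu, 0x80000000u, 0xDEADBEEFu };
    for (size_t i = 0; i < 4; i++)
        printf("%08x raw=%lld fixed=%lld\n", (unsigned)s[i],
               (long long)decode_raw32(s[i]), (long long)decode_fixed32(s[i]));
    return 0;
}
```

Values with the top bit clear decode identically on both paths, so a mismatch only appears when the random bytes happen to start with a set top bit.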

