Problems with Krb5/GSSAPI patches in FBSD 4.3

Simon Wilkinson sxw at sxw.org.uk
Tue May 22 08:54:21 EST 2001


On Monday 21 May 2001 23:39, Peter Losher wrote:
> On a FreeBSD 4.3-STABLE system (with both the integrated Heimdal libs and
> the MIT Krb5 package from ports installed).  I patched the src tree,
> reconfigured, recompiled, installed, and it works - except for Krb5
> passwords or Krb5 tickets.  And I really can't tell if the patches are even
> working or if it contacts the KDC (no error message shows up on console or
> in /var/log/messages)  It just rejects my Krb5 password.

The protocol 2 GSSAPI patch doesn't do password authentication - just 
credentials authentication. If you're wanting to verify Kerberos passwords on 
the server, I'd recommend looking at a different solution.

However, if you are wanting to do credentials-based authentication (where you 
kinit on the client before connecting to the server), you might want to try 
the following:

Things to check:
1) On the client side - does your credentials cache contain a valid credential?
2) On the server side - does the default keytab (usually /etc/krb5.keytab) 
    contain a correct host principal - usually host/<fully-qualified-hostname>?
3) Are you using protocol version 2? (2.9p1 should default to this - but you
   should force it for testing using -2 on the command line)

If it's still not working, please mail me a debug trace from both the client 
and the server (use ssh -v and sshd -d), including the arguments you started 
them with. Please let me know how you get on!

Thanks,

Simon.

-- 
Simon Wilkinson            <simon at sxw.org.uk>          http://www.sxw.org.uk
"When all you have is an axe, every problem looks like fun"
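
Added example, not part of the original message and not code from the patch: a shell sketch of checks 1 and 2 from the list above. It assumes the MIT Kerberos klist (its -s and -k options and its keytab listing layout); the hostnames, realm and sample listing are constructed.

```shell
#!/bin/sh
# Check 1 (client): MIT `klist -s` prints nothing and exits 0 only when the
# credentials cache holds an unexpired ticket.
client_has_valid_ticket() {
    klist -s
}

# Check 2 (server): read `klist -k` output on stdin and succeed only if it
# lists host/<fqdn>@REALM. The wanted name is lowercased because clients
# normally request the lowercased hostname; the keytab entry itself must
# match exactly, so host/server does not satisfy host/server.example.com.
keytab_has_host_principal() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v want="host/$want" '
        # Entry lines are "<numeric KVNO> <principal>"; headers are skipped.
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            split($2, parts, "@")
            if (parts[1] == want) found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample of `klist -k /etc/krb5.keytab` output.
sample_keytab_listing() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server.example.com@EXAMPLE.COM
   3 ftp/server.example.com@EXAMPLE.COM
EOF
}

# Usage: "check.sh client" on the client after kinit,
#        "check.sh server <fqdn>" as root on the server.
case "${1:-}" in
    client)
        client_has_valid_ticket || echo "no valid ticket in cache: run kinit"
        ;;
    server)
        klist -k /etc/krb5.keytab | keytab_has_host_principal "$2" \
            || echo "no host/$2 entry in /etc/krb5.keytab"
        ;;
esac
```

Once both checks pass, check 3 is the ssh -2 -v run against the server, with sshd -d on the other side, as described in the message.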




More information about the openssh-unix-dev mailing list