Authentication Error Failed Reading Application Request

Pucky Loucks wrote:
> So I've got MIT kerberos up and running in my dev Cell and it's great.
> Thanks to all those who help regarding my last post.
>
> Now I'm a little confused, regarding the changing of a password, should
> I be using the MIT kpasswd or the openafs one? using the MIT I get the
> error that is in the subject line, using the openafs version it times
> out (I'm thinking this is cuz kaserver is shutoff) Do I need to
> configure something on the afsdb nodes to pass the changes to the
> kerberos server? Or should I be looking into why the MIT kpasswd isn't
> working.
>
> Thanks,

You use the MIT kpasswd to change passwords in the MIT KDC.

Jeffrey Altman

Problems with kadmind, kpasswd and cross-realm authentication

I have created several cross-realm trusts on a test server. At this point, nearly everything is working properly. However, users are unable to change their passwords unless their account is in the initial domain. Users see the following when attempting it from the initial domain:

    # kpasswd
    Password for [hidden email]:
    Enter new password:
    Enter it again:
    Password changed.
    #

Unfortunately, the following happens for additional domains:

    # kpasswd
    Password for [hidden email]:
    Enter new password:
    Enter it again:
    Authentication error: Failed reading application request
    #

An strace of the kadmind daemon during a failed request shows the following:

    Process 1123 attached - interrupt to quit
    select(8, [6 7], NULL, NULL, {10, 890000}) = 0 (Timeout)
    select(8, [6 7], NULL, NULL, {15, 0}) = 1 (in [7], left {12, 140000})
    recvfrom(7, "\2\37\0\1\1\272n\202\1\2660\202\1\262\240\3\2\1\5\241\3"..., 1500, 0, {sa_family=AF_INET, sin_port=htons(2051), sin_addr=inet_addr("10.0.1.7")}, [16]) = 543
    socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 10
    connect(10, {sa_family=AF_INET, sin_port=htons(2051), sin_addr=inet_addr("10.0.1.7")}, 16) = 0
    time(NULL) = 1188946658
    close(10) = 0
    sendto(7, "\0\207\0\1\0\0~\1770}\240\3\2\1\5\241\3\2\1\36\244\21\30"..., 135, 0, {sa_family=AF_INET, sin_port=htons(2051), sin_addr=inet_addr("10.0.1.7")}, 16) = 135
    select(8, [6 7], NULL, NULL, {15, 0}
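
The two buffers in the strace output of the post above can be decoded far enough to see which side reported the failure. The following is an added example, not part of the original post: it unescapes the truncated strace strings and reads the RFC 3244 change-password framing (message length, protocol version, AP-REQ/AP-REP length), assuming the traffic is the standard kpasswd UDP exchange; the function names are illustrative.

```python
import re
import struct

# Constructed input: the two truncated buffers strace printed in the post above
# (recvfrom = client request, sendto = kadmind reply). Only the leading bytes exist.
RECV = r"\2\37\0\1\1\272n\202\1\2660\202\1\262\240\3\2\1\5\241\3"
SENT = r"\0\207\0\1\0\0~\1770}\240\3\2\1\5\241\3\2\1\36\244\21\30"

_ESC = {"n": 10, "t": 9, "r": 13, "v": 11, "f": 12, "\\": 92, '"': 34}
# ASN.1 APPLICATION tags of the Kerberos messages that can appear in this exchange.
KRB_TAGS = {0x6E: "AP-REQ", 0x6F: "AP-REP", 0x75: "KRB-PRIV", 0x7E: "KRB-ERROR"}


def unescape_strace(s):
    """Convert strace's C-style escaped string (octal and \\n-style escapes) to bytes."""
    out = bytearray()
    for m in re.finditer(r'\\([0-7]{1,3})|\\(.)|(.)', s, re.S):
        if m.group(1):
            out.append(int(m.group(1), 8) & 0xFF)
        elif m.group(2):
            out.append(_ESC[m.group(2)])
        else:
            out.append(ord(m.group(3)))
    return bytes(out)


def parse_kpasswd_header(buf, syscall_len=None):
    """Decode RFC 3244 framing: message length, version, AP-REQ/AP-REP length."""
    if len(buf) < 7:
        raise ValueError("need at least 7 bytes of the datagram")
    msg_len, version, ap_len = struct.unpack(">HHH", buf[:6])
    first = KRB_TAGS.get(buf[6], "unknown")
    return {
        "msg_len": msg_len,
        "version": version,
        "ap_len": ap_len,
        "first_msg": first,
        # A reply with a zero AP-REP length carries a KRB-ERROR instead of KRB-PRIV.
        "is_error": ap_len == 0 and first == "KRB-ERROR",
        # The length field should equal the byte count the syscall returned.
        "len_ok": syscall_len is None or syscall_len == msg_len,
    }


if __name__ == "__main__":
    print("request:", parse_kpasswd_header(unescape_strace(RECV), 543))
    print("reply:  ", parse_kpasswd_header(unescape_strace(SENT), 135))
```

The request decodes as a well-framed version 1 message carrying an AP-REQ, while the reply has a zero-length AP-REP followed by a KRB-ERROR, so kadmind answered on the protocol's error path rather than with an encrypted result.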

new password: Enter it again: Authentication error: Failed reading application request

On the Server's side I do see the client trying to change the user's password but no more detail:

    Apr 07 11:54:17 host02 krb5kdc[13289](info): AS_REQ (5 etypes {16 23 18 3 1}) 10.x.x.x: ISSUE: authtime 1239119657, etypes {rep=16 tkt=16 ses=16}, user@xxxxxxxxxxxxx for kadmin/changepw@xxxxxxxxxxxxx
    Apr 07 11:54:17 host02 krb5kdc[13289](info): AS_REQ (5 etypes {16 23 18 3 1}) 10.x.x.x: ISSUE: authtime 1239119657, etypes {rep=16 tkt=16 ses=16}, user@xxxxxxxxxxxxx for kadmin/changepw@xxxxxxxxxxxxx

Kind of an obvious question, but are you running kadmind on the server? Your logs show the KDC traffic that would happen prior to the kadmind connection, but nothing logged from kadmind.

--
Russ Allbery (rra@xxxxxxxxxxxx)