Decoding transited encoding: KDC policy rejects request
Hi,
I'm running SuSE 9.0, using SuSE's heimdal rpm, and am having some trouble.
I've just converted my MIT KDC over to Heimdal, had to compile a hprop with
the patch from here:
http://www.stacken.kth.se/lists/heimdal-discuss/2003-10/msg00073.html
My accounts work fine, but whenever I 'afslog':
/tmp> kinit dative
dative@SUKRAHELITEK.COM's Password:
/tmp> klist -v
Credentials cache: FILE:/tmp/krb5cc_502
Principal: dative@SUKRAHELITEK.COM
Cache version: 4
Server: krbtgt/SUKRAHELITEK.COM@SUKRAHELITEK.COM
Ticket etype: des3-cbc-sha1, kvno 1
Auth time: Aug 25 18:16:05 2004
End time: Aug 26 04:16:05 2004
Ticket flags: initial
Addresses: IPv4:10.0.2.1
/tmp> afslog -v
krb5 tried afs@SUKRAHELITEK.COM -> -1765328372
krb5 tried afs/sukrahelitek.com@SUKRAHELITEK.COM -> -1765328377
krb5 tried afs@SUKRAHELITEK.COM -> -1765328372
krb5 tried afs/sukrahelitek.com@SUKRAHELITEK.COM -> -1765328377
afslog: krb5_afslog((null)): Server not found in Kerberos database
Here's (I think) the relevant part of the log:
AS-REQ dative@SUKRAHELITEK.COM from IPv4:10.0.2.1 for
krbtgt/SUKRAHELITEK.COM@SUKRAHELITEK.COM
TGS-REQ dative@SUKRAHELITEK.COM from IPv4:10.0.2.1 for afs@SUKRAHELITEK.COM
Decoding transited encoding: KDC policy rejects request
This might be useful:
# kadmin -l
kadmin> get afs
Principal: afs@SUKRAHELITEK.COM
Principal expires: never
Password expires: never
Last password change: never
Max ticket life: 10 hours
Max renewable life: 1 week
Kvno: 1
Mkvno: 0
Policy: none
Last successful login: never
Last failed login: never
Failed login count: 0
Last modified: 2003-10-18 21:33:38 UTC
Modifier: root/admin@SUKRAHELITEK.COM
Attributes:
Keytypes(salttype[(salt-value)]): des-cbc-crc(pw-salt)
I've exhausted most everything I can think to do (twice, in many cases),
except to ask for advice. Any suggestions?
Regards and thanks,
-Ben