Another Kerberos puzzl
Andrew Bartlett
abartlet at samba.org
Tue Sep 14 23:52:44 MDT 2010
On Tue, 2010-09-14 at 13:55 -0700, Volker Lendecke wrote:
> Hi, Andrew!
>
> Another one: IE8 running on XP in a S4 domain, ADS mode. It
> is trying sso against apache 2 on FreeBSD running mod_auth_ntlm_winbind
> talking to ntlm_auth using the gss-spnego helper protocol.
Ouch, that's a rarely used codepath. I'll try and take a look at it
soon.
> When trying to do that, I get:
>
> [2010/09/14 15:39:13.030472, 3, pid=2770] libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
> libads/kerberos_verify.c:429: enc type [1] failed to decrypt with error Unknown error: 1859794434
>
> Günther kindly figured out for me that 1859794434 is
>
> krb5-1.8.2/include/krb5/krb5.h:#define ASN1_MISPLACED_FIELD (1859794434L)
> heimdal-1.3.3/include/asn1_err.h: ASN1_MISPLACED_FIELD = 1859794434
>
>
> [root at freebsd /usr/lib]# kinit --version
> kinit (Heimdal 1.1.0)
>
> That's the apache host.
>
> Trying to join native W2k8 next.
>
> dc.cap is the traffic XP<->S4, wwwauth.cap is the traffic
> IE<->FreeBSD.
Thanks for that.
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100915/e0dad844/attachment.pgp>
More information about the samba-technical
mailing list