SLES8, heimdal: "KDC policy rejects request"
Hello,
after the latest security update for heimdal (heimdal-0.4e-401) on an SLES
8 server, pam_krb5 (and, for that matter, all gssapi-based services)
stopped working throughout the kerberos realm; reverting back to an older
version of heimdal makes the problem go away.
Symptoms:
- it is still possible to get tgt tickets (e.g. using kinit)
- it *appears* to be not possible to get any service tickets at all
Relevant log generated from pam_krb5:
Aug 9 13:19:13 f100 sshd[7120]: (pam_krb5) pam_krb5_verify_tgt:
krb5_mk_req: KDC policy rejects request
Aug 9 13:19:13 f100 sshd[7120]: (pam_krb5) pam_krb5_verify_tgt:
Authentication failure
The same message ("KDC policy rejects request") is logged in the kdc log;
it is also logged for any attempt to use services via GSSAPI (e.g. LDAP).
I found a posting on the web that seems related (bottom of the page):
http://www.emsl.pnl.gov/ops/comphelp/ssh/faq.html
It hints that this may have something to do with the "renewable" flag of
host and service principals; can anyone explain to me what this means, why
this change of behaviour in heimdal was necessary, and what I should do? I
can find no mention of "renewable" in the heimdal docs, or how to
configure it.
Best regards
--
Helge Bahmann
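The post shows the two-line pam_krb5 pattern (a krb5_mk_req failure with "KDC policy rejects request", followed by "Authentication failure" from the same sshd pid) and says the same error text appears for GSSAPI services such as LDAP. The following is an added triage script for this thread, not code from the original post or from Heimdal: it parses syslog lines in the format quoted above, pulls out every KDC policy rejection, counts them per program, and correlates a rejection with a later "Authentication failure" from the same pid to tell completed login failures from lone KDC errors. The two sshd[7120] lines in SAMPLE_LOG are the ones quoted in the post; every other line (the sshd[7131], slapd and "authentication succeeds" lines, and the slapd message wording) is constructed for the example and is an assumption, not real log output.

```python
"""Triage syslog lines for Kerberos "KDC policy rejects request" failures.

Added example for this thread; not code from the original post or from
Heimdal. The two sshd[7120] lines are the ones quoted in the post; all
other lines are constructed sample data.
"""
import re
from collections import Counter

# Error text of KRB5KDC_ERR_POLICY (Kerberos error code 12) as rendered
# by the Kerberos error tables; this is what pam_krb5 and the KDC log print.
KDC_POLICY_MSG = "KDC policy rejects request"
AUTH_FAILURE_MSG = "Authentication failure"

# Constructed sample log. Only the sshd[7120] lines come from the post.
SAMPLE_LOG = """\
Aug 9 13:19:13 f100 sshd[7120]: (pam_krb5) pam_krb5_verify_tgt: krb5_mk_req: KDC policy rejects request
Aug 9 13:19:13 f100 sshd[7120]: (pam_krb5) pam_krb5_verify_tgt: Authentication failure
Aug 9 13:19:20 f100 sshd[7131]: (pam_krb5) pam_krb5_verify_tgt: krb5_mk_req: KDC policy rejects request
Aug 9 13:20:02 f100 slapd[812]: GSSAPI error (constructed wording): KDC policy rejects request
Aug 9 13:21:45 f100 sshd[7140]: (pam_krb5) authentication succeeds for 'alice'
"""

# Classic BSD syslog layout: "Mon dd HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def parse_syslog_line(line):
    """Return a dict with ts/host/prog/pid/msg, or None if the line does not parse."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def find_policy_rejections(text):
    """All parsed records whose message carries the KDC policy error text."""
    hits = []
    for line in text.splitlines():
        rec = parse_syslog_line(line)
        if rec and KDC_POLICY_MSG in rec["msg"]:
            hits.append(rec)
    return hits


def rejections_by_program(text):
    """Count policy rejections per logging program (sshd, slapd, ...)."""
    return Counter(rec["prog"] for rec in find_policy_rejections(text))


def failed_sessions(text):
    """Pids whose KDC policy rejection was followed by an 'Authentication failure'.

    This is the two-line pam_krb5 pattern from the post: a lone rejection
    without the follow-up line is reported separately by find_policy_rejections.
    """
    rejected = set()
    failed = set()
    for line in text.splitlines():
        rec = parse_syslog_line(line)
        if not rec or not rec["pid"]:
            continue
        if KDC_POLICY_MSG in rec["msg"]:
            rejected.add(rec["pid"])
        elif AUTH_FAILURE_MSG in rec["msg"] and rec["pid"] in rejected:
            failed.add(rec["pid"])
    return sorted(failed)


if __name__ == "__main__":
    for rec in find_policy_rejections(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['host']} {rec['prog']}[{rec['pid']}]: {rec['msg']}")
    print("per program:", dict(rejections_by_program(SAMPLE_LOG)))
    print("sessions that failed authentication:", failed_sessions(SAMPLE_LOG))
```

Run it against a real /var/log/messages (replace SAMPLE_LOG with the file contents) to see which services are affected; a rejection from every GSSAPI client on every host, while kinit still succeeds, is the pattern the post describes and points at the KDC side rather than at any single client.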