Re: [modauthkerb] Intermittent SPNEGO failure
From: Douglas E. E. <dee...@an...> - 2006-02-23 17:14:38
JOHNSON, ANDREW S [AG/1560] wrote:
> I could easily believe that there is some sort of replication
> or caching problem, but proving it could be another matter.
> We have DCs all over North America so finding the bad one
> would present quite a challenge. When I created the keytab,
> I used +rndpass. I don't think it is the password per se,
> or it wouldn't have ever worked. When I did the user "bounce",
> I deleted the account on Friday, and didn't recreate it until
> Monday just for the replication / caching concerns above.
> A replication / caching problem would help explain the original
> problem as well, but for now it seems that I am where I started.
>
> Is there any other place I can trace what is going on?

Your AD admins could use the Microsoft dcdiag or repadmin commands
to check up on the DCs, and their replication. (Google for these
separately.)

You as the account admin could also use mmc with the ADSI edit plugin
to look at specific AD account entries. Then click on the properties
of the account and look for ms-DS-KeyVersionNumber to see what AD has.
(Actually the version as seen by the AD controller ADSI selected. You can
pick a different one by right clicking in the ADSI Edit and using the
connect to...) You can also look at some of the times in the entries too.

You can use the MIT kvno program to get a service ticket and look at it.
With a custom krb5.conf you could force it to look at a specific KDC.
You will have to delete the cache or delete the ticket after each test.

>
> Thanks,
>
> Andy Johnson
>
> -----Original Message-----
> From: Jari Ahonen [mailto:ja...@pr...]
> Sent: Thursday, February 23, 2006 9:27 AM
> To: JOHNSON, ANDREW S [AG/1560]; mod...@li...
> Subject: RE: [modauthkerb] Intermittent SPNEGO failure
>
>>gss_accept_sec_context() failed: Miscellaneous failure
>>(see text) (Decrypt integrity check failed)
>
> I believe this is the result of mismatched passwords (keys) in
> the AD user account and the keytab. In fact the error just means
> that the token could not be decrypted with the key in keytab.
>
> Is there a possibility that AD has not properly replicated the
> changes you have done? Or something somewhere caching the old
> credentials?
>
> - Jari

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
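
The per-DC check suggested in the reply above (kvno against one pinned KDC, a fresh cache for every test, the result compared with the keytab), as an added example that is not part of the original message. The realm, principals, keytab path and DC host names passed in are placeholders, and the functions assume the MIT kinit, kvno and klist tools are installed.

```shell
#!/bin/sh
# Added example. Usage (all values are placeholders):
#   check_dcs EXAMPLE.COM user@EXAMPLE.COM HTTP/web.example.com@EXAMPLE.COM \
#             /etc/httpd/http.keytab dc1.example.com dc2.example.com

# Emit a krb5.conf that pins one realm to one KDC (no DNS discovery).
pinned_krb5_conf() {  # $1 = realm, $2 = KDC host
    printf '[libdefaults]\n  default_realm = %s\n  dns_lookup_kdc = false\n' "$1"
    printf '[realms]\n  %s = {\n    kdc = %s\n  }\n' "$1" "$2"
}

# Extract N from kvno output of the form "<principal>: kvno = N".
parse_kvno() {
    sed -n 's/^.*: kvno = \([0-9][0-9]*\)$/\1/p'
}

# List the key versions held for principal $1 in "klist -k" output on stdin.
keytab_kvnos() {
    awk -v p="$1" '$2 == p { print $1 }' | sort -un
}

# Ask one DC for a service ticket, using a throwaway config and cache so
# no ticket from an earlier test is reused. Prints the kvno that DC issued.
kvno_from_dc() {  # $1 = realm, $2 = KDC host, $3 = user principal, $4 = SPN
    dir=$(mktemp -d) || return 1
    pinned_krb5_conf "$1" "$2" > "$dir/krb5.conf"
    (
        KRB5_CONFIG="$dir/krb5.conf" KRB5CCNAME="FILE:$dir/cc"
        export KRB5_CONFIG KRB5CCNAME
        # kinit's password prompt is sent to stderr so it is not captured.
        kinit "$3" >&2 && kvno "$4" | parse_kvno
    )
    rm -rf "$dir"   # removes the cache, i.e. "delete the cache after each test"
}

# Report, per DC, whether the kvno it issues is present in the keytab.
check_dcs() {  # $1 = realm, $2 = user, $3 = SPN, $4 = keytab, rest = DC hosts
    realm=$1 user=$2 spn=$3 keytab=$4; shift 4
    have=$(klist -k "$keytab" | keytab_kvnos "$spn")
    for dc in "$@"; do
        got=$(kvno_from_dc "$realm" "$dc" "$user" "$spn")
        [ -n "$got" ] || got=error
        if printf '%s\n' "$have" | grep -qx "$got"; then s=ok; else s=MISMATCH; fi
        printf '%s kvno=%s keytab=%s %s\n' "$dc" "$got" "$(echo $have)" "$s"
    done
}
```

A DC reported as MISMATCH is issuing tickets under a key version the keytab does not hold. A matching kvno only shows the versions agree, not that the key material itself is identical.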