Failed KDC as a result of Squid. - Kerberos

This is a discussion on Failed KDC as a result of Squid. - Kerberos ; I recently added a Squid server to my network, and for some reason, my KDC is on the fritz. Here are some errors. kprop: Decrypt integrity check failed while getting initial ticket This happens while attempting to propogate to a ...

+ Reply to Thread
Results 1 to 2 of 2

Thread: Failed KDC as a result of Squid.

  1. Failed KDC as a result of Squid.

    I recently added a Squid server to my network, and for some reason, my
    KDC is on the fritz.

    Here are some errors.
    kprop: Decrypt integrity check failed while getting initial ticket
    This happens while attempting to propogate to a slave KDC

    >From SSH Client: debug1: Miscellaneous failure

    Generic error (see e-text)

    This error appears on client SSH machines

    Postponed gssapi-with-mic for masterz from 127.0.0.1 port 52370 ssh2
    debug1: Miscellaneous failure
    Key version number for principal in key table is incorrect

    This error is produced on SSH servers.

    Aug 31 10:41:11 kurama smbd[3211]: [2006/08/31 10:41:11, 0] lib/fault.c:fault_report(36)
    Aug 31 10:41:11 kurama smbd[3211]: ================================================== =============
    Aug 31 10:41:11 kurama smbd[3211]: [2006/08/31 10:41:11, 0] lib/fault.c:fault_report(37)
    Aug 31 10:41:11 kurama smbd[3211]: INTERNAL ERROR: Signal 11 in pid 3211 (3.0.20)
    Aug 31 10:41:11 kurama smbd[3211]: Please read the appendix Bugs of the Samba HOWTO collection
    Aug 31 10:41:11 kurama smbd[3211]: [2006/08/31 10:41:11, 0] lib/fault.c:fault_report(39)
    Aug 31 10:41:11 kurama smbd[3211]: ================================================== =============
    Aug 31 10:41:11 kurama smbd[3211]: [2006/08/31 10:41:11, 0] lib/util.c:smb_panic2(1548)
    Aug 31 10:41:11 kurama smbd[3211]: PANIC: internal error
    Aug 31 10:41:11 kurama smbd[3211]: [2006/08/31 10:41:11, 0] lib/util.c:smb_panic2(1556)
    Aug 31 10:41:11 kurama smbd[3211]: BACKTRACE: 20 stack frames:
    Aug 31 10:41:11 kurama smbd[3211]: #0 smbd(smb_panic2+0x1ac) [0x801d8710]
    Aug 31 10:41:11 kurama smbd[3211]: #1 smbd(smb_panic+0x25) [0x801d855e]
    Aug 31 10:41:11 kurama smbd[3211]: #2 smbd [0x801c34ff]
    Aug 31 10:41:11 kurama smbd[3211]: #3 smbd [0x801c3572]
    Aug 31 10:41:11 kurama smbd[3211]: #4 [0xffffe420]
    Aug 31 10:41:11 kurama smbd[3211]: #5 /usr/lib/libkrb5.so.3(krb5_ktfile_get_next+0xc0) [0xb7efd653]
    Aug 31 10:41:11 kurama smbd[3211]: #6 /usr/lib/libkrb5.so.3(krb5_kt_next_entry+0x37) [0xb7efc333]
    Aug 31 10:41:11 kurama smbd[3211]: #7 smbd [0x8025537f]
    Aug 31 10:41:11 kurama smbd[3211]: #8 smbd(ads_verify_ticket+0x460) [0x80255d6f]
    Aug 31 10:41:11 kurama smbd[3211]: #9 smbd [0x800777a0]
    Aug 31 10:41:11 kurama smbd[3211]: #10 smbd [0x800785a0]
    Aug 31 10:41:11 kurama smbd[3211]: #11 smbd [0x80078cfb]
    Aug 31 10:41:11 kurama smbd[3211]: #12 smbd(reply_sesssetup_and_X+0x1c0) [0x8007916c]
    Aug 31 10:41:11 kurama smbd[3211]: #13 smbd [0x800a4ca4]
    Aug 31 10:41:11 kurama smbd[3211]: #14 smbd [0x800a4d6a]
    Aug 31 10:41:11 kurama smbd[3211]: #15 smbd(process_smb+0x1f5) [0x800a50ea]
    Aug 31 10:41:11 kurama smbd[3211]: #16 smbd(smbd_process+0x174) [0x800a5e9b]
    Aug 31 10:41:11 kurama smbd[3211]: #17 smbd(main+0x852) [0x80263a94]
    Aug 31 10:41:11 kurama smbd[3211]: #18 /lib/tls/libc.so.6(__libc_start_main+0xd0) [0xb7ba2e40]
    Aug 31 10:41:11 kurama smbd[3211]: #19 smbd [0x8003c231]

    Samba servers produce all this.


    Apache mod_auth_kerb also fails.
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Failed KDC as a result of Squid.

    On Aug 31, 2006, at 14:56, Evan Vittitow wrote:
    > I recently added a Squid server to my network, and for some reason, my
    > KDC is on the fritz.


    Did you maybe change the network configuration to force all web
    traffic to be re-routed through squid?
    And maybe use port 88 instead of (or in addition to) port 80 in the
    change?
    Or do you carry Kerberos traffic or port 80?

    > Here are some errors.
    > kprop: Decrypt integrity check failed while getting initial ticket
    > This happens while attempting to propogate to a slave KDC


    This should have nothing to do with http or port 80, unless there's
    something strange in your setup. Likewise with the ssh and samba
    problems.

    Ken
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


+ Reply to Thread