help-shishi

Re: "shishi user SERVICE" borked?


From: Simon Josefsson
Subject: Re: "shishi user SERVICE" borked?
Date: Sat, 22 Apr 2006 11:12:23 +0200
User-agent: Gnus/5.110005 (No Gnus v0.5) Emacs/22.0.50 (gnu/linux)

Oops, I was able to reproduce this again.  The problem is that the
clock on your KDC is slightly ahead of the client's clock.  Try to run
ntp on it.

The details are that shishi sends an AS-REQ, and receives a ticket that
isn't valid yet, and the logic then becomes confused and sends a
TGS-REQ, which for some reason doesn't succeed.  Perhaps heimdal
checks whether the client's time is within the ticket lifetime, which
it wouldn't be.

I can reproduce this if I set the heimdal KDC clock 1 minute ahead.
Syncing both client and KDC clocks makes it work again, and I can get a
service ticket.  Output against heimdal, with preauth working, below.

/Simon

address@hidden:~/src/shishi$ shishi -d;~/src/shishi/src/shishi address@hidden
2 tickets removed.
libshishi: warning: `/usr/local/etc/shishi/shishi.conf': No such file or directory
libshishi: warning: /usr/local/etc/shishi/shishi.conf: No such file or directoryEnter password for address@hidden':

address@hidden:
Authtime:       Sat Apr 22 11:10:00 2006
Endtime:        Sat Apr 22 19:09:58 2006
Server:         krbtgt/DOPIO.JOSEFSSON.ORG key aes256-cts-hmac-sha1-96 (18)
Ticket key:     aes256-cts-hmac-sha1-96 (18) protected by aes256-cts-hmac-sha1-96 (18)
Ticket flags:   INITIAL PREAUTHENT (1536)
address@hidden:~/src/shishi$ ~/src/shishi/src/shishi address@hidden host/latte
libshishi: warning: `/usr/local/etc/shishi/shishi.conf': No such file or directory
libshishi: warning: /usr/local/etc/shishi/shishi.conf: No such file or directorylibshishi: warning: KDC bug: Reply encrypted using wrong key.
address@hidden:
Authtime:       Sat Apr 22 11:10:00 2006
Starttime:      Sat Apr 22 11:10:03 2006
Endtime:        Sat Apr 22 19:09:58 2006
Server:         host/latte key aes256-cts-hmac-sha1-96 (18)
Ticket key:     aes256-cts-hmac-sha1-96 (18) protected by aes256-cts-hmac-sha1-96 (18)
Ticket flags:   PREAUTHENT TRANSITEDPOLICYCHECKED (5120)
address@hidden:~/src/shishi$
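
Added example, not part of the original message and not Shishi code: a small diagnostic that parses the time fields of a ticket listing in the layout quoted above and reports whether the ticket is already valid on the client's clock, which is the condition the message traces to a KDC clock running ahead. The sample listing, the realm EXAMPLE.ORG and the function names are constructed; the message does not say how much skew Shishi tolerates, so max_skew is a caller-supplied assumption.

```python
from datetime import datetime, timedelta
import re

# Constructed sample in the layout of the ticket listing quoted above.
SAMPLE = """\
Authtime:       Sat Apr 22 11:10:00 2006
Endtime:        Sat Apr 22 19:09:58 2006
Server:         krbtgt/EXAMPLE.ORG key aes256-cts-hmac-sha1-96 (18)
Ticket flags:   INITIAL PREAUTHENT (1536)
"""

TIME_FIELDS = ("Authtime", "Starttime", "Endtime")
FIELD_RE = re.compile(r"^(\w+):\s+(.*)$")
TIME_FORMAT = "%a %b %d %H:%M:%S %Y"  # e.g. "Sat Apr 22 11:10:00 2006"


def parse_ticket(text):
    """Return {field: datetime} for the time fields of one listed ticket."""
    times = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m and m.group(1) in TIME_FIELDS:
            times[m.group(1)] = datetime.strptime(m.group(2).strip(), TIME_FORMAT)
    return times


def check_validity(times, client_now, max_skew=timedelta(0)):
    """Classify a ticket against the client's clock.

    Returns (status, offset). For "not-yet-valid", offset is how far the
    client clock is behind the ticket's start, i.e. a lower bound on how
    far the KDC clock is ahead. max_skew is the tolerance the caller
    chooses to allow (an assumption, not a Shishi setting).
    """
    # When a listing has no Starttime, the ticket starts at Authtime.
    start = times.get("Starttime", times["Authtime"])
    if client_now + max_skew < start:
        return ("not-yet-valid", start - client_now)
    if client_now - max_skew > times["Endtime"]:
        return ("expired", client_now - times["Endtime"])
    return ("valid", timedelta(0))


if __name__ == "__main__":
    ticket = parse_ticket(SAMPLE)
    # Client clock one minute behind the KDC, as in the reproduction above.
    print(check_validity(ticket, datetime(2006, 4, 22, 11, 9, 0)))
```

Passing a non-zero max_skew shows how a tolerance window would mask the same one-minute offset rather than fix it; synchronising both clocks remains the remedy the message gives.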




