Re: "shishi user SERVICE" borked?

[Simon Josefsson]

Elrond <address@hidden> writes:

> Okay, this gets weird.
>
> Base result: shishi works.
>
>
> For the fun / which starts to confuse me:
>
> heimdal:
>     I have service accounts in my heimdal-kdc that work,
>     and I have ones, that don't. I can't really see the
>     difference.  Even doing a "cpw -r broken/service"
>     (which makes new keys), doesn't help those services.
>     Newly created principals usually work.

What's the error in the KDC log?

Can you re-try the same query a few times?  I recall problems with
negative ASN.1 integers in some field that contain random data.
Sometimes the random data result in a negative ASN.1 integer, and
there was some problem in handling them.  If the same request works
only sometimes, then this may be the cause.

> w2k3:
>     clock skew:
>       If the w2k3-box is 21seconds ahead of my local box,
>       I get some "generic error" as TGT time.
>       If my local box is about a minute ahead, I can at
>       least get a TGT.
>     service tickets:
>       Do not work.
>
>
> What would help you next? For the w2k3-kdc, I can do nearly
> everything, including sending you -v*4 and network
> captures. For the heimdal one, I have to see (it's half
> toy, half real.)

Let's start with the w2k3-kdc -v -v -v -v logs for a working TGT
request, and then one for a service ticket that fails.  Run 'shishi
-d' before, to make sure there aren't any old tickets around.

Thanks!