[OpenAFS-devel] Re: Need an idea on a pam-problem

Andrew Deason adeason@sinenomine.net
Thu, 11 Jul 2013 13:21:19 -0500


On Thu, 11 Jul 2013 17:07:02 +0200
Mathias Feiler <feiler@uni-hohenheim.de> wrote:

> Well, I can kinit w/o any trouble and even get my AFS-token
> thus I expect heimdal itself to be somehow ok.

It sounds like AFS itself is probably ok, too, then :)

> I have actually no idea what the term
>    "credential verification failed: encryption key has bad length"
> wants to tell me, nor where to look for some causing oddities.

That seems more like an internal error than anything you did wrong. I
assume it has to do with an encryption key being a different length than
the encryption type says it should be.

The reason why pam_krb5 is probably failing but 'kinit' is not, is
because I think pam_krb5 implementations generally do an additional
verification step against the host/* keytab (so you can't break in by
faking a KDC response).

> Does anyone else have an idea?  Any hint is very welcome.

I don't think this has anything to do with AFS; it's failing on the
pam_krb5 invocation before we get to anything AFS-related. I would ask
on a Heimdal or Kerberos list for help. This list is for development of
OpenAFS.

But if you want some guesses from me, you could try using a different
pam_krb5 (such as libpam-krb5). Or, you could try re-extracting the
host/* principals in your /etc/krb5.keytab. Those are just guesses,
though, and you would get better answers on a Kerberos-related list.

-- 
Andrew Deason
adeason@sinenomine.net
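
The guess in the message above, that a key's length does not match what its encryption type calls for, can be checked against the keytab directly. The following is an added example, not part of the original message or of any pam_krb5 or Heimdal code: a minimal reader for the standard version 0x0502 keytab file layout that lists entries whose key length differs from the usual size for their enctype. `make_entry` and `SAMPLE` are constructed test data, not real keys.

```python
import struct

# Key sizes in bytes per enctype: DES (1-3), 3DES (16), AES128/256 (17/18), RC4 (23).
EXPECTED_KEY_LEN = {1: 8, 2: 8, 3: 8, 16: 24, 17: 16, 18: 32, 23: 16}

def _counted(rec, off):
    """Read a 16-bit length-prefixed string; return (text, next offset)."""
    (n,) = struct.unpack_from(">H", rec, off)
    return rec[off + 2:off + 2 + n].decode("utf-8", "replace"), off + 2 + n

def parse_keytab(data):
    """Yield (principal, kvno, enctype, key_len) per entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        rec, pos = data[pos + 4:pos + 4 + abs(size)], pos + 4 + abs(size)
        if size == 0:                    # zero-length record: nothing further
            break
        if size < 0:                     # negative size marks a deleted slot
            continue
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, off = _counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            name, off = _counted(rec, off)
            comps.append(name)
        off += 8                         # skip name type and timestamp
        kvno = rec[off]                  # 8-bit key version number
        enctype, klen = struct.unpack_from(">HH", rec, off + 1)
        off += 5 + klen                  # kvno byte, enctype, length, key bytes
        if len(rec) - off >= 4:          # optional 32-bit kvno overrides 8-bit
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        yield "/".join(comps) + "@" + realm, kvno, enctype, klen

def bad_length_entries(data):
    """Entries whose stored key length disagrees with the enctype's key size."""
    return [e for e in parse_keytab(data) if EXPECTED_KEY_LEN.get(e[2], e[3]) != e[3]]

def make_entry(enctype, key, realm="EXAMPLE.ORG",
               comps=("host", "client.example.org"), kvno=3):
    """Build one constructed keytab record (sample data, not a real key)."""
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", len(comps)) + cs(realm) + b"".join(map(cs, comps))
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: a well-formed aes256 entry, then an aes128 entry with 8 key bytes.
SAMPLE = b"\x05\x02" + make_entry(18, bytes(32)) + make_entry(17, bytes(8))
```

To check a real host, pass the bytes of `/etc/krb5.keytab` (read as root) to `bad_length_entries`; an empty list means every key of a known enctype has the expected length.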