[OpenAFS] AIX 5.3 and aklog_dynamic_auth fail

Mike Garrison mcgarr@umich.edu
Fri, 19 Jun 2009 13:55:45 -0400


On Jun 19, 2009, at 5:17 AM, Remi Ferrand wrote:

> However I still have the same error when an ssh connection is tried :
>
> (from AFS AIX client machine)
> Jun 19 11:09:59 ccdvrs03 auth|security:debug sshd[385070]: LAM aklog
> loaded: uid 0 pag -1
> Jun 19 11:09:59 ccdvrs03 auth|security:debug sshd[385070]: LAM aklog
> starting: user testkrb5 uid 0
> Jun 19 11:09:59 ccdvrs03 auth|security:err|error sshd[385070]: LAM
> aklog: get_credv5 returns -1765328352
> Jun 19 11:09:59 ccdvrs03 auth|security:info sshd[385070]: Failed
> password for USERTEST from 134.158.71.108 port 48307 ssh2
> Jun 19 11:09:59 ccdvrs03 auth|security:info syslog: ssh: failed login
> attempt for USERTEST from YYYY.YYYYY.fr
>
> (From my KDCs logs)
> Jun 19 11:14:29 cckrb01.in2p3.fr krb5kdc[26295](info): TGS_REQ (1  
> etypes
> {1}) 134.158.105.107: PROCESS_TGS: authtime 0,  <unknown client> for
> afs/test.in2p3.fr@TEST.IN2P3.FR, Ticket expired
> Jun 19 11:14:29 cckrb01.in2p3.fr krb5kdc[26295](info): TGS_REQ (1  
> etypes
> {1}) 134.158.105.107: PROCESS_TGS: authtime 0,  <unknown client> for
> afs/test.in2p3.fr@TEST.IN2P3.FR, Ticket expired

If those are the matching log entries, I'd suggest checking the clock
on both machines. 11:09:59 vs 11:14:29 is enough of a time difference
to cause issues.

If I set my clock to be 4m 30s behind, I get 'ticket expired' versus  
'clock skew too great'.

--
Mike Garrison
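
An added example, not part of the original message or of OpenAFS: it decodes the `get_credv5` return value from the quoted sshd log as an MIT krb5 com_err code and measures the timestamp gap between the quoted client and KDC lines. Assumptions: the two lines belong to the same request, the year is 2009 (syslog timestamps carry none), and the function names are hypothetical.

```python
import re
from datetime import datetime

# MIT krb5 com_err table base; protocol error number = code - base.
KRB5_ERROR_TABLE_BASE = -1765328384
KRB5_PROTOCOL_ERRORS = {  # short excerpt of the table, time-related errors only
    32: "KRB_AP_ERR_TKT_EXPIRED (Ticket expired)",
    33: "KRB_AP_ERR_TKT_NYV (Ticket not yet valid)",
    37: "KRB_AP_ERR_SKEW (Clock skew too great)",
}
DEFAULT_CLOCKSKEW_SECONDS = 300  # MIT krb5 default for [libdefaults] clockskew

# Log lines from the quoted message, with the e-mail line wrapping undone.
CLIENT_LINE = ("Jun 19 11:09:59 ccdvrs03 auth|security:err|error sshd[385070]: "
               "LAM aklog: get_credv5 returns -1765328352")
KDC_LINE = ("Jun 19 11:14:29 cckrb01.in2p3.fr krb5kdc[26295](info): TGS_REQ "
            "(1 etypes {1}) 134.158.105.107: PROCESS_TGS: authtime 0, "
            "<unknown client> for afs/test.in2p3.fr@TEST.IN2P3.FR, Ticket expired")


def decode_krb5_code(code):
    """Map a com_err style krb5 return value to (protocol number, name)."""
    number = code - KRB5_ERROR_TABLE_BASE
    return number, KRB5_PROTOCOL_ERRORS.get(number, "not in this excerpt")


def syslog_time(line, year=2009):
    """Parse the leading 'Mon DD HH:MM:SS' stamp; the year is an assumption."""
    stamp = " ".join(line.split()[:3])
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def diagnose(client_line, kdc_line):
    """Return the decoded client error and the apparent clock offset."""
    code = int(re.search(r"returns (-?\d+)", client_line).group(1))
    number, name = decode_krb5_code(code)
    skew = (syslog_time(kdc_line) - syslog_time(client_line)).total_seconds()
    return {
        "protocol_error": number,
        "error_name": name,
        "kdc_ahead_seconds": skew,
        "within_default_clockskew": abs(skew) <= DEFAULT_CLOCKSKEW_SECONDS,
    }


if __name__ == "__main__":
    for key, value in diagnose(CLIENT_LINE, KDC_LINE).items():
        print(f"{key}: {value}")
```

Comparing the output of `date -u` on both hosts at the same moment confirms whether the gap is real clock drift or just two unrelated log entries.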