<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/15/2013 10:06 AM, Dale Macartney wrote: > > > On 03/15/2013 10:03 AM, Dale Macartney wrote: > > > > On 03/15/2013 09:52 AM, Sumit Bose wrote: > > > On Fri, Mar 15, 2013 at 09:38:04AM +0000, Dale Macartney wrote: > > >> > > > Morning all > > > > I have setup the domain trust set up and have errors when trying to map > > > groups from AD to IPA > > > > Environment is IPA 3.0 on RHEL 6.4 and Windows 2012 > > > > When adding groups, I get the following. > > > > [root@ds01 ~]# ipa group-add --desc='Active Directory Domain Admins > > > external map' domain_admins_map --external > > > [root@ds01 ~]# ipa group-add-member domain_admins_map --external > > > 'NT\Domain Admins' > > > [member user]: > > > [member group]: > > > ipa: ERROR: cannot connect to > > > u'<a class="moz-txt-link-freetext" href="https://ds01.example.com/ipa/session/xml">https://ds01.example.com/ipa/session/xml</a>': Internal Server Error > > > [root@ds01 ~]# > > > > When the above error occurs I see the following in /var/log/httpd/error_log > > > > ==> /var/log/httpd/error_log <== > > > [Fri Mar 15 09:35:15 2013] [error] ipa: ERROR: release_ipa_ccache: > > > ccache_name (<a class="moz-txt-link-freetext" href="FILE:/var/run/ipa_memcached/krbcc_5374">FILE:/var/run/ipa_memcached/krbcc_5374</a>) != KRB5CCNAME > > > environment variable (/var/run/ipa_memcached/krbcc_TDN) > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] mod_wsgi > > > (pid=5374): Exception occurred processing WSGI script > > > '/usr/share/ipa/wsgi.py'. > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] Traceback (most > > > recent call last): > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File > > > "/usr/share/ipa/wsgi.py", line 49, in application > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return > > > api.Backend.wsgi_dispatch(environ, start_response) > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File > > > "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 248, in > > > __call__ > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return > > > self.route(environ, start_response) > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File > > > "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 260, in > > > route > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return > > > app(environ, start_response) > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File > > > "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 1193, in > > > __call__ > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response = > > > super(xmlserver_session, self).__call__(environ, start_response) > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File > > > "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 709, in > > > __call__ > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response = > > > super(xmlserver, self).__call__(environ, start_response) > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File > > > "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 375, in > > > __call__ > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] response = > > > self.wsgi_execute(environ) > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File > > > "/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line 334, in > > > wsgi_execute > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] result = > > > self.Command[name](*args, **options) > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File > > > "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in __call__ > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] ret = > > > self.run(*args, **options) > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File > > > "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 747, in run > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return > > > self.execute(*args, **options) > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File > > > "/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py", line > > > 1590, in execute > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] **options) > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File > > > "/usr/lib/python2.6/site-packages/ipalib/plugins/group.py", line 387, in > > > post_callback > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] actual_sid = > > > domain_validator.get_sid_trusted_domain_object(sid) > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File > > > "/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 212, in > > > get_sid_trusted_domain_object > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] entry = > > > self.resolve_against_gc(domain, components['name']) > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File > > > "/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 285, in > > > resolve_against_gc > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] entry = > > > self.__resolve_against_gc(info, host, port, name) > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File > > > "/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 315, in > > > __resolve_against_gc > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] > > > conn.sasl_interactive_bind_s(None, sasl_auth) > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File > > > "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 566, > > > in sasl_interactive_bind_s > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return > > > self.conn.sasl_interactive_bind_s(who, auth, serverctrls, clientctrls, > > > sasl_flags) > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File > > > "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 227, in > > > sasl_interactive_bind_s > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] return > > > self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls),sasl_flags) > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] File > > > "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 96, in > > > _ldap_call > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] result = > > > func(*args,**kwargs) > > > [Fri Mar 15 09:35:15 2013] [error] [client 10.0.1.11] LOCAL_ERROR: > > > {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS > > > failure. Minor code may provide more information (Server > > > <a class="moz-txt-link-abbreviated" href="mailto:ldap/dc01.nt.example.com@EXAMPLE.COM">ldap/dc01.nt.example.com@EXAMPLE.COM</a> not found in Kerberos database)', > > > 'desc': 'Local error'} > > > > > Lokks like your AD domain is DNS-wise a subdomain of the FreeIPA domain > > > > example.dom. Please try to add something like > > > > > .nt.example.com = NT.EXAMPLE.COM > > > > nt.example.com = NT.EXAMPLE.COM > > > > > to the [domain_realm] section in /etc/krb5.conf. SSSD should have > > > > created an include file with this information, but due to some errors it > > > > is not read in the 6.4 version. > > > > > HTH > > > > > bye, > > > > Sumit > > No joy unfortunately mate. I tried adding it to both the ipa server and the member server but still no change. logs are still appearing as before. > > > Dale > Looks like I spoke to soon. I tried again about 10 seconds later and now it works. > > Thanks for the suggestion :-) > > > > > > Just to clarify, iptables has been flushed and selinux is currently > > > permissive. Running latest patches from RHN as of 2013/03/14 > > > > Any thoughts? > > > > Dale > > > >> > > >> _______________________________________________ > > >> Freeipa-users mailing list > > >> <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> > > >> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > > > > Now for the next round of logs I have the environment set up as follows IPA Domain: example.com IPA server: ds01.example.com/10.0.1.11 Squid Proxy: proxy.example.com (set up according to <a class="moz-txt-link-freetext" href="https://www.dalemacartney.com/2012/07/05/squid-proxy-integration-with-freeipa-authenticated-users-with-kerberos-single-sign-on/">https://www.dalemacartney.com/2012/07/05/squid-proxy-integration-with-freeipa-authenticated-users-with-kerberos-single-sign-on/</a>) Postfix Server: mail.example.com (set up according to <a class="moz-txt-link-freetext" href="https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/">https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/</a>) AD Domain: nt.example.com Domain Controller: ds01.example.com/10.0.2.11 Workstation: workstation01.nt.example.com (Win7) RHEL member server: member01.nt.example.com (set up according to <a class="moz-txt-link-freetext" href="https://www.dalemacartney.com/2012/07/06/how-to-quickly-and-easily-add-a-red-hat-enterprise-linux-6-system-to-microsoft-active-directory/">https://www.dalemacartney.com/2012/07/06/how-to-quickly-and-easily-add-a-red-hat-enterprise-linux-6-system-to-microsoft-active-directory/</a>) The trust is setup. The domain admins group is mapped successfully to IPA... HBAC rules of IPA are as follows [root@ds01 ~]# ipa hbacrule-find - ------------------- 1 HBAC rule matched - ------------------- Rule name: allow_all User category: all Host category: all Source host category: all Service category: all Description: Allow all users to access any host from any host Enabled: TRUE - ---------------------------- Number of entries returned 1 - ---------------------------- [root@ds01 ~]# When I ssh from member01.nt.example.com (logged in as the domain administrator), the below logs appear in the /var/log/krb5kdc.log Mar 15 12:51:39 ds01.example.com krb5kdc[5224](Error): PAC Info mismatch: domain = nt.example.com, expected domain SID = S-1-5-21-2880953931-2806133027-2380768902, found domain SID = S-1-5-21-195870719-1427277748-2096390971 Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): authdata (kdb) handling failure: Invalid argument Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ : handle_authdata (22) Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.1.254: HANDLE_AUTHDATA: authtime 1363351776, <a class="moz-txt-link-abbreviated" href="mailto:administrator@NT.EXAMPLE.COM">administrator@NT.EXAMPLE.COM</a> for <a class="moz-txt-link-abbreviated" href="mailto:host/proxy.example.com@EXAMPLE.COM">host/proxy.example.com@EXAMPLE.COM</a>, Invalid argument Mar 15 12:51:39 ds01.example.com krb5kdc[5224](Error): PAC Info mismatch: domain = nt.example.com, expected domain SID = S-1-5-21-2880953931-2806133027-2380768902, found domain SID = S-1-5-21-195870719-1427277748-2096390971 Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): authdata (kdb) handling failure: Invalid argument Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ : handle_authdata (22) Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.1.254: HANDLE_AUTHDATA: authtime 1363351776, <a class="moz-txt-link-abbreviated" href="mailto:administrator@NT.EXAMPLE.COM">administrator@NT.EXAMPLE.COM</a> for <a class="moz-txt-link-abbreviated" href="mailto:host/proxy.example.com@EXAMPLE.COM">host/proxy.example.com@EXAMPLE.COM</a>, Invalid argument Mar 15 12:51:39 ds01.example.com krb5kdc[5224](Error): PAC Info mismatch: domain = nt.example.com, expected domain SID = S-1-5-21-2880953931-2806133027-2380768902, found domain SID = S-1-5-21-195870719-1427277748-2096390971 Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): authdata (kdb) handling failure: Invalid argument Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ : handle_authdata (22) Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.1.254: HANDLE_AUTHDATA: authtime 1363351776, <a class="moz-txt-link-abbreviated" href="mailto:administrator@NT.EXAMPLE.COM">administrator@NT.EXAMPLE.COM</a> for <a class="moz-txt-link-abbreviated" href="mailto:host/proxy.example.com@EXAMPLE.COM">host/proxy.example.com@EXAMPLE.COM</a>, Invalid argument Mar 15 12:51:39 ds01.example.com krb5kdc[5224](Error): PAC Info mismatch: domain = nt.example.com, expected domain SID = S-1-5-21-2880953931-2806133027-2380768902, found domain SID = S-1-5-21-195870719-1427277748-2096390971 Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): authdata (kdb) handling failure: Invalid argument Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ : handle_authdata (22) Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.1.254: HANDLE_AUTHDATA: authtime 1363351776, <a class="moz-txt-link-abbreviated" href="mailto:administrator@NT.EXAMPLE.COM">administrator@NT.EXAMPLE.COM</a> for <a class="moz-txt-link-abbreviated" href="mailto:host/proxy.example.com@EXAMPLE.COM">host/proxy.example.com@EXAMPLE.COM</a>, Invalid argument Mar 15 12:51:39 ds01.example.com krb5kdc[5224](Error): PAC Info mismatch: domain = nt.example.com, expected domain SID = S-1-5-21-2880953931-2806133027-2380768902, found domain SID = S-1-5-21-195870719-1427277748-2096390971 Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): authdata (kdb) handling failure: Invalid argument Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ : handle_authdata (22) Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.1.254: HANDLE_AUTHDATA: authtime 1363351776, <a class="moz-txt-link-abbreviated" href="mailto:administrator@NT.EXAMPLE.COM">administrator@NT.EXAMPLE.COM</a> for <a class="moz-txt-link-abbreviated" href="mailto:host/proxy.example.com@EXAMPLE.COM">host/proxy.example.com@EXAMPLE.COM</a>, Invalid argument Mar 15 12:51:39 ds01.example.com krb5kdc[5224](Error): PAC Info mismatch: domain = nt.example.com, expected domain SID = S-1-5-21-2880953931-2806133027-2380768902, found domain SID = S-1-5-21-195870719-1427277748-2096390971 Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): authdata (kdb) handling failure: Invalid argument Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ : handle_authdata (22) Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.1.254: HANDLE_AUTHDATA: authtime 1363351776, <a class="moz-txt-link-abbreviated" href="mailto:administrator@NT.EXAMPLE.COM">administrator@NT.EXAMPLE.COM</a> for <a class="moz-txt-link-abbreviated" href="mailto:host/proxy.example.com@EXAMPLE.COM">host/proxy.example.com@EXAMPLE.COM</a>, Invalid argument Domain administrators ticket lis is as follows [administrator@member01 ~]$ klist Ticket cache: <a class="moz-txt-link-freetext" href="FILE:/tmp/krb5cc_10000500_dPQPno">FILE:/tmp/krb5cc_10000500_dPQPno</a> Default principal: <a class="moz-txt-link-abbreviated" href="mailto:administrator@NT.EXAMPLE.COM">administrator@NT.EXAMPLE.COM</a> Valid starting Expires Service principal 03/15/13 12:49:34 03/15/13 22:49:36 <a class="moz-txt-link-abbreviated" href="mailto:krbtgt/NT.EXAMPLE.COM@NT.EXAMPLE.COM">krbtgt/NT.EXAMPLE.COM@NT.EXAMPLE.COM</a> renew until 03/22/13 12:49:34 03/15/13 12:49:55 03/15/13 22:49:36 <a class="moz-txt-link-abbreviated" href="mailto:krbtgt/EXAMPLE.COM@NT.EXAMPLE.COM">krbtgt/EXAMPLE.COM@NT.EXAMPLE.COM</a> renew until 03/22/13 12:49:34 [administrator@member01 ~]$ and ssh command returns the below when running in verbose [administrator@member01 ~]$ ssh -l <a class="moz-txt-link-abbreviated" href="mailto:administrator@nt.example.com">administrator@nt.example.com</a> proxy.example.com -vvv OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug2: ssh_connect: needpriv 0 debug1: Connecting to proxy.example.com [10.0.1.22] port 22. debug1: Connection established. debug1: identity file /home/administrator/.ssh/identity type -1 debug1: identity file /home/administrator/.ssh/id_rsa type -1 debug1: identity file /home/administrator/.ssh/id_dsa type -1 debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3 debug1: match: OpenSSH_5.3 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.3 debug2: fd 4 setting O_NONBLOCK debug1: SSH2_MSG_KEXINIT sent debug3: Wrote 792 bytes for a total of 813 debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,<a class="moz-txt-link-abbreviated" href="mailto:rijndael-cbc@lysator.liu.se">rijndael-cbc@lysator.liu.se</a> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,<a class="moz-txt-link-abbreviated" href="mailto:rijndael-cbc@lysator.liu.se">rijndael-cbc@lysator.liu.se</a> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,<a class="moz-txt-link-abbreviated" href="mailto:umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96">umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96</a> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,<a class="moz-txt-link-abbreviated" href="mailto:umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96">umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96</a> debug2: kex_parse_kexinit: none,<a class="moz-txt-link-abbreviated" href="mailto:zlib@openssh.com,zlib">zlib@openssh.com,zlib</a> debug2: kex_parse_kexinit: none,<a class="moz-txt-link-abbreviated" href="mailto:zlib@openssh.com,zlib">zlib@openssh.com,zlib</a> debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,<a class="moz-txt-link-abbreviated" href="mailto:rijndael-cbc@lysator.liu.se">rijndael-cbc@lysator.liu.se</a> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,<a class="moz-txt-link-abbreviated" href="mailto:rijndael-cbc@lysator.liu.se">rijndael-cbc@lysator.liu.se</a> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,<a class="moz-txt-link-abbreviated" href="mailto:umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96">umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96</a> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,<a class="moz-txt-link-abbreviated" href="mailto:umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96">umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96</a> debug2: kex_parse_kexinit: none,<a class="moz-txt-link-abbreviated" href="mailto:zlib@openssh.com">zlib@openssh.com</a> debug2: kex_parse_kexinit: none,<a class="moz-txt-link-abbreviated" href="mailto:zlib@openssh.com">zlib@openssh.com</a> debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_setup: found hmac-md5 debug1: kex: server->client aes128-ctr hmac-md5 none debug2: mac_setup: found hmac-md5 debug1: kex: client->server aes128-ctr hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug3: Wrote 24 bytes for a total of 837 debug2: dh_gen_key: priv key bits set: 141/256 debug2: bits set: 525/1024 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug3: Wrote 144 bytes for a total of 981 debug3: check_host_in_hostfile: filename /home/administrator/.ssh/known_hosts debug3: check_host_in_hostfile: match line 1 debug3: check_host_in_hostfile: filename /home/administrator/.ssh/known_hosts debug3: check_host_in_hostfile: match line 1 debug1: Host 'proxy.example.com' is known and matches the RSA host key. debug1: Found key in /home/administrator/.ssh/known_hosts:1 debug2: bits set: 531/1024 debug1: ssh_rsa_verify: signature correct debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug3: Wrote 16 bytes for a total of 997 debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug3: Wrote 48 bytes for a total of 1045 debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /home/administrator/.ssh/identity ((nil)) debug2: key: /home/administrator/.ssh/id_rsa ((nil)) debug2: key: /home/administrator/.ssh/id_dsa ((nil)) debug3: Wrote 96 bytes for a total of 1141 debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_lookup gssapi-keyex debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-keyex debug1: Next authentication method: gssapi-keyex debug1: No valid Key exchange context debug2: we did not send a packet, disable method debug3: authmethod_lookup gssapi-with-mic debug3: remaining preferred: publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-with-mic debug1: Next authentication method: gssapi-with-mic debug3: Trying to reverse map address 10.0.1.22. debug1: Unspecified GSS failure. Minor code may provide more information KDC returned error string: HANDLE_AUTHDATA debug1: Unspecified GSS failure. Minor code may provide more information KDC returned error string: HANDLE_AUTHDATA debug1: Unspecified GSS failure. Minor code may provide more information debug2: we sent a gssapi-with-mic packet, wait for reply debug3: Wrote 112 bytes for a total of 1253 debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug2: we did not send a packet, disable method debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Trying private key: /home/administrator/.ssh/identity debug3: no such identity: /home/administrator/.ssh/identity debug1: Trying private key: /home/administrator/.ssh/id_rsa debug3: no such identity: /home/administrator/.ssh/id_rsa debug1: Trying private key: /home/administrator/.ssh/id_dsa debug3: no such identity: /home/administrator/.ssh/id_dsa debug2: we did not send a packet, disable method debug3: authmethod_lookup password debug3: remaining preferred: ,password debug3: authmethod_is_enabled password debug1: Next authentication method: password <a class="moz-txt-link-abbreviated" href="mailto:administrator@nt.example.com@proxy.example.com">administrator@nt.example.com@proxy.example.com</a>'s password: Any ideas what KDC returned error string: HANDLE_AUTHDATA means? Dale -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) Comment: Using GnuPG with Thunderbird - <a class="moz-txt-link-freetext" href="http://www.enigmail.net/">http://www.enigmail.net/</a> iQIcBAEBAgAGBQJRQxtIAAoJEAJsWS61tB+qFBQP/3oUydnPGv1mS18yEsebruhR LG/Pwzsx9N5hIu/0amsToI6qrhSvwJbRp5ER4f+emxx9Jg1dBl5h4MxBkXIx33CE uoNifk8b80G3aFcS+j255oNPBLAjisC87fdsfPz0g72wLtmSSC5DuTwGSzF98QS1 H2y4MOytLvDP0HKJ+PNtdXNf6t+s5IRgPJnhzjvkS43TjFO1Z0kNqBgwWa7L7588 7xWd3SFZga3FUmTjrovhm5NKjg5Y32S56NzjC3FOWw06sUDRvISCEb0eZk+cbSWw EE2/icNepyharbNOSCSmveFa+ostSwIA0pkr5Kie4xsRipfaq9J+ZCcBFb363VB+ oa2/W9G5eBLGDr3JXHSg2vvlHdzMjazrOQN3XM58Aehym8hyEXdmanKPlq1Rz3zx /ncpF4EM0h9Y/gG1yBvhPFDlsHFXnFQZh2EhI+G30gVrzSxAYjlN3ZEiiF33afcQ 9yBM1LJTX77zf06b4/IXMuhFJclx5kpqf1h3QgMKGnC+2Gawd8jU90JdawOaFykJ u4CWk+br8uVjS4KPXV0XIAGIM5D/yF0zWFydNyvTlna4cZ13LUO8biaQjatg028E pk6GPFNlxPSiBFlx0zLofQFGa4IxPx9rDW2VRVrgSs+n3G8OyO+t0wlM0o2TJp/X /bj0xc33I2KTYUtUbY4L =UFDR -----END PGP SIGNATURE----- </body> </html>