<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
On 03/15/2013 10:06 AM, Dale Macartney wrote:<br>
<span style="white-space: pre;">><br>
><br>
> On 03/15/2013 10:03 AM, Dale Macartney wrote:<br>
><br>
><br>
> > On 03/15/2013 09:52 AM, Sumit Bose wrote:<br>
> > > On Fri, Mar 15, 2013 at 09:38:04AM +0000, Dale
Macartney wrote:<br>
> > >><br>
> > > Morning all<br>
><br>
> > > I have set up the domain trust and have
errors when trying to map<br>
> > > groups from AD to IPA<br>
><br>
> > > Environment is IPA 3.0 on RHEL 6.4 and Windows 2012<br>
><br>
> > > When adding groups, I get the following.<br>
><br>
> > > [root@ds01 ~]# ipa group-add --desc='Active
Directory Domain Admins<br>
> > > external map' domain_admins_map --external<br>
> > > [root@ds01 ~]# ipa group-add-member
domain_admins_map --external<br>
> > > 'NT\Domain Admins'<br>
> > > [member user]:<br>
> > > [member group]:<br>
> > > ipa: ERROR: cannot connect to<br>
> > > u'<a class="moz-txt-link-freetext" href="https://ds01.example.com/ipa/session/xml">https://ds01.example.com/ipa/session/xml</a>':
Internal Server Error<br>
> > > [root@ds01 ~]#<br>
><br>
> > > When the above error occurs I see the following in
/var/log/httpd/error_log<br>
><br>
> > > ==> /var/log/httpd/error_log <==<br>
> > > [Fri Mar 15 09:35:15 2013] [error] ipa: ERROR:
release_ipa_ccache:<br>
> > > ccache_name
(<a class="moz-txt-link-freetext" href="FILE:/var/run/ipa_memcached/krbcc_5374">FILE:/var/run/ipa_memcached/krbcc_5374</a>) != KRB5CCNAME<br>
> > > environment variable
(/var/run/ipa_memcached/krbcc_TDN)<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] mod_wsgi<br>
> > > (pid=5374): Exception occurred processing WSGI
script<br>
> > > '/usr/share/ipa/wsgi.py'.<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] Traceback (most<br>
> > > recent call last):<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] File<br>
> > > "/usr/share/ipa/wsgi.py", line 49, in application<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] return<br>
> > > api.Backend.wsgi_dispatch(environ, start_response)<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] File<br>
> > >
"/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line
248, in<br>
> > > __call__<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] return<br>
> > > self.route(environ, start_response)<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] File<br>
> > >
"/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line
260, in<br>
> > > route<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] return<br>
> > > app(environ, start_response)<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] File<br>
> > >
"/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line
1193, in<br>
> > > __call__<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] response =<br>
> > > super(xmlserver_session, self).__call__(environ,
start_response)<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] File<br>
> > >
"/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line
709, in<br>
> > > __call__<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] response =<br>
> > > super(xmlserver, self).__call__(environ,
start_response)<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] File<br>
> > >
"/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line
375, in<br>
> > > __call__<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] response =<br>
> > > self.wsgi_execute(environ)<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] File<br>
> > >
"/usr/lib/python2.6/site-packages/ipaserver/rpcserver.py", line
334, in<br>
> > > wsgi_execute<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] result =<br>
> > > self.Command[name](*args, **options)<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] File<br>
> > >
"/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435,
in __call__<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] ret =<br>
> > > self.run(*args, **options)<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] File<br>
> > >
"/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 747,
in run<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] return<br>
> > > self.execute(*args, **options)<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] File<br>
> > >
"/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py",
line<br>
> > > 1590, in execute<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] **options)<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] File<br>
> > >
"/usr/lib/python2.6/site-packages/ipalib/plugins/group.py", line
387, in<br>
> > > post_callback<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] actual_sid =<br>
> > > domain_validator.get_sid_trusted_domain_object(sid)<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] File<br>
> > >
"/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 212,
in<br>
> > > get_sid_trusted_domain_object<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] entry =<br>
> > > self.resolve_against_gc(domain, components['name'])<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] File<br>
> > >
"/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 285,
in<br>
> > > resolve_against_gc<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] entry =<br>
> > > self.__resolve_against_gc(info, host, port, name)<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] File<br>
> > >
"/usr/lib/python2.6/site-packages/ipaserver/dcerpc.py", line 315,
in<br>
> > > __resolve_against_gc<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11]<br>
> > > conn.sasl_interactive_bind_s(None, sasl_auth)<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] File<br>
> > >
"/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py",
line 566,<br>
> > > in sasl_interactive_bind_s<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] return<br>
> > > self.conn.sasl_interactive_bind_s(who, auth,
serverctrls, clientctrls,<br>
> > > sasl_flags)<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] File<br>
> > >
"/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 227,
in<br>
> > > sasl_interactive_bind_s<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] return<br>
> > >
self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls),sasl_flags)<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] File<br>
> > >
"/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 96,
in<br>
> > > _ldap_call<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] result =<br>
> > > func(*args,**kwargs)<br>
> > > [Fri Mar 15 09:35:15 2013] [error] [client
10.0.1.11] LOCAL_ERROR:<br>
> > > {'info': 'SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS<br>
> > > failure. Minor code may provide more information
(Server<br>
> > > <a class="moz-txt-link-abbreviated" href="mailto:ldap/dc01.nt.example.com@EXAMPLE.COM">ldap/dc01.nt.example.com@EXAMPLE.COM</a> not found in
Kerberos database)',<br>
> > > 'desc': 'Local error'}<br>
><br>
> > > > Looks like your AD domain is DNS-wise a
subdomain of the FreeIPA domain<br>
> > > > example.dom. Please try to add something like<br>
><br>
> > > > .nt.example.com = NT.EXAMPLE.COM<br>
> > > > nt.example.com = NT.EXAMPLE.COM<br>
><br>
> > > > to the [domain_realm] section in
/etc/krb5.conf. SSSD should have<br>
> > > > created an include file with this information,
but due to some errors it<br>
> > > > is not read in the 6.4 version.<br>
><br>
> > > > HTH<br>
><br>
> > > > bye,<br>
> > > > Sumit<br>
> > No joy unfortunately mate. I tried adding it to both the
ipa server and the member server but still no change. logs are
still appearing as before.<br>
><br>
> > Dale<br>
> Looks like I spoke too soon. I tried again about 10 seconds
later and now it works.<br>
><br>
> Thanks for the suggestion :-)<br>
><br>
><br>
><br>
> > > Just to clarify, iptables has been flushed and
selinux is currently<br>
> > > permissive. Running latest patches from RHN as of
2013/03/14<br>
><br>
> > > Any thoughts?<br>
><br>
> > > Dale<br>
><br>
> > >><br>
><br>
><br>
><br>
></span><br>
<br>
<br>
Now for the next round of logs<br>
<br>
I have the environment set up as follows<br>
<br>
IPA Domain: example.com<br>
IPA server: ds01.example.com/10.0.1.11<br>
Squid Proxy: proxy.example.com (set up according to
<a class="moz-txt-link-freetext" href="https://www.dalemacartney.com/2012/07/05/squid-proxy-integration-with-freeipa-authenticated-users-with-kerberos-single-sign-on/">https://www.dalemacartney.com/2012/07/05/squid-proxy-integration-with-freeipa-authenticated-users-with-kerberos-single-sign-on/</a>)<br>
Postfix Server: mail.example.com (set up according to
<a class="moz-txt-link-freetext" href="https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/">https://www.dalemacartney.com/2013/03/14/deploying-postfix-with-ldap-freeipa-virtual-aliases-and-kerberos-authentication/</a>)<br>
<br>
AD Domain: nt.example.com<br>
Domain Controller: ds01.example.com/10.0.2.11<br>
Workstation: workstation01.nt.example.com (Win7)<br>
RHEL member server: member01.nt.example.com (set up according to
<a class="moz-txt-link-freetext" href="https://www.dalemacartney.com/2012/07/06/how-to-quickly-and-easily-add-a-red-hat-enterprise-linux-6-system-to-microsoft-active-directory/">https://www.dalemacartney.com/2012/07/06/how-to-quickly-and-easily-add-a-red-hat-enterprise-linux-6-system-to-microsoft-active-directory/</a>)<br>
<br>
The trust is set up. The domain admins group is mapped successfully
to IPA...<br>
<br>
HBAC rules of IPA are as follows<br>
<br>
[root@ds01 ~]# ipa hbacrule-find<br>
-------------------<br>
1 HBAC rule matched<br>
-------------------<br>
Rule name: allow_all<br>
User category: all<br>
Host category: all<br>
Source host category: all<br>
Service category: all<br>
Description: Allow all users to access any host from any host<br>
Enabled: TRUE<br>
----------------------------<br>
Number of entries returned 1<br>
----------------------------<br>
[root@ds01 ~]#<br>
<br>
<br>
<br>
When I ssh from member01.nt.example.com (logged in as the domain
administrator), the below logs appear in the /var/log/krb5kdc.log<br>
<br>
<br>
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](Error): PAC Info
mismatch: domain = nt.example.com, expected domain SID =
S-1-5-21-2880953931-2806133027-2380768902, found domain SID =
S-1-5-21-195870719-1427277748-2096390971<br>
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): authdata (kdb)
handling failure: Invalid argument<br>
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ :
handle_authdata (22)<br>
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ (4
etypes {18 17 16 23}) 10.0.1.254: HANDLE_AUTHDATA: authtime
1363351776, <a class="moz-txt-link-abbreviated" href="mailto:administrator@NT.EXAMPLE.COM">administrator@NT.EXAMPLE.COM</a> for
<a class="moz-txt-link-abbreviated" href="mailto:host/proxy.example.com@EXAMPLE.COM">host/proxy.example.com@EXAMPLE.COM</a>, Invalid argument<br>
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](Error): PAC Info
mismatch: domain = nt.example.com, expected domain SID =
S-1-5-21-2880953931-2806133027-2380768902, found domain SID =
S-1-5-21-195870719-1427277748-2096390971<br>
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): authdata (kdb)
handling failure: Invalid argument<br>
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ :
handle_authdata (22)<br>
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ (4
etypes {18 17 16 23}) 10.0.1.254: HANDLE_AUTHDATA: authtime
1363351776, <a class="moz-txt-link-abbreviated" href="mailto:administrator@NT.EXAMPLE.COM">administrator@NT.EXAMPLE.COM</a> for
<a class="moz-txt-link-abbreviated" href="mailto:host/proxy.example.com@EXAMPLE.COM">host/proxy.example.com@EXAMPLE.COM</a>, Invalid argument<br>
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](Error): PAC Info
mismatch: domain = nt.example.com, expected domain SID =
S-1-5-21-2880953931-2806133027-2380768902, found domain SID =
S-1-5-21-195870719-1427277748-2096390971<br>
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): authdata (kdb)
handling failure: Invalid argument<br>
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ :
handle_authdata (22)<br>
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ (4
etypes {18 17 16 23}) 10.0.1.254: HANDLE_AUTHDATA: authtime
1363351776, <a class="moz-txt-link-abbreviated" href="mailto:administrator@NT.EXAMPLE.COM">administrator@NT.EXAMPLE.COM</a> for
<a class="moz-txt-link-abbreviated" href="mailto:host/proxy.example.com@EXAMPLE.COM">host/proxy.example.com@EXAMPLE.COM</a>, Invalid argument<br>
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](Error): PAC Info
mismatch: domain = nt.example.com, expected domain SID =
S-1-5-21-2880953931-2806133027-2380768902, found domain SID =
S-1-5-21-195870719-1427277748-2096390971<br>
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): authdata (kdb)
handling failure: Invalid argument<br>
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ :
handle_authdata (22)<br>
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ (4
etypes {18 17 16 23}) 10.0.1.254: HANDLE_AUTHDATA: authtime
1363351776, <a class="moz-txt-link-abbreviated" href="mailto:administrator@NT.EXAMPLE.COM">administrator@NT.EXAMPLE.COM</a> for
<a class="moz-txt-link-abbreviated" href="mailto:host/proxy.example.com@EXAMPLE.COM">host/proxy.example.com@EXAMPLE.COM</a>, Invalid argument<br>
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](Error): PAC Info
mismatch: domain = nt.example.com, expected domain SID =
S-1-5-21-2880953931-2806133027-2380768902, found domain SID =
S-1-5-21-195870719-1427277748-2096390971<br>
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): authdata (kdb)
handling failure: Invalid argument<br>
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ :
handle_authdata (22)<br>
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ (4
etypes {18 17 16 23}) 10.0.1.254: HANDLE_AUTHDATA: authtime
1363351776, <a class="moz-txt-link-abbreviated" href="mailto:administrator@NT.EXAMPLE.COM">administrator@NT.EXAMPLE.COM</a> for
<a class="moz-txt-link-abbreviated" href="mailto:host/proxy.example.com@EXAMPLE.COM">host/proxy.example.com@EXAMPLE.COM</a>, Invalid argument<br>
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](Error): PAC Info
mismatch: domain = nt.example.com, expected domain SID =
S-1-5-21-2880953931-2806133027-2380768902, found domain SID =
S-1-5-21-195870719-1427277748-2096390971<br>
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): authdata (kdb)
handling failure: Invalid argument<br>
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ :
handle_authdata (22)<br>
Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ (4
etypes {18 17 16 23}) 10.0.1.254: HANDLE_AUTHDATA: authtime
1363351776, <a class="moz-txt-link-abbreviated" href="mailto:administrator@NT.EXAMPLE.COM">administrator@NT.EXAMPLE.COM</a> for
<a class="moz-txt-link-abbreviated" href="mailto:host/proxy.example.com@EXAMPLE.COM">host/proxy.example.com@EXAMPLE.COM</a>, Invalid argument<br>
<br>
<br>
Domain administrator's ticket list is as follows<br>
<br>
[administrator@member01 ~]$ klist<br>
Ticket cache: <a class="moz-txt-link-freetext" href="FILE:/tmp/krb5cc_10000500_dPQPno">FILE:/tmp/krb5cc_10000500_dPQPno</a><br>
Default principal: <a class="moz-txt-link-abbreviated" href="mailto:administrator@NT.EXAMPLE.COM">administrator@NT.EXAMPLE.COM</a><br>
<br>
Valid starting Expires Service principal<br>
03/15/13 12:49:34 03/15/13 22:49:36
<a class="moz-txt-link-abbreviated" href="mailto:krbtgt/NT.EXAMPLE.COM@NT.EXAMPLE.COM">krbtgt/NT.EXAMPLE.COM@NT.EXAMPLE.COM</a><br>
renew until 03/22/13 12:49:34<br>
03/15/13 12:49:55 03/15/13 22:49:36
<a class="moz-txt-link-abbreviated" href="mailto:krbtgt/EXAMPLE.COM@NT.EXAMPLE.COM">krbtgt/EXAMPLE.COM@NT.EXAMPLE.COM</a><br>
renew until 03/22/13 12:49:34<br>
[administrator@member01 ~]$<br>
<br>
and ssh command returns the below when running in verbose<br>
<br>
[administrator@member01 ~]$ ssh -l <a class="moz-txt-link-abbreviated" href="mailto:administrator@nt.example.com">administrator@nt.example.com</a>
proxy.example.com -vvv<br>
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010<br>
debug1: Reading configuration data /etc/ssh/ssh_config<br>
debug1: Applying options for *<br>
debug2: ssh_connect: needpriv 0<br>
debug1: Connecting to proxy.example.com [10.0.1.22] port 22.<br>
debug1: Connection established.<br>
debug1: identity file /home/administrator/.ssh/identity type -1<br>
debug1: identity file /home/administrator/.ssh/id_rsa type -1<br>
debug1: identity file /home/administrator/.ssh/id_dsa type -1<br>
debug1: Remote protocol version 2.0, remote software version
OpenSSH_5.3<br>
debug1: match: OpenSSH_5.3 pat OpenSSH*<br>
debug1: Enabling compatibility mode for protocol 2.0<br>
debug1: Local version string SSH-2.0-OpenSSH_5.3<br>
debug2: fd 4 setting O_NONBLOCK<br>
debug1: SSH2_MSG_KEXINIT sent<br>
debug3: Wrote 792 bytes for a total of 813<br>
debug1: SSH2_MSG_KEXINIT received<br>
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1<br>
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss<br>
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,<a class="moz-txt-link-abbreviated" href="mailto:rijndael-cbc@lysator.liu.se">rijndael-cbc@lysator.liu.se</a><br>
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,<a class="moz-txt-link-abbreviated" href="mailto:rijndael-cbc@lysator.liu.se">rijndael-cbc@lysator.liu.se</a><br>
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,<a class="moz-txt-link-abbreviated" href="mailto:umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96">umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96</a><br>
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,<a class="moz-txt-link-abbreviated" href="mailto:umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96">umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96</a><br>
debug2: kex_parse_kexinit: none,<a class="moz-txt-link-abbreviated" href="mailto:zlib@openssh.com,zlib">zlib@openssh.com,zlib</a><br>
debug2: kex_parse_kexinit: none,<a class="moz-txt-link-abbreviated" href="mailto:zlib@openssh.com,zlib">zlib@openssh.com,zlib</a><br>
debug2: kex_parse_kexinit:<br>
debug2: kex_parse_kexinit:<br>
debug2: kex_parse_kexinit: first_kex_follows 0<br>
debug2: kex_parse_kexinit: reserved 0<br>
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1<br>
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss<br>
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,<a class="moz-txt-link-abbreviated" href="mailto:rijndael-cbc@lysator.liu.se">rijndael-cbc@lysator.liu.se</a><br>
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,<a class="moz-txt-link-abbreviated" href="mailto:rijndael-cbc@lysator.liu.se">rijndael-cbc@lysator.liu.se</a><br>
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,<a class="moz-txt-link-abbreviated" href="mailto:umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96">umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96</a><br>
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,<a class="moz-txt-link-abbreviated" href="mailto:umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96">umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96</a><br>
debug2: kex_parse_kexinit: none,<a class="moz-txt-link-abbreviated" href="mailto:zlib@openssh.com">zlib@openssh.com</a><br>
debug2: kex_parse_kexinit: none,<a class="moz-txt-link-abbreviated" href="mailto:zlib@openssh.com">zlib@openssh.com</a><br>
debug2: kex_parse_kexinit:<br>
debug2: kex_parse_kexinit:<br>
debug2: kex_parse_kexinit: first_kex_follows 0<br>
debug2: kex_parse_kexinit: reserved 0<br>
debug2: mac_setup: found hmac-md5<br>
debug1: kex: server->client aes128-ctr hmac-md5 none<br>
debug2: mac_setup: found hmac-md5<br>
debug1: kex: client->server aes128-ctr hmac-md5 none<br>
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent<br>
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP<br>
debug3: Wrote 24 bytes for a total of 837<br>
debug2: dh_gen_key: priv key bits set: 141/256<br>
debug2: bits set: 525/1024<br>
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent<br>
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY<br>
debug3: Wrote 144 bytes for a total of 981<br>
debug3: check_host_in_hostfile: filename
/home/administrator/.ssh/known_hosts<br>
debug3: check_host_in_hostfile: match line 1<br>
debug3: check_host_in_hostfile: filename
/home/administrator/.ssh/known_hosts<br>
debug3: check_host_in_hostfile: match line 1<br>
debug1: Host 'proxy.example.com' is known and matches the RSA host
key.<br>
debug1: Found key in /home/administrator/.ssh/known_hosts:1<br>
debug2: bits set: 531/1024<br>
debug1: ssh_rsa_verify: signature correct<br>
debug2: kex_derive_keys<br>
debug2: set_newkeys: mode 1<br>
debug1: SSH2_MSG_NEWKEYS sent<br>
debug1: expecting SSH2_MSG_NEWKEYS<br>
debug3: Wrote 16 bytes for a total of 997<br>
debug2: set_newkeys: mode 0<br>
debug1: SSH2_MSG_NEWKEYS received<br>
debug1: SSH2_MSG_SERVICE_REQUEST sent<br>
debug3: Wrote 48 bytes for a total of 1045<br>
debug2: service_accept: ssh-userauth<br>
debug1: SSH2_MSG_SERVICE_ACCEPT received<br>
debug2: key: /home/administrator/.ssh/identity ((nil))<br>
debug2: key: /home/administrator/.ssh/id_rsa ((nil))<br>
debug2: key: /home/administrator/.ssh/id_dsa ((nil))<br>
debug3: Wrote 96 bytes for a total of 1141<br>
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password<br>
debug3: start over, passed a different list
publickey,gssapi-keyex,gssapi-with-mic,password<br>
debug3: preferred
gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password<br>
debug3: authmethod_lookup gssapi-keyex<br>
debug3: remaining preferred:
gssapi-with-mic,publickey,keyboard-interactive,password<br>
debug3: authmethod_is_enabled gssapi-keyex<br>
debug1: Next authentication method: gssapi-keyex<br>
debug1: No valid Key exchange context<br>
debug2: we did not send a packet, disable method<br>
debug3: authmethod_lookup gssapi-with-mic<br>
debug3: remaining preferred: publickey,keyboard-interactive,password<br>
debug3: authmethod_is_enabled gssapi-with-mic<br>
debug1: Next authentication method: gssapi-with-mic<br>
debug3: Trying to reverse map address 10.0.1.22.<br>
debug1: Unspecified GSS failure. Minor code may provide more
information<br>
KDC returned error string: HANDLE_AUTHDATA<br>
<br>
debug1: Unspecified GSS failure. Minor code may provide more
information<br>
KDC returned error string: HANDLE_AUTHDATA<br>
<br>
debug1: Unspecified GSS failure. Minor code may provide more
information<br>
<br>
<br>
debug2: we sent a gssapi-with-mic packet, wait for reply<br>
debug3: Wrote 112 bytes for a total of 1253<br>
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password<br>
debug2: we did not send a packet, disable method<br>
debug3: authmethod_lookup publickey<br>
debug3: remaining preferred: keyboard-interactive,password<br>
debug3: authmethod_is_enabled publickey<br>
debug1: Next authentication method: publickey<br>
debug1: Trying private key: /home/administrator/.ssh/identity<br>
debug3: no such identity: /home/administrator/.ssh/identity<br>
debug1: Trying private key: /home/administrator/.ssh/id_rsa<br>
debug3: no such identity: /home/administrator/.ssh/id_rsa<br>
debug1: Trying private key: /home/administrator/.ssh/id_dsa<br>
debug3: no such identity: /home/administrator/.ssh/id_dsa<br>
debug2: we did not send a packet, disable method<br>
debug3: authmethod_lookup password<br>
debug3: remaining preferred: ,password<br>
debug3: authmethod_is_enabled password<br>
debug1: Next authentication method: password<br>
<a class="moz-txt-link-abbreviated" href="mailto:administrator@nt.example.com@proxy.example.com">administrator@nt.example.com@proxy.example.com</a>'s password:<br>
<br>
<br>
Any ideas what KDC returned error string: HANDLE_AUTHDATA means?<br>
<br>
Dale<br>
<br>
<br>
<br>
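Added example (not part of the message above and not FreeIPA code): a Python triage script for the krb5kdc.log entries quoted in the message. It groups the "PAC Info mismatch" errors by trusted domain and SID pair and attaches the TGS request that each one rejected with HANDLE_AUTHDATA. The function and variable names are assumptions, and the sample log is constructed from the entries quoted above with the mail client's line wrapping undone.<br>
<pre>
```python
import re
from collections import defaultdict

# Constructed sample: one group of entries from the message above (unwrapped),
# repeated twice, followed by a mismatch whose TGS_REQ line was cut off.
GROUP = [
    "Mar 15 12:51:39 ds01.example.com krb5kdc[5224](Error): PAC Info mismatch: "
    "domain = nt.example.com, "
    "expected domain SID = S-1-5-21-2880953931-2806133027-2380768902, "
    "found domain SID = S-1-5-21-195870719-1427277748-2096390971",
    "Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): authdata (kdb) "
    "handling failure: Invalid argument",
    "Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ : "
    "handle_authdata (22)",
    "Mar 15 12:51:39 ds01.example.com krb5kdc[5224](info): TGS_REQ (4 etypes "
    "{18 17 16 23}) 10.0.1.254: HANDLE_AUTHDATA: authtime 1363351776, "
    "administrator@NT.EXAMPLE.COM for host/proxy.example.com@EXAMPLE.COM, "
    "Invalid argument",
]
SAMPLE_LOG = "\n".join(GROUP * 2 + GROUP[:1])

PID_RE = re.compile(r"krb5kdc\[(\d+)\]")
# Captures: trusted domain, SID the KDC expected, SID carried in the PAC.
PAC_RE = re.compile(
    r"PAC Info mismatch: domain = ([^\s,]+), "
    r"expected domain SID = (S-1(?:-\d+)+), "
    r"found domain SID = (S-1(?:-\d+)+)"
)
# Captures: source address, client principal, requested service principal.
TGS_RE = re.compile(
    r"TGS_REQ \(.*?\) ([^\s,]+): HANDLE_AUTHDATA: authtime \d+, "
    r"([^\s,]+) for ([^\s,]+), "
)


def summarize_pac_mismatches(log_text):
    """Group PAC SID mismatches and attach the TGS request each one rejected."""
    summary = defaultdict(lambda: {"count": 0, "requests": defaultdict(int)})
    pending = {}  # KDC pid mapped to the mismatch still waiting for its TGS_REQ line
    for line in log_text.splitlines():
        pid_match = PID_RE.search(line)
        if pid_match is None:
            continue  # not a krb5kdc line
        pid = pid_match.group(1)
        pac = PAC_RE.search(line)
        if pac:
            key = pac.groups()
            summary[key]["count"] += 1
            pending[pid] = key
            continue
        tgs = TGS_RE.search(line)
        if tgs and pid in pending:
            summary[pending.pop(pid)]["requests"][tgs.groups()] += 1
    return {
        key: {"count": info["count"], "requests": dict(info["requests"])}
        for key, info in summary.items()
    }


def format_report(summary):
    """Render the grouped mismatches as text lines for a ticket or a shell."""
    lines = []
    for (domain, expected, found), info in sorted(summary.items()):
        lines.append("trusted domain %s: %d PAC rejection(s)" % (domain, info["count"]))
        lines.append("  SID the KDC expected: %s" % expected)
        lines.append("  SID found in the PAC: %s" % found)
        for (src, client, service), hits in sorted(info["requests"].items()):
            lines.append("  %dx %s requested %s from %s" % (hits, client, service, src))
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(summarize_pac_mismatches(SAMPLE_LOG))))
```
</pre>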
</body>
</html>