Failed to verify CMS message: bad signature


Failed to verify CMS message: bad signature

Jarek 111
Hello!

        I've tried to migrate KDC (Debian 7) to new hardware with
Debian 9.
        We are using KDC with pkinit and smartcards.
        After fresh installation, I have copied /etc/krb5.conf,
/etc/krb5.keytab, /etc/krb5kdc and /var/lib/krb5kdc.
        All certificates are in /etc/krb5kdc.
        The new machine has the same name as old, only IP is different.
        kadmin lists all principals, kdc and admin server are working.
       
        kinit from remote machine fails, on KDC in authlog we have
message: 

PREAUTH_FAILED: Failed to verify CMS message: bad signature

What can be wrong ?

Best regards
Jarek
       
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Failed to verify CMS message: bad signature

Todd Grayson
The discussions I've seen where this is done successfully use tar to grab
all the files (do an ls -la in the kdc path to see what you missed) along
with the krb5.conf.  I believe you are missing important file(s) based on
what you listed.

On Wed, Feb 26, 2020, 7:31 AM jarek <[hidden email]> wrote:

> Hello!
>
>         I've tried to migrate KDC (Debian 7) to new hardware with
> Debian 9.
>         We are using KDC with pkinit and smartcards.
>         After fresh installation, I have copied /etc/krb5.conf,
> /etc/krb5.keytab, /etc/krb5kdc and /var/lib/krb5kdc.
>         All certificates are in /etc/krb5kdc.
>         The new machine has the same name as old, only IP is different.
>         kadmin lists all principals, kdc and admin server are working.
>
>         kinit from remote machine fails, on KDC in authlog we have
> message:
>
> PREAUTH_FAILED: Failed to verify CMS message: bad signature
>
> What can be wrong ?
>
> Best regards
> Jarek

Re: Failed to verify CMS message: bad signature

Jarek 111
On Wed, 26 Feb 2020 at 07:51 -0700, Todd Grayson wrote:
> The discussions I've seen where this is done successfully use tar to
> grab all the files (do an ls -la in the kdc path to see what you
> missed) along with the krb5.conf.  I believe you are missing important
> file(s) based on what you listed.

It looks like the problem is related to a version incompatibility: I
can log in from a Debian 9 client (1.15) to the Debian 9 KDC (1.15)
but can't log in from Debian 7 (1.10.1).
What is strange is that I can log in from Debian 9 to the Debian 7 KDC.
I suspect an openssl CMS incompatibility:
https://www.mail-archive.com/ope[hidden email]/msg85910.html

best regards
Jarek

