Well, we can try to guess a little. From what Matt Holdrege and others have said, Access Control is based on a new version of Merit RADIUS. If you check the last public version of Merit RADIUS (2.23c), you can see the Kerberos support in rad.kerberos.c and krb_get_in_tkt.c. You have to get the afs_stringtokey.c source from somewhere else.

The radius.debug line that seems to be reporting the problem is:

> krb_pass: principle (crawdad) in realm (FNAL.GOV) has bad pw

This is probably a new, more detailed error message from rad.kerberos.c:

    if (strcmp (authreq->direct_aatv->id, "AKERB") == 0)
    {
        krbval = krb_get_in_tkt (userid, "", realm, "krbtgt", realm,
                                 DEFAULT_TKT_LIFE, afs_passwd_to_key,
                                 NULL, passwd);
    }
    ...
    switch (krbval)
    {
        ...
        case INTK_BADPW: /* Tell client to give up on bad pw */
            krbreturn = EV_NAK;
            break;
    }
    ...

krb_get_in_tkt returns INTK_BADPW "to indicate bad password (if decrypted ticket didn't make sense" (see krb_get_in_tkt.c). In your last message, you said "a non-error KDC reply come back"; this means that, for some reason, after using decrypt_tkt, the attempt to extract information from the ticket failed.

It is going to be mighty tough to figure out the problem, since the data is encrypted and Merit RADIUS is pretty careful to destroy the secret information as soon as possible to help reduce the risk of someone stealing it from a core file or running image.
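An added illustration, not part of the original message and not Merit RADIUS or Kerberos code, of the failure mode discussed above: the client decrypts the KDC reply with a key derived from the password, wipes the key immediately, and reports a bad password when the plaintext does not make sense. The hash, cipher, function names and return codes are toy stand-ins chosen for the example; it also shows that this check cannot tell a wrong password from a right password run through a different string-to-key routine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum { DEMO_OK = 0, DEMO_BADPW = 1 };  /* constructed codes, not krb.h values; hash and cipher are toys */
typedef uint32_t (*key_proc_t)(const char *passwd, const char *realm);
static uint32_t fnv1a(uint32_t h, const char *s) {
    while (*s) { h ^= (unsigned char)*s++; h *= 16777619u; }
    return h;
}
/* Two hypothetical string-to-key routines; only the second mixes in the realm. */
uint32_t s2k_plain(const char *pw, const char *realm) { (void)realm; return fnv1a(2166136261u, pw); }
uint32_t s2k_salted(const char *pw, const char *realm) { return fnv1a(fnv1a(2166136261u, pw), realm); }
/* XOR with an xorshift32 keystream; the same call encrypts and decrypts. Not secure. */
static void toy_crypt(uint32_t key, unsigned char *buf, size_t n) {
    uint32_t x = key ? key : 1;
    for (size_t i = 0; i < n; i++) { x ^= x << 13; x ^= x >> 17; x ^= x << 5; buf[i] ^= (unsigned char)x; }
}
/* Zero through a volatile pointer so the stores are not optimised away. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}
/* "KDC" side: the reply body names the ticket service, encrypted under the user's key. */
size_t kdc_reply(uint32_t user_key, const char *realm, unsigned char *out, size_t cap) {
    size_t n = (size_t)snprintf((char *)out, cap, "krbtgt.%s", realm);
    if (n >= cap) return 0;
    toy_crypt(user_key, out, n);
    return n;
}
/* Client side: decrypt, wipe the key at once, then check the plaintext makes sense. */
int demo_get_in_tkt(const unsigned char *reply, size_t n, const char *realm,
                    key_proc_t key_proc, const char *passwd) {
    unsigned char buf[64]; char want[64];
    if (n >= sizeof buf) return DEMO_BADPW;
    uint32_t key = key_proc(passwd, realm);
    memcpy(buf, reply, n);
    toy_crypt(key, buf, n);
    wipe(&key, sizeof key);                 /* secret is gone before any check can fail */
    size_t wn = (size_t)snprintf(want, sizeof want, "krbtgt.%s", realm);
    int ok = (wn == n) && memcmp(buf, want, n) == 0;
    wipe(buf, sizeof buf);
    return ok ? DEMO_OK : DEMO_BADPW;
}
int main(void) {
    unsigned char r[64];                    /* password below is a constructed sample */
    size_t n = kdc_reply(s2k_salted("pw-constructed", "FNAL.GOV"), "FNAL.GOV", r, sizeof r);
    printf("right pw, same s2k:  %d\n", demo_get_in_tkt(r, n, "FNAL.GOV", s2k_salted, "pw-constructed"));
    printf("right pw, other s2k: %d\n", demo_get_in_tkt(r, n, "FNAL.GOV", s2k_plain, "pw-constructed"));
}
```

Because the key and plaintext are wiped before the function returns, the only evidence left for debugging is the return code, which is why a key-derivation mismatch and a mistyped password look identical in the log.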
++ Ascend Users Mailing List ++
To unsubscribe: send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd: <<A HREF="http://www.nealis.net/ascend/faq">http://www.nealis.net/ascend/faq</A>>
</PRE>
</BODY>
</HTML>