joadoor

[Log in to get rid of this advertisement]

Hi all,

I hope someone here can help me before I go completely mad, abandon computers all together, and go back to slate and chisel!

I have been banging my head against a brick wall trying to get a SUSE 10 OSS installation talking to our live W2K Active Directory.

Purpose: Seemless authentication for Squid Proxy

I have successfully tested this inside VMware with a SUSE OSS install, and a test Domain Controller. However, replicating my steps in the live environment is proving frustrating.

After following countless google search leads, everything I try and do comes down to Kerberos (the bl**dy 3 headed dog! Grrrr).
Upon issuing:
# kinit adminuser@domainname
I get:
kinit(v5): KDC reply did not match expectations while getting initial credentials

I know that the request is hitting the Domain Controller because if I enter a wrong password I get:
kinit(v5): Preauthentication failed while getting initial credentials

I have sync'd the clocks, tried with UPPPERCASE DOMAINS and lowercase domains, included the .LOCAL and .local at the end (our domain is domainname, but domainname.local with full domain suffix).
From what I can gather from the many sites on this subject the overview processes are:
1. Initiate the kerberos ticket with kinit
2. Configure Samba and Winbind
3. Join the domain (net join rpc or ads)
4. Start Samba and Winbind
5. Test connection to AD with wbinfo
6. Install & Configure Squid

Like I said, I have managed this before, but cannot replicate it, and am getting stuck at the first hurdle.

Please someone help, this is doing my nut in

Andy

logicalfuzz

I had similar problems. I figured out that krb5.conf requires the realm names to be in upper case. I have converted the domain names (wherever it appears in krb5.conf) to uppercase. Now my krb5.conf looks something like this:
Additionally, i involke the kinit command as follows:

see? the way you invoke kinit also make a diference.


Regards,
LF.

dragin33

Thank You logicalfuzz!!! Looked on countless other pages for this simple answer but what you suggested was exactly right.

MasterC

w00t! Thanks, I was in a similar boat at this step...

-Chad

bkfullmer

I am new to this forum, but have a question regarding this error:

In the snippet of the error:
Kerberos kinit "reply did not match expectations"

I have the following entries in my krb5.conf file.

What is the difference between

CORP.EXAMPLE.COM and MYKDC.CORP.EXAMPLE.COM:88 ?

I am trying to set kerberos on a small network for internal testing. My domain controller name is DNASilo and my domain name is dna.qa.silo.ad.

What goes in the default_realm and what goes in the kdc ?

Any help would be appreciated

Thanks,
Brad

[libdefaults]
default_realm = CORP.EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
CORP.EXAMPLE.COM = {
kdc = MYKDC.CORP.EXAMPLE.COM:88

moravia

Hi bkfullmer. This thread just helped me through the problem, so I think I can clear up a few things for you. Everywhere you see an entry with EXAMPLE.COM in it, substitute your own, real domain.

The kdc entries are for your domain controllers.

default_realm = DNA.QA.SILO.AD

[realms]
DNA.QA.SILO.AD {
kdc = DNASILO.DNA.QA.SILO.AD:88

colonboy

Exactly what I was looking for. I changed to upper case in my krb.conf file as well as within the kinit command, and I was able to authenticate. Before that, I was able to verify KDC with # host -t srv _kerberos._tcp.mydomain.com.

Thanks for the kick in the butt reminder that case sensitivity is something to always watch out for.

Colonboy