Kerberos kinit "reply did not match expectations"

kennymadsen · 10-15-2012, 02:03 PM

I came upon this thread after 2 days of frustration. CASE SeNsITive! THank you thank you. I know this is an old thread but it may be just the one to prevent you much headache. This in my opinion is poorly documented in ever Linux Distro I could find. Did I say thank you?

miguelangeljma · 04-11-2013, 12:09 PM

Quote:

Originally Posted by logicalfuzz

I had similar problems. I figured out that krb5.conf requires the realm names to be in upper case. I have converted the domain names (wherever it appears in krb5.conf) to uppercase. Now my krb5.conf looks something like this:

Code:

<..SNIP..>
[libdefaults]
 default_realm = CORP.EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
  CORP.EXAMPLE.COM = {
  kdc = MYKDC.CORP.EXAMPLE.COM:88
 }

<../SNIP..>

Additionally, i involke the kinit command as follows:

Code:

[root@LinuxLS logicalfuzz]# kinit myaccount@corp.example.com
Password for myaccount@corp.example.com:
kinit(v5): KDC reply did not match expectations while getting initial credentials
[root@LinuxLS logicalfuzz]# kinit myaccount@CORP.EXAMPLE.COM
Password for myaccount@CORP.EXAMPLE.COM:
[root@LinuxLS logicalfuzz]#

see? the way you invoke kinit also make a diference.

Regards,
LF.

DUDE! thanks a lot. I took the time to recover my password and login just to thank you. Be good and keep the good job! thank you again.

zchege · 12-06-2018, 04:54 AM

Thanks very much for the solution.mine worked

Quote:

Originally Posted by logicalfuzz

I had similar problems. I figured out that krb5.conf requires the realm names to be in upper case. I have converted the domain names (wherever it appears in krb5.conf) to uppercase. Now my krb5.conf looks something like this:

Code:

<..SNIP..>
[libdefaults]
 default_realm = CORP.EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
  CORP.EXAMPLE.COM = {
  kdc = MYKDC.CORP.EXAMPLE.COM:88
 }

<../SNIP..>

Additionally, i involke the kinit command as follows:

Code:

[root@LinuxLS logicalfuzz]# kinit myaccount@corp.example.com
Password for myaccount@corp.example.com:
kinit(v5): KDC reply did not match expectations while getting initial credentials
[root@LinuxLS logicalfuzz]# kinit myaccount@CORP.EXAMPLE.COM
Password for myaccount@CORP.EXAMPLE.COM:
[root@LinuxLS logicalfuzz]#

see? the way you invoke kinit also make a diference.

Regards,
LF.

daniziz · 04-15-2019, 09:43 AM

Hi all,

This is my first post, and I don't want to duplicate threads...

I have a problem with my Kerberos configuration. I've googled about 30 pages and all refer to the same problem (UPPERCASE).

This is my .conf file:

Code:

[libdefaults]
        default_realm = IBYSTECH
        dns_lookup_realm = true
        dns_lookup_kdc = true

[realms]
        IBYSTECH = {
                kdc = NAVISION:88
        }

When I try to kinit as administrator, it always gives me this:

Code:

root@DIZQUIERDO-PC:~# kinit administrator@IBYSTECH
Password for administrator@IBYSTECH: 
kinit: KDC reply did not match expectations while getting initial credentials
root@DIZQUIERDO-PC:~# kinit administrator
Password for administrator@IBYSTECH: 
kinit: KDC reply did not match expectations while getting initial credentials

It's not a problem of passwd because it gives me a wrong passwd message if I write a wrong...

Is there anythig more I can check?

If I ping to kdc Server its ok:

Code:

root@DIZQUIERDO-PC:~# ping NAVISION
PING NAVISION (192.168.0.60) 56(84) bytes of data.
64 bytes from NAVISION (192.168.0.60): icmp_seq=1 ttl=128 time=0.310 ms
64 bytes from NAVISION (192.168.0.60): icmp_seq=2 ttl=128 time=0.147 ms

Regards!

gwe'l · 07-24-2019, 08:29 AM

If the "UPPERCASE trick" doesn't work like for me, try to invert realm and domain. That's was my problem and kinit was complaining with the same dumb/nonsense error message : "kinit: KDC reply did not match expectations while getting initial credentials".

Or try to view kerberos messages with wireshark if you can, to see what you send, and what kerberos server respond to you that "doesn't match expectations"