LinuxQuestions.org > Linux - Networking > Kerberos kinit "reply did not match expectations" (https://www.linuxquestions.org/questions/linux-networking-3/kerberos-kinit-reply-did-not-match-expectations-445698/)

joadoor 05-17-2006 09:33 AM

Kerberos kinit "reply did not match expectations"
 
Hi all,

I hope someone here can help me before I go completely mad, abandon computers altogether, and go back to slate and chisel!

I have been banging my head against a brick wall trying to get a SUSE 10 OSS installation talking to our live W2K Active Directory.

Purpose: Seamless authentication for Squid Proxy

I have successfully tested this inside VMware with a SUSE OSS install, and a test Domain Controller. However, replicating my steps in the live environment is proving frustrating.

After following countless google search leads, everything I try and do comes down to Kerberos (the bl**dy 3 headed dog! Grrrr).
Upon issuing:
# kinit adminuser@domainname
I get:
kinit(v5): KDC reply did not match expectations while getting initial credentials

I know that the request is hitting the Domain Controller because if I enter a wrong password I get:
kinit(v5): Preauthentication failed while getting initial credentials

I have sync'd the clocks, tried with UPPERCASE DOMAINS and lowercase domains, included the .LOCAL and .local at the end (our domain is domainname, but domainname.local with full domain suffix).
From what I can gather from the many sites on this subject the overview processes are:
1. Initiate the kerberos ticket with kinit
2. Configure Samba and Winbind
3. Join the domain (net join rpc or ads)
4. Start Samba and Winbind
5. Test connection to AD with wbinfo
6. Install & Configure Squid

Like I said, I have managed this before, but cannot replicate it, and am getting stuck at the first hurdle.

Please someone help, this is doing my nut in :scratch:

Andy

logicalfuzz 08-15-2006 07:51 AM

I had similar problems. I figured out that krb5.conf requires the realm names to be in upper case. I have converted the domain names (wherever it appears in krb5.conf) to uppercase. Now my krb5.conf looks something like this:
Code:

<..SNIP..>
[libdefaults]
 default_realm = CORP.EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
  CORP.EXAMPLE.COM = {
  kdc = MYKDC.CORP.EXAMPLE.COM:88
 }

<../SNIP..>

Additionally, I invoke the kinit command as follows:

Code:

[root@LinuxLS logicalfuzz]# kinit myaccount@corp.example.com
Password for myaccount@corp.example.com:
kinit(v5): KDC reply did not match expectations while getting initial credentials
[root@LinuxLS logicalfuzz]# kinit myaccount@CORP.EXAMPLE.COM
Password for myaccount@CORP.EXAMPLE.COM:
[root@LinuxLS logicalfuzz]#

See? The way you invoke kinit also makes a difference.


Regards,
LF.

dragin33 06-19-2007 09:48 AM

Thank You logicalfuzz!!! Looked on countless other pages for this simple answer but what you suggested was exactly right.


Quote:

Originally Posted by logicalfuzz


MasterC 09-12-2007 05:52 PM

w00t! Thanks, I was in a similar boat at this step...

-Chad

Quote:

Originally Posted by logicalfuzz (Post 2380396)


bkfullmer 10-05-2007 10:26 AM

Kerberos revisited
 
I am new to this forum, but have a question regarding this error:

In the snippet of the error:
Kerberos kinit "reply did not match expectations"

I have the following entries in my krb5.conf file.

What is the difference between

CORP.EXAMPLE.COM and MYKDC.CORP.EXAMPLE.COM:88 ?

I am trying to set kerberos on a small network for internal testing. My domain controller name is DNASilo and my domain name is dna.qa.silo.ad.

What goes in the default_realm and what goes in the kdc ?

Any help would be appreciated

Thanks,
Brad

[libdefaults]
default_realm = CORP.EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
CORP.EXAMPLE.COM = {
kdc = MYKDC.CORP.EXAMPLE.COM:88
}

moravia 10-25-2007 08:03 AM

Kerberos realm
 
Hi bkfullmer. This thread just helped me through the problem, so I think I can clear up a few things for you. Everywhere you see an entry with EXAMPLE.COM in it, substitute your own, real domain.

The kdc entries are for your domain controllers.

[libdefaults]
default_realm = DNA.QA.SILO.AD

[realms]
DNA.QA.SILO.AD = {
kdc = DNASILO.DNA.QA.SILO.AD:88
}

Quote:

Originally Posted by bkfullmer (Post 2914297)


colonboy 04-09-2008 07:40 AM

Exactly what I was looking for. I changed to upper case in my krb5.conf file as well as within the kinit command, and I was able to authenticate. Before that, I was able to verify the KDC with # host -t srv _kerberos._tcp.mydomain.com.

Thanks for the kick in the butt reminder that case sensitivity is something to always watch out for.

Colonboy

singhpps 03-20-2010 12:56 AM

Quote:

Originally Posted by logicalfuzz (Post 2380396)



Hi, thanks a lot. You made my day :)

jonnymccullagh 11-09-2010 06:35 AM

Thanks

alexsdba 11-09-2010 03:00 PM

Thank You. UPPERCASE fixed me up.

kbp 02-15-2011 08:21 PM

I realize I'm bumping an old thread but wanted to clear up the reason behind this issue:

- kerberos user principals are username@realm *not* username@domain

Don't get confused just because the realm name is usually an upper-case version of the domain name

hth
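As an added example (not code from any poster in this thread), here is a small Python checker that ties logicalfuzz's fix to kbp's explanation: it parses a krb5.conf in the profile format shown above, flags every place a realm name appears in lower case (default_realm, the block names under [realms], and the right-hand side of [domain_realm]), and rewrites a kinit principal so that the part after @ is treated as the realm rather than the DNS domain. The sample configs are constructed, and the function names parse_krb5_conf, check_text, normalize_principal and kinit_command are chosen here.

```python
import re

# Constructed sample in the shape logicalfuzz posted: realm in upper case everywhere.
GOOD_CONF = """\
[libdefaults]
 default_realm = CORP.EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
  CORP.EXAMPLE.COM = {
  kdc = MYKDC.CORP.EXAMPLE.COM:88
 }

[domain_realm]
 .corp.example.com = CORP.EXAMPLE.COM
 corp.example.com = CORP.EXAMPLE.COM
"""

# Constructed sample of the mistake in the thread: the realm typed like a DNS domain.
BAD_CONF = GOOD_CONF.replace("CORP.EXAMPLE.COM", "corp.example.com")


def parse_krb5_conf(text):
    """Parse the krb5.conf profile format: [section] headers, 'key = value'
    lines, and one level of 'NAME = { ... }' blocks, which is all that the
    [realms] and [domain_realm] sections in this thread use."""
    conf = {}
    section = None   # current [section]
    block = None     # current 'NAME = {' block inside the section, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, block = m.group(1), None
            conf.setdefault(section, {})
            continue
        if section is None:
            raise ValueError("setting outside any [section]: %r" % raw)
        m = re.fullmatch(r"([^=\s]+)\s*=\s*\{", line)
        if m:
            block = m.group(1)
            conf[section].setdefault(block, {})
            continue
        if line == "}":
            block = None
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("cannot parse %r (missing '=')" % raw)
        target = conf[section][block] if block else conf[section]
        target[key.strip()] = value.strip()
    if block is not None:
        raise ValueError("block %r in [%s] is never closed with '}'" % (block, section))
    return conf


def lint_realm_case(conf):
    """Report every realm name that is not upper case. Realms appear as
    default_realm, as block names under [realms], and as values in [domain_realm]."""
    found = []
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if default_realm is not None:
        found.append(("[libdefaults] default_realm", default_realm))
    for name, body in conf.get("realms", {}).items():
        if isinstance(body, dict):
            found.append(("[realms] block", name))
    for domain, realm in conf.get("domain_realm", {}).items():
        if isinstance(realm, str):
            found.append(("[domain_realm] " + domain, realm))
    return ["%s: realm %r should be %r" % (where, realm, realm.upper())
            for where, realm in found if realm != realm.upper()]


def check_text(text):
    """Parse a krb5.conf string and return the list of realm-case problems."""
    return lint_realm_case(parse_krb5_conf(text))


def normalize_principal(principal, default_realm):
    """Split 'user@REALM' into (user, REALM). The part after '@' is the
    Kerberos realm, not the DNS domain, so it is upper-cased; a bare 'user'
    gets default_realm. The user part is returned exactly as typed."""
    user, sep, realm = principal.partition("@")
    if not user:
        raise ValueError("empty user in %r" % principal)
    if not sep or not realm:
        realm = default_realm
    return user, realm.upper()


def kinit_command(principal, default_realm):
    """Build the kinit invocation with the realm spelled the way the KDC expects."""
    user, realm = normalize_principal(principal, default_realm)
    return "kinit %s@%s" % (user, realm)


if __name__ == "__main__":
    for label, text in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, check_text(text) or "ok")
    print(kinit_command("myaccount@corp.example.com", "CORP.EXAMPLE.COM"))
```

Running it on the "bad" sample lists the four lower-case realm occurrences; on the "good" sample it prints "ok". The kinit line it builds is the upper-case form logicalfuzz showed working, while the user name is left untouched since only the realm part is affected by the case rule discussed here.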

Pupkur 03-29-2011 01:49 AM

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = TABAK-INVEST
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
TABAK-INVEST = {
kdc = SRVPDC
admin_server = SRVPDC
default_domain=TABAK-INVEST
}

[domain_realm]
.TABAK-INVEST = TABAK-INVEST
TABAK-INVEST = TABAK-INVEST

[login]
krb4_convert=false
krb4_get_tickets=false

[root@Pupkur ~]# kinit Pupkur@TABAK-INVEST
Password for Pupkur@TABAK-INVEST:
kinit: KDC reply did not match expectations while getting initial credentials

Please, somebody, say what is wrong? (Sorry for my bad English, I'm Russian :) )

thegs68 04-13-2011 02:49 PM

Thanks Plenty
 
Quote:

Originally Posted by logicalfuzz (Post 2380396)

Thanks. This was exactly what I needed to fix my issue which was the same. Keep up with the great info. You are one in a million who is not afraid to pass on your knowledge. Others go into long winded explanations and barely give any examples of their work and/or if it even worked for them, they just like to make people think that they are smarter than everybody else.
Once again thanks!

philhu 08-19-2011 03:50 PM

ok, thanks for this...this fixed kinit :)

Getent testing works too :)

What doesn't work is authentication to login to the linux box from Windows server 2008

As stated, kinit works with the uppercase, the krb5.conf file is set as shown here. Getent returns the passwd 'line' from the windows server. The windows server does have the lower cryptography group policy.

I've gotten this to work before, but for this domain, it just hangs and says (in putty) "authentication failed"

Is there a log somewhere on the win box to see what is failing? As I said kinit and getent tests work fine now.

Here are the 'tests' working:
[root@xxxdevemp01 etc]# kinit philh@XXX.SAAS
Password for philh@XXX.SAAS:
[root@xxxdevemp01 etc]# getent passwd philh
philh:*:10007:501:Phil H:/home/philh:/bin/bash
[root@xxxdevemp01 etc]#

It returns the group, user id etc just fine. All set on the Windows server.......It must be something very fundamental...Thanks for looking...

Here is my ldap.conf:
base XXX,dc=saas
uri ldap://xxxadc01.xxx.saas/
binddn ldapbind@xxx.saas
bindpw XXXpass
scope sub
ssl no
#tls_checkpeer no
nss_base_passwd dc=xxx,dc=saas?sub
nss_base_shadow dc=xxx,dc=saas?sub
nss_base_group dc=xxx,dc=saas?sub?&(objectCategory=group)(gidnumber=*)
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,orion
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
tls_cacertdir /etc/openldap/cacerts
pam_password md5
#pam_password ad

And my krb5.conf:
[root@xxxdevemp01 etc]# cat krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = XXX.SAAS
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
verify_ap_req_nofail = false

[realms]
XXX.SAAS = {
kdc = XXXDEVADC01.XXX.SAAS:88
admin_server = XXXDEVADC01.XXX.SAAS:749
default_domain = XXX.SAAS
}

[domain_realms]
.xxx.saas = XXX.SAAS
xxx.saas = XXX.SAAS

[login]
krb4_convert=false
krb4_get_tickets=false

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[root@xxxdevemp01 etc]#

Mohammed Moufakkir 11-01-2011 04:41 AM

Thanks guys, that was helpful.

