Kerberos kinit "reply did not match expectations"
Hi all,
I hope someone here can help me before I go completely mad, abandon computers altogether, and go back to slate and chisel! I have been banging my head against a brick wall trying to get a SUSE 10 OSS installation talking to our live W2K Active Directory. Purpose: seamless authentication for Squid Proxy.

I have successfully tested this inside VMware with a SUSE OSS install and a test Domain Controller. However, replicating my steps in the live environment is proving frustrating. After following countless Google search leads, everything I try to do comes down to Kerberos (the bl**dy 3-headed dog! Grrrr).

Upon issuing:

# kinit adminuser@domainname

I get:

kinit(v5): KDC reply did not match expectations while getting initial credentials

I know that the request is hitting the Domain Controller because if I enter a wrong password I get:

kinit(v5): Preauthentication failed while getting initial credentials

I have synced the clocks, tried with UPPERCASE DOMAINS and lowercase domains, included the .LOCAL and .local at the end (our domain is domainname, but domainname.local with full domain suffix).

From what I can gather from the many sites on this subject, the overview processes are:

1. Initiate the Kerberos ticket with kinit
2. Configure Samba and Winbind
3. Join the domain (net join rpc or ads)
4. Start Samba and Winbind
5. Test connection to AD with wbinfo
6. Install & configure Squid

Like I said, I have managed this before, but cannot replicate it, and am getting stuck at the first hurdle. Please someone help, this is doing my nut in.

Andy
I had similar problems. I figured out that krb5.conf requires the realm names to be in upper case. I have converted the domain names (wherever they appear in krb5.conf) to uppercase. Now my krb5.conf looks something like this:

<..SNIP..>

[root@LinuxLS logicalfuzz]# kinit myaccount@corp.example.com

Regards, LF.
Thank You logicalfuzz!!! Looked on countless other pages for this simple answer but what you suggested was exactly right.
w00t! Thanks, I was in a similar boat at this step...

-Chad
Kerberos revisited
I am new to this forum, but have a question regarding this error:
In the snippet of the error "Kerberos kinit 'reply did not match expectations'" I have the following entries in my krb5.conf file. What is the difference between CORP.EXAMPLE.COM and MYKDC.CORP.EXAMPLE.COM:88? I am trying to set up Kerberos on a small network for internal testing. My domain controller name is DNASilo and my domain name is dna.qa.silo.ad. What goes in the default_realm and what goes in the kdc? Any help would be appreciated.

Thanks, Brad

[libdefaults]
default_realm = CORP.EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
CORP.EXAMPLE.COM = {
kdc = MYKDC.CORP.EXAMPLE.COM:88
}
Kerberos realm
Hi bkfullmer. This thread just helped me through the problem, so I think I can clear up a few things for you. Everywhere you see an entry with EXAMPLE.COM in it, substitute your own real domain. The kdc entries are for your domain controllers.

[libdefaults]
default_realm = DNA.QA.SILO.AD
[realms]
DNA.QA.SILO.AD = {
kdc = DNASILO.DNA.QA.SILO.AD:88
}
Exactly what I was looking for. I changed to upper case in my krb5.conf file as well as within the kinit command, and I was able to authenticate. Before that, I was able to verify the KDC with # host -t srv _kerberos._tcp.mydomain.com.

Thanks for the kick-in-the-butt reminder that case sensitivity is something to always watch out for.

Colonboy
Hi, thanks a lot. You made my day :)

Thanks

Thank You. UPPERCASE fixed me up.
I realize I'm bumping an old thread but wanted to clear up the reason behind this issue:

- Kerberos user principals are username@realm, *not* username@domain. Don't get confused just because the realm name is usually an upper-case version of the domain name.

HTH
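The point made in the last two posts (default_realm and the [realms] key name are the upper-case Kerberos realm, while the kdc value is a host name, and the kinit principal must use that realm rather than the DNS domain) can be checked mechanically. The script below is an added example, not code from this thread or from MIT Kerberos: it parses the INI-with-braces layout of krb5.conf and flags lower-case realm names, a principal whose realm part is lower case or has no [realms] entry, and realms with no kdc. Active Directory answers an AS request with the canonical, upper-case realm, and the MIT client rejects a reply whose realm differs from the one it asked for, which is exactly the "KDC reply did not match expectations" message above. The two sample configs are constructed; the hosts and realm names are placeholders.

```python
"""krb5.conf linter for the 'KDC reply did not match expectations' case.

Added example, not code from the thread or from MIT Kerberos. Parses the
INI-with-braces layout of krb5.conf and reports the mistakes discussed above:
realm names written in lower case, a kinit principal whose realm part is not
upper case or not a configured realm, and [realms] entries without a kdc.
The two sample configs are constructed; hosts and realms are placeholders.
"""
import re

SECTION_RE = re.compile(r"^\[(\w+)\]$")
BLOCK_RE = re.compile(r"^([^=\s]+)\s*=\s*\{$")
KEYVAL_RE = re.compile(r"^([^=\s]+)\s*=\s*(.+)$")


def parse_krb5_conf(text):
    """Return {section: {key: value}}; 'NAME = { ... }' blocks become nested dicts."""
    conf = {}
    section = None   # current [section]
    block = None     # current 'NAME = {' block inside the section, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            conf.setdefault(section, {})
            block = None
            continue
        if section is None:
            continue              # stray text before the first [section]
        if line == "}":
            block = None
            continue
        m = BLOCK_RE.match(line)
        if m:
            block = m.group(1)
            conf[section][block] = {}
            continue
        m = KEYVAL_RE.match(line)
        if m:
            target = conf[section][block] if block else conf[section]
            target[m.group(1)] = m.group(2).strip()
    return conf


def lint(conf, principal=None):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    findings = []
    realms = conf.get("realms", {})
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if default_realm is None:
        findings.append("libdefaults: default_realm is not set")
    elif default_realm != default_realm.upper():
        findings.append(f"libdefaults: default_realm '{default_realm}' is not upper case")
    elif default_realm not in realms:
        findings.append(f"libdefaults: default_realm '{default_realm}' has no [realms] entry")
    for name, body in realms.items():
        if name != name.upper():
            findings.append(f"realms: '{name}' is not upper case")
        if not isinstance(body, dict) or "kdc" not in body:
            findings.append(f"realms: '{name}' has no kdc (set kdc = <dc-fqdn>:88)")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm != realm.upper():
            findings.append(f"domain_realm: '{domain}' maps to lower-case realm '{realm}'")
    if principal is not None:
        _user, sep, realm = principal.partition("@")
        if not sep:
            findings.append(f"principal '{principal}' has no @REALM part")
        elif realm != realm.upper():
            findings.append(f"principal '{principal}': realm part is the DNS domain, not the upper-case realm")
        elif realm not in realms:
            findings.append(f"principal '{principal}': realm '{realm}' has no [realms] entry")
    return findings


# Constructed sample: the shape of the failing configs quoted in this thread.
BAD_CONF = """
[libdefaults]
    default_realm = corp.example.com
    dns_lookup_kdc = true

[realms]
    corp.example.com = {
        kdc = mykdc.corp.example.com:88
    }
"""

# Constructed sample: the same site with the realm names upper-cased.
GOOD_CONF = """
[libdefaults]
    default_realm = CORP.EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    CORP.EXAMPLE.COM = {
        kdc = mykdc.corp.example.com:88   # the KDC host name itself may stay lower case
    }

[domain_realm]
    .corp.example.com = CORP.EXAMPLE.COM
    corp.example.com = CORP.EXAMPLE.COM
"""

if __name__ == "__main__":
    for label, text, princ in (("bad", BAD_CONF, "myaccount@corp.example.com"),
                               ("good", GOOD_CONF, "myaccount@CORP.EXAMPLE.COM")):
        print(f"{label}: {lint(parse_krb5_conf(text), princ) or ['ok']}")
```

Run it against your own file with `lint(parse_krb5_conf(open('/etc/krb5.conf').read()), 'user@REALM')`; the parser only handles one level of braces, which is all [realms] and [appdefaults] need.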
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = TABAK-INVEST
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
TABAK-INVEST = {
kdc = SRVPDC
admin_server = SRVPDC
default_domain=TABAK-INVEST
}
[domain_realm]
.TABAK-INVEST = TABAK-INVEST
TABAK-INVEST = TABAK-INVEST
[login]
krb4_convert=false
krb4_get_tickets=false

[root@Pupkur ~]# kinit Pupkur@TABAK-INVEST
Password for Pupkur@TABAK-INVEST:
kinit: KDC reply did not match expectations while getting initial credentials

Please, somebody, say what is wrong? (Sorry for my bad English, I'm Russian :) )
Thanks Plenty

Once again thanks!
OK, thanks for this... this fixed kinit :)

Getent testing works too :) What doesn't work is authentication to log in to the Linux box from Windows Server 2008. As stated, kinit works with the uppercase, and the krb5.conf file is set as shown here. Getent returns the passwd 'line' from the Windows server. The Windows server does have the lower cryptography group policy. I've gotten this to work before, but for this domain it just hangs and says (in PuTTY) "authentication failed". Is there a log somewhere on the Win box to see what is failing? As I said, kinit and getent tests work fine now.

Here are the 'tests' working:

[root@xxxdevemp01 etc]# kinit philh@XXX.SAAS
Password for philh@XXX.SAAS:
[root@xxxdevemp01 etc]# getent passwd philh
philh:*:10007:501:Phil H:/home/philh:/bin/bash
[root@xxxdevemp01 etc]#

It returns the group, user id etc. just fine. All set on the Windows server....... It must be something very fundamental... Thanks for looking...

Here is my ldap.conf:

base XXX,dc=saas
uri ldap://xxxadc01.xxx.saas/
binddn ldapbind@xxx.saas
bindpw XXXpass
scope sub
ssl no
#tls_checkpeer no
nss_base_passwd dc=xxx,dc=saas?sub
nss_base_shadow dc=xxx,dc=saas?sub
nss_base_group dc=xxx,dc=saas?sub?&(objectCategory=group)(gidnumber=*)
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,orion
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
tls_cacertdir /etc/openldap/cacerts
pam_password md5
#pam_password ad

And my krb5.conf:

[root@xxxdevemp01 etc]# cat krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = XXX.SAAS
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
verify_ap_req_nofail = false
[realms]
XXX.SAAS = {
kdc = XXXDEVADC01.XXX.SAAS:88
admin_server = XXXDEVADC01.XXX.SAAS:749
default_domain = XXX.SAAS
}
[domain_realm]
.xxx.saas = XXX.SAAS
xxx.saas = XXX.SAAS
[login]
krb4_convert=false
krb4_get_tickets=false
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[root@xxxdevemp01 etc]#
Thanks guys, that was helpful.