Whatever I do, I can't get my Kerberos user to authenticate when I login
or su to that user. I get an "unable to authenticate" message and the
"KDC reply did not match expectations" in the syslog file.
Oct 29 17:23:44 olladmin_1 auth|security:debug su: [krb_authenticate]
Error in getting TGT ...
Oct 29 17:23:44 olladmin_1 auth|security:debug su: KDC reply did not
match expectations
Oct 29 17:23:44 olladmin_1 auth|security:crit su: BAD SU from plamping
to krbtest at /dev/pts/60
Here's my config.krb5 command, run from our AIX server
olladmin_1.ollusa.edu:
config.krb5 -C -r OLLUSA -d ollusa.edu -c ollusa4.ollusa.edu -s
ollusa4.ollusa.edu
I think that my REALM (the -r parameter) is OLLUSA because when I open
up "Active Directory Users and Computers" tool, the properties of the
main entry, ollusa.edu, says that the Domain name = OLLUSA. I made sure
that it is capitalized in the krb5.conf file.
Our Active Directory admins ran the Ktpass command this way:
Ktpass -princ host/olladmin_1.ollusa.edu@OLLUSA -mapuser olladmin_1
-pass ******** -out olladmin_1.keytab
I transferred the keytab file and imported it using ktutil, creating
krb5.keytab. I made sure that KVNO as listed in ktutil is the same as
the output of the Ktpass command.
I added these lines to my /usr/lib/security/methods.cfg
KRB5A:
program = /usr/lib/security/KRB5A
program_64 = /usr/lib/security/KRB5A_64
options = authonly,tgt_verify=no,kadmind=no,is_kadmind_compat=no
KRB5Afiles:
options = db=BUILTIN,auth=KRB5A
I updated /etc/krb5/krb5.conf so that the default_tkt_enctypes and
default_tgs_enctypes were set to "des-cbc-md5 des-cbc-crc" and I added
the line "dns_lookup_kdc = true".
Then I created users in both AD and AIX, making sure that the AIX user
was set up with "registry=KRB5Afiles SYSTEM=KRB5Afiles".
I checked the clocks. My AD server and my AIX server are 4 minutes
apart. I think the Kerberos limit is 5 minutes.
So I've exhausted all the hints and advice that I've seen on all the
mailing lists and forums. Does anyone have any more ideas?
Paul
The trouble was the 'realm' parameter should have been named
"OLLUSA.EDU" and not "OLLUSA." I had seen the OLLUSA name mentioned in
the Active Directory tools area, but I learned that the Kerberos domain
name is always the domain name (ollusa.edu) in upper case. By viewing
the event logs on the AD server, I found a successful login that had
used the OLLUSA.EDU realm, so that provided the necessary clue.
Paul
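A small consistency check for the two points this thread turns on (the realm must be the upper-cased DNS domain, and the keytab principal issued by Ktpass must carry that same realm), plus a parser that pulls the failing su attempts out of syslog entries like the ones quoted above. This is an added example, not Paul's code or any AIX or Kerberos tool; the sample log lines are constructed from the ones in the post, and the function and regex names are my own.

```python
import re

# Constructed sample syslog lines, modelled on those quoted in the thread
# (the quoted lines are wrapped; here each entry is on one line).
SAMPLE_SYSLOG = """\
Oct 29 17:23:44 olladmin_1 auth|security:debug su: [krb_authenticate] Error in getting TGT ...
Oct 29 17:23:44 olladmin_1 auth|security:debug su: KDC reply did not match expectations
Oct 29 17:23:44 olladmin_1 auth|security:crit su: BAD SU from plamping to krbtest at /dev/pts/60
"""

MAX_CLOCK_SKEW = 300  # default Kerberos clock-skew tolerance, in seconds

def check_realm_setup(realm, dns_domain, keytab_principal, clock_skew_seconds):
    """Return a list of findings for the misconfigurations behind
    'KDC reply did not match expectations'; an empty list means consistent."""
    findings = []
    expected_realm = dns_domain.upper()  # an AD realm is the DNS domain in upper case
    if realm != expected_realm:
        findings.append(f"config.krb5 -r {realm} should be {expected_realm}")
    princ_realm = keytab_principal.rsplit("@", 1)[1] if "@" in keytab_principal else ""
    if princ_realm != expected_realm:
        findings.append(f"keytab principal realm {princ_realm!r} should be {expected_realm!r}")
    if abs(clock_skew_seconds) > MAX_CLOCK_SKEW:
        findings.append(f"clock skew {clock_skew_seconds}s exceeds {MAX_CLOCK_SKEW}s")
    return findings

# "Mon DD HH:MM:SS host facility prog: message" as AIX syslog writes it
LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+ (?P<prog>\w+): (?P<msg>.*)$")

def kdc_mismatch_events(syslog_text):
    """Pair each 'KDC reply did not match expectations' entry with the
    'BAD SU' entry that follows it, so the failing su attempts can be listed."""
    events, pending = [], None
    for line in syslog_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["prog"] != "su":
            continue
        msg = m["msg"]
        if "KDC reply did not match expectations" in msg:
            pending = {"time": m["ts"], "host": m["host"]}
        elif pending and msg.startswith("BAD SU from "):
            who = re.match(r"BAD SU from (\S+) to (\S+) at (\S+)", msg)
            if who:
                pending.update(from_user=who[1], to_user=who[2], tty=who[3])
                events.append(pending)
            pending = None
    return events

if __name__ == "__main__":
    # Values from the thread: realm OLLUSA against domain ollusa.edu, 4 minutes of skew
    for f in check_realm_setup("OLLUSA", "ollusa.edu", "host/olladmin_1.ollusa.edu@OLLUSA", 240):
        print("finding:", f)
    for e in kdc_mismatch_events(SAMPLE_SYSLOG):
        print("failed su:", e)
```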