[31633] in Kerberos


Kerberos error - KDC reply did not match expectations

daemon@ATHENA.MIT.EDU (Lamping, Paul A)
Thu Oct 29 18:46:32 2009

Date: Thu, 29 Oct 2009 17:45:52 -0500
Message-ID: <CE6B9147618B8C4182DC74ED3BAA0FBA088B7F@stfexchange.ollusa.edu>
From: "Lamping, Paul A" <plamping@lake.ollusa.edu>
To: <kerberos@mit.edu>

I'm new to Kerberos and I have an issue in setting my AIX 5.3 system to
authenticate against a Windows 2003 Active Directory server via
Kerberos.  I followed the instructions from the IBM website on Kerberos
integration
(http://publib.boulder.ibm.com/infocenter/systems/index.jsp?topic=/com.ibm.aix.security/doc/security/kerberos_auth_only_load_module.htm).

Whatever I do, I can't get my Kerberos user to authenticate when I login
or su to that user.  I get an "unable to authenticate" message and the
"KDC reply did not match expectations" in the syslog file.

Oct 29 17:23:44 olladmin_1 auth|security:debug su: [krb_authenticate] Error in getting TGT ...
Oct 29 17:23:44 olladmin_1 auth|security:debug su: KDC reply did not match expectations
Oct 29 17:23:44 olladmin_1 auth|security:crit su: BAD SU from plamping to krbtest at /dev/pts/60

Here's my config.krb5 command, run from our AIX server olladmin_1.ollusa.edu:

config.krb5 -C -r OLLUSA -d ollusa.edu -c ollusa4.ollusa.edu -s ollusa4.ollusa.edu

I think that my REALM (the -r parameter) is OLLUSA because when I open
up "Active Directory Users and Computers" tool, the properties of the
main entry, ollusa.edu, says that the Domain name = OLLUSA.  I made sure
that it is capitalized in the krb5.conf file.

Our Active Directory admins ran the Ktpass command this way:

Ktpass -princ host/olladmin_1.ollusa.edu@OLLUSA -mapuser olladmin_1 -pass ******** -out olladmin_1.keytab

I transferred the keytab file and imported it using ktutil, creating
krb5.keytab.  I made sure that KVNO as listed in ktutil is the same as
the output of the Ktpass command.

I added these lines to my /usr/lib/security/methods.cfg:

KRB5A:
        program = /usr/lib/security/KRB5A
        program_64 = /usr/lib/security/KRB5A_64
        options = authonly,tgt_verify=no,kadmind=no,is_kadmind_compat=no

KRB5Afiles:
        options = db=BUILTIN,auth=KRB5A

I updated /etc/krb5/krb5.conf so that the default_tkt_enctypes and
default_tgs_enctypes were set to "des-cbc-md5 des-cbc-crc" and I added
the line "dns_lookup_kdc = true".

Then I created users in both AD and AIX, making sure that the AIX user
was set up with "registry=KRB5Afiles SYSTEM=KRB5Afiles".

I checked the clocks.  My AD server and my AIX server are 4 minutes
apart.  I think the Kerberos limit is 5 minutes.

So I've exhausted all the hints and advice that I've seen on all the
mailing lists and forums.  Does anyone have any more ideas?

Paul

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
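Checking the realm, enctype and clock settings from this message mechanically, as an added example that is not part of the original post or of IBM's config.krb5 tooling: against an Active Directory KDC the Kerberos realm is the DNS domain name in uppercase (OLLUSA.EDU for the domain ollusa.edu), not the NetBIOS domain name that "Active Directory Users and Computers" displays, so the check flags a default_realm that differs from it, DES-only enctypes, and clock skew near the 300 s default limit. The krb5.conf text, the function names and the 300 s default are assumptions of the example.

```python
import re
# Constructed sample mirroring the post's settings (realm OLLUSA, domain
# ollusa.edu, DES-only enctypes); it is not the poster's real file.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = OLLUSA
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc
[realms]
    OLLUSA = {
        kdc = ollusa4.ollusa.edu:88
    }
"""
# Single-DES and RC4 are broken/deprecated: flag them rather than rely on them.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "rc4-hmac", "arcfour-hmac"}

def parse_krb5_conf(text):
    """Minimal krb5.conf reader; 'NAME = { ... }' blocks become nested dicts."""
    conf, section, block = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if re.fullmatch(r"\[\w+\]", line):        # [section] header
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line.endswith("{"):                  # e.g. "OLLUSA = {" under [realms]
            block = section.setdefault(line[:-1].split("=")[0].strip(), {})
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            (section if block is None else block)[key] = value
    return conf

def check_ad_client_conf(text, dns_domain, clock_skew_seconds):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_krb5_conf(text)
    lib, findings = conf.get("libdefaults", {}), []
    realm, want = lib.get("default_realm", ""), dns_domain.upper()
    if realm != want:  # AD realm = uppercase DNS domain, never the NetBIOS name
        findings.append(f"default_realm {realm!r} should be {want!r}")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        weak = set(lib.get(key, "").split()) & WEAK_ENCTYPES
        if weak:
            findings.append(f"{key} allows weak enctypes: {' '.join(sorted(weak))}")
    limit = int(lib.get("clockskew", 300))  # assumed MIT libkrb5 default: 300 s
    if clock_skew_seconds * 2 > limit:      # more than half the limit is too close
        findings.append(f"clock skew {clock_skew_seconds}s is close to the {limit}s limit")
    return findings
```

Run against the sample with the post's 4-minute (240 s) skew, it reports the realm, both enctype settings and the skew; with OLLUSA.EDU, AES enctypes and synchronised clocks it reports nothing. Separately, tgt_verify=no in methods.cfg disables the keytab-based check that protects login against a spoofed KDC, so it should go back to yes once the keytab works.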
