[38873] in Kerberos


Re: FW: kinit failing when AD user joining using smartcard PIN on

daemon@ATHENA.MIT.EDU (Ken Hornstein)
Wed Mar 3 14:58:15 2021

Message-ID: <202103031303.123D3dNJ002595@hedwig.cmf.nrl.navy.mil>
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
To: Vikram Yadav <vikrampal@gmail.com>
In-Reply-To: <CALZLQ=Y2y6azdRPe_K8Xg03pY2ypcAuAy2pnHhWAjvm-oL3YGA@mail.gmail.com>
MIME-Version: 1.0
Date: Wed, 03 Mar 2021 08:05:02 -0500
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

>PFA the latest logs.
>
>I'm able to enter the PIN then this log is generated. Please let us
>know what is the next step?
>
>[...]
>kinit: KDC reply did not match expectations while getting initial credentials

Huh, JUST when you think you've seen every Kerberos error, you get a new
one.

So, I am kinda surprised your KDC certificate doesn't contain even an
id-kp-serverAuth EKU.  I wonder who created the server certificate?  Was
this just a test realm that was deployed internally?

So, I am wondering ... is your realm name blrdhcdev.com or BLRDHCDEV.COM?
(Case matters).  Because in the kinit command you use the lower-case form
but some of the log messages imply that it's the upper-case form.
I suspect you're getting tripped up by the code in
get_in_tkt.c:verify_as_reply() that compares various fields in the request
against the reply, so if your request is using the lower-case realm but
the reply is with an upper-case realm, that could cause this error.  If
you put a bunch of config file entries in your krb5.conf based on
the lower-case realm, those should all be in upper case.

(In general, Kerberos realms are upper-case.  The only person I know who
deployed a lower-case realm said that if he had to do it all over again,
he wouldn't because too much code assumes an upper-case realm).

--Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
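As an added illustration of the failure mode Ken describes (this is example code written for this archive page, not MIT krb5 code and not something posted in the thread), the script below does two things: `as_reply_matches()` imitates the spirit of the `verify_as_reply()` comparison by checking the client principal from the request against the one in the reply byte-for-byte, so that a realm differing only in case is reported as a case mismatch; and `find_lowercase_realms()` scans a krb5.conf for realm names under `default_realm`, `[realms]` and `[domain_realm]` that are not upper case. The sample krb5.conf, the principal `alice`, and the hostname and path values inside it are constructed for the example; the realm spelling comes from the thread.

```python
"""Diagnose a realm-case mismatch between a kinit request and the KDC reply.

Constructed example for this page; it mirrors the idea behind
get_in_tkt.c:verify_as_reply() (principal fields must match exactly) but
is not the MIT krb5 implementation.
"""
import re
from typing import NamedTuple


class Principal(NamedTuple):
    name: str
    realm: str


def parse_principal(text: str) -> Principal:
    """Split 'name@REALM' at the last '@'; both parts must be present."""
    name, _, realm = text.rpartition("@")
    if not name or not realm:
        raise ValueError(f"malformed principal: {text!r}")
    return Principal(name, realm)


def as_reply_matches(request_client: str, reply_client: str) -> tuple[bool, str]:
    """Compare request and reply client principals the way the library does:
    case-sensitively.  Returns (ok, reason)."""
    req = parse_principal(request_client)
    rep = parse_principal(reply_client)
    if req == rep:
        return True, "client principal matches"
    # Same realm ignoring case is exactly the trap described in the thread.
    if req.realm != rep.realm and req.realm.upper() == rep.realm.upper():
        return False, f"realm case mismatch: request {req.realm!r} vs reply {rep.realm!r}"
    return False, f"client principal mismatch: {request_client!r} vs {reply_client!r}"


SECTION_RE = re.compile(r"^\s*\[(\w+)\]\s*$")


def find_lowercase_realms(conf: str) -> list[tuple[int, str]]:
    """Return (line number, realm) for every realm name in krb5.conf text
    that is not entirely upper case."""
    findings = []
    section = None
    depth = 0  # brace nesting inside [realms]; only top-level keys are realms
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, depth = m.group(1), 0
            continue
        realm = None
        if section == "libdefaults":
            key, _, value = line.partition("=")
            if key.strip() == "default_realm":
                realm = value.strip()
        elif section == "realms":
            if depth == 0 and "=" in line:
                realm = line.partition("=")[0].strip()  # 'REALM = {'
            depth += line.count("{") - line.count("}")
        elif section == "domain_realm":
            realm = line.partition("=")[2].strip()  # '.domain = REALM'
        if realm and realm != realm.upper():
            findings.append((lineno, realm))
    return findings


# Constructed sample configuration (hostnames and paths are placeholders).
SAMPLE_KRB5_CONF = """\
# constructed sample krb5.conf; not from the original thread
[libdefaults]
    default_realm = blrdhcdev.com
    dns_lookup_kdc = true

[realms]
    blrdhcdev.com = {
        kdc = dc01.blrdhcdev.com
        admin_server = dc01.blrdhcdev.com
        pkinit_anchors = FILE:/etc/krb5/cacert.pem
    }

[domain_realm]
    .blrdhcdev.com = blrdhcdev.com
    blrdhcdev.com = blrdhcdev.com
"""


if __name__ == "__main__":
    print(as_reply_matches("alice@blrdhcdev.com", "alice@BLRDHCDEV.COM"))
    for lineno, realm in find_lowercase_realms(SAMPLE_KRB5_CONF):
        print(f"krb5.conf line {lineno}: realm {realm!r} is not upper case")
```

Running it against the sample flags the `default_realm`, the `[realms]` key and both `[domain_realm]` values; rewriting those four entries in upper case makes the scan come back empty, which is the change Ken suggests before retrying kinit with the upper-case realm.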
