[38879] in Kerberos
Re: FW: kinit failing when AD user joining using smartcard PIN on
daemon@ATHENA.MIT.EDU (Vikram Yadav)
Thu Mar 4 11:28:39 2021
In-Reply-To: <202103031303.123D3dNJ002595@hedwig.cmf.nrl.navy.mil>
From: Vikram Yadav <vikrampal@gmail.com>
Date: Thu, 4 Mar 2021 15:26:11 +0530
Message-ID: <CALZLQ=bafkH4czWGH-7wbQsCYaWWr64PUaNGFLxqPRxBM1gZLQ@mail.gmail.com>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: kerberos@mit.edu

Hello Ken,

kinit is successful now. Thank you so much for your kind help!

Regards,
Vikram

On Wed, 3 Mar 2021 at 18:35, Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:
>
> >PFA the latest logs.
> >
> >I'm able to enter the PIN then this log is generated. Please let us
> >know what is the next step?
> >
> >[...]
> >kinit: KDC reply did not match expectations while getting initial credentials
>
> Huh, JUST when you think you've seen every Kerberos error, you get a new
> one.
>
> So, I am kinda surprised your KDC certificate doesn't contain even an
> id-kp-serverAuth EKU. I wonder who created the server certificate? Was
> this just a test realm that was deployed internally?
>
> So, I am wondering ... is your realm name blrdhcdev.com or BLRDHCDEV.COM?
> (Case matters). Because in the kinit command you use the lower-case form
> but some of the log messages imply that it's the upper-case form.
> I suspect you're getting tripped up by the code in
> get_in_tkt.c:verify_as_reply() that compares various fields in the request
> against the reply, so if your request is using the lower-case realm but
> the reply is with an upper-case realm, that could cause this error. If
> you put a bunch of config file entries in your krb5.conf based on
> the lower-case realm, those should all be in upper case.
>
> (In general, Kerberos realms are upper-case. The only person I know who
> deployed a lower-case realm said that if he had to do it all over again,
> he wouldn't because too much code assumes an upper-case realm).
>
> --Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
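
An added example, not part of the original thread or of MIT krb5: a small checker that flags realm names in a krb5.conf that are not upper-case, which is the configuration condition Ken suggests correcting above. The sample config, the `dc1` host name and the function name are constructed for illustration; the check covers only `default_realm`, the `[realms]` stanza names and the `[domain_realm]` mappings.

```python
import re

# Constructed sample krb5.conf using the lower-case realm form from the thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = blrdhcdev.com

[realms]
    blrdhcdev.com = {
        kdc = dc1.blrdhcdev.com
    }

[domain_realm]
    .blrdhcdev.com = BLRDHCDEV.COM
    blrdhcdev.com = blrdhcdev.com
"""

def find_lowercase_realms(conf_text):
    """Return (line_no, section, realm) for each realm name that is not upper-case."""
    findings, section, depth = [], None, 0
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                  # new section header
            section, depth = m.group(1), 0
            continue
        if line.startswith("}"):               # end of a realm stanza
            depth -= 1
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if not sep:
            continue
        realm = None
        if section == "libdefaults" and key == "default_realm":
            realm = value                      # realm is the value
        elif section == "realms" and depth == 0 and value.startswith("{"):
            realm = key                        # realm is the stanza name
        elif section == "domain_realm":
            realm = value                      # host/domain -> realm mapping
        if value.startswith("{") and not value.endswith("}"):
            depth += 1
        if realm and realm != realm.upper():
            findings.append((line_no, section, realm))
    return findings

if __name__ == "__main__":
    print(find_lowercase_realms(SAMPLE_KRB5_CONF))
```

Host names such as the `kdc` entry are not flagged, since only realm names are expected to be upper-case.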