  • #2280295

    Kerberos Errors w/ AD/Linux integration

    by laird.beamesderfer ·

    Does anyone else have this working?
    See Article:
    http://techrepublic.com.com/5100-6350-5031974.html

    I get the following error messages when I try to log into AD:
    kinit(v5): KDC reply did not match expectations while getting initial credentials

    If I use the wrong password, I get:
    kinit(v5): Password incorrect while getting initial credentials

    Is there some change that must be made on the AD side that is not mentioned in this article?

    I can’t find any logs on this on the linux box, and the only help that I have found online has just given me the full error code:
    KRB5_KDCREP_MODIFIED: KDC reply did not match expectations

    I can’t find any more information on this.

    Any help you could provide would be an amazing bit of assistance.

    Thanks in advance.

All Comments

    • #2697675

      Reply To: Kerberos Errors w/ AD/Linux integration

      by johnj ·

      Are you using Samba 3.0? If yes, have you tried typing the AD domain name in all caps?
      Try this in a root console: /usr/kerberos/bin/kinit administrator@YOURDOMAIN.COM
      It should prompt for a password. If not, try the domain in all small letters.
      You should all check your /etc/samba/smb.conf file to make sure it has these lines:

      realm = YOURDOMAIN.COM
      ads server = 10.50.100.36
      security = ADS
      encrypt passwords = yes

      When you’re done with that, join the linux box to the AD.

      net ads join

      You should get a confirmation that the linux box has been added to the AD.

      I have a RedHat 9.0 server with Samba 3.0 on a Win2K AD, and this works for me. I am still having difficulties with the Linux box authenticating AD users, though.

      John Wheaton
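
The all-caps suggestion in the reply above matters because Kerberos realm names are case-sensitive and Active Directory realms are conventionally written in upper case. The following is an added example, not part of the original thread: a shell check that the realm is spelled identically in krb5.conf, smb.conf and the principal given to kinit. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compare the realm spelling used in
# krb5.conf, smb.conf and the kinit principal. Function names are hypothetical.

# Print the value of KEY (first occurrence) from an ini-style FILE.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$2" | head -n 1
}

# check_realm KRB5_CONF SMB_CONF PRINCIPAL
# Prints one line per finding; returns 0 when consistent, 1 otherwise.
check_realm() {
    krb=$(conf_value default_realm "$1")
    smb=$(conf_value realm "$2")
    case $3 in
        *@*) princ=${3#*@} ;;   # realm typed on the kinit command line
        *)   princ=$krb ;;      # no realm given: kinit uses default_realm
    esac
    rc=0
    for pair in "krb5.conf:$krb" "smb.conf:$smb" "principal:$princ"; do
        name=${pair%%:*}
        value=${pair#*:}
        upper=$(printf '%s' "$value" | tr '[:lower:]' '[:upper:]')
        if [ -z "$value" ]; then
            echo "$name: no realm found"; rc=1
        elif [ "$value" != "$upper" ]; then
            echo "$name: realm '$value' is not upper case"; rc=1
        fi
    done
    if [ "$krb" != "$smb" ] || [ "$krb" != "$princ" ]; then
        echo "mismatch: krb5.conf='$krb' smb.conf='$smb' principal='$princ'"; rc=1
    fi
    return "$rc"
}

# Constructed sample files: smb.conf uses the realm line from the post,
# krb5.conf carries a lower-case realm to show what the check reports.
demo=$(mktemp -d)
printf '[libdefaults]\n default_realm = yourdomain.com\n' > "$demo/krb5.conf"
printf '[global]\n realm = YOURDOMAIN.COM\n security = ADS\n' > "$demo/smb.conf"
check_realm "$demo/krb5.conf" "$demo/smb.conf" administrator@YOURDOMAIN.COM ||
    echo "realm spelling is inconsistent"
rm -rf "$demo"
```

On a real host, pass /etc/krb5.conf and /etc/samba/smb.conf in place of the sample files.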

    • #3301761

      Reply To: Kerberos Errors w/ AD/Linux integration

      by br ·

      As a note to johnj's answer:
      You must give samba/winbind a user which is able to look up users in AD (not sure which attributes). If you use the builtin Administrator for this purpose or try to log on as administrator, make sure you changed your password since the “dcpromo” process. The password will only be saved in a KRB-interoperable way if you changed it after AD domain promotion!!

      Hope this helps…