Problem solved!

The trouble was that the 'realm' parameter should have been named "OLLUSA.EDU" and not "OLLUSA." I had seen the OLLUSA name mentioned in the Active Directory tools area, but I learned that the Kerberos domain name is always the domain name (ollusa.edu) in upper case. By viewing the event logs on the AD server, I found a successful login that had used the OLLUSA.EDU realm, so that provided the necessary clue.

Paul

From: Lamping, Paul A
Sent: Thursday, October 29, 2009 5:46 PM
To: '[email protected]'
Subject: Kerberos error - KDC reply did not match expectations

I'm new to Kerberos and I have an issue in setting my AIX 5.3 system to authenticate against a Windows 2003 Active Directory server via Kerberos. I followed the instructions from the IBM website on Kerberos integration (http://publib.boulder.ibm.com/infocenter/systems/index.jsp?topic=/com.ibm.aix.security/doc/security/kerberos_auth_only_load_module.htm).

Whatever I do, I can't get my Kerberos user to authenticate when I log in or su to that user. I get an "unable to authenticate" message and the "KDC reply did not match expectations" in the syslog file.

Oct 29 17:23:44 olladmin_1 auth|security:debug su: [krb_authenticate] Error in getting TGT ...
Oct 29 17:23:44 olladmin_1 auth|security:debug su: KDC reply did not match expectations
Oct 29 17:23:44 olladmin_1 auth|security:crit su: BAD SU from plamping to krbtest at /dev/pts/60

Here's my config.krb5 command, run from our AIX server olladmin_1.ollusa.edu:

config.krb5 -C -r OLLUSA -d ollusa.edu -c ollusa4.ollusa.edu -s ollusa4.ollusa.edu

I think that my REALM (the -r parameter) is OLLUSA because when I open up the "Active Directory Users and Computers" tool, the properties of the main entry, ollusa.edu, say that the Domain name = OLLUSA. I made sure that it is capitalized in the krb5.conf file.

Our Active Directory admins ran the Ktpass command this way:

Ktpass -princ host/olladmin_1.ollusa....@ollusa -mapuser olladmin_1 -pass ******** -out olladmin_1.keytab

I transferred the keytab file and imported it using ktutil, creating krb5.keytab. I made sure that the KVNO as listed in ktutil is the same as the output of the Ktpass command.

I added these lines to my /usr/lib/security/methods.cfg:

KRB5A:
        program = /usr/lib/security/KRB5A
        program_64 = /usr/lib/security/KRB5A_64
        options = authonly,tgt_verify=no,kadmind=no,is_kadmind_compat=no

KRB5Afiles:
        options = db=BUILTIN,auth=KRB5A

I updated /etc/krb5/krb5.conf so that the default_tkt_enctypes and default_tgs_enctypes were set to "des-cbc-md5 des-cbc-crc" and I added the line "dns_lookup_kdc = true".

Then I created users in both AD and AIX, making sure that the AIX user was set up with "registry=KRB5Afiles SYSTEM=KRB5Afiles".

I checked the clocks. My AD server and my AIX server are 4 minutes apart. I think the Kerberos limit is 5 minutes.

So I've exhausted all the hints and advice that I've seen on all the mailing lists and forums. Does anyone have any more ideas?

Paul
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
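The rule Paul arrived at (against Active Directory, the Kerberos realm is the DNS domain in upper case, not the NetBIOS short name) as a small configuration checker. This is an added example, not code from the thread or from AIX: it parses a constructed krb5.conf carrying the original OLLUSA misconfiguration and reports every place where the realm disagrees with the domain. The KDC hostname comes from the thread; the file layout and the checker's names are assumptions.

```python
# Constructed krb5.conf mirroring the thread's misconfiguration: the realm was
# set to the NetBIOS-style name "OLLUSA" instead of "OLLUSA.EDU".
BAD_KRB5_CONF = """\
[libdefaults]
    default_realm = OLLUSA
[realms]
    OLLUSA = {
        kdc = ollusa4.ollusa.edu
    }
[domain_realm]
    .ollusa.edu = OLLUSA
    ollusa.edu = OLLUSA
"""
# Same file with the realm corrected, for comparison.
FIXED_KRB5_CONF = (BAD_KRB5_CONF.replace("= OLLUSA\n", "= OLLUSA.EDU\n")
                   .replace("OLLUSA = {", "OLLUSA.EDU = {"))

def parse_krb5_conf(text):
    """Minimal krb5.conf parser; per-realm { } blocks become nested dicts."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif line.endswith("{"):
            block = line[:-1].split("=")[0].strip()
            conf[section][block] = {}
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            (conf[section][block] if block else conf[section])[key] = value
    return conf

def realm_problems(conf, dns_domain):
    """Compare every realm reference with the AD rule: realm == DNS domain upper-cased."""
    expected = dns_domain.upper()
    default = conf.get("libdefaults", {}).get("default_realm", "")
    findings = []
    if default != expected:
        findings.append(f"default_realm {default!r} != {expected!r}")
    if "." not in default:
        findings.append(f"{default!r} looks like a NetBIOS short name, not a realm")
    if expected not in conf.get("realms", {}):
        findings.append(f"[realms] has no {expected!r} block (no KDC to contact)")
    for dom, realm in conf.get("domain_realm", {}).items():
        if dom.lstrip(".") == dns_domain and realm != expected:
            findings.append(f"[domain_realm] maps {dom} to {realm!r}, not {expected!r}")
    return findings
```

Running realm_problems(parse_krb5_conf(BAD_KRB5_CONF), "ollusa.edu") lists five findings, all traceable to the OLLUSA name; the corrected file yields none.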
