KRB5 <-> KRB4 - kinit password incorrect

Frederik Meerwaldt frederik at
Thu Oct 9 05:10:20 EDT 2003

Dear group,

I am currently trying to incorporate Kerberos authentication on our 
Cray-Cyber ( machines, but unfortunately I 
have some problems.

Kerberos server:
	- Debian GNU/Linux 3.0
	- MIT Kerberos 5 1.3.1 (current distribution - compiled from source)
	- The config-files are to be found at the bottom of this mail

Kerberos Client:
	- Cray Y-MP EL running UNICOS
	- Kerberos IV client shipped with Unicos
	- Config-files to be found at the bottom of this mail.

The following processes are running on the server:
	- krb5kdc -4 full
	- kadmind
	- krb524d -m

When I want to obtain a Kerberos ticket on the Cray using kinit, I
get the following message:

[frederik at yel frederik]$ kinit
Cray Research Kerberos Project (
Kerberos Initialization
Kerberos name: frederik
kinit: Password incorrect

OK - it seems to find me on the Kerberos server, but I'm not even 
prompted for my password.
In /var/log/krb5kdc.log on the server, the relevant lines read:

Oct 09 11:00:51 server krb5kdc[24221](info): PROCESS_V4:Initial ticket 
request Host: User: "frederik" ""

But no problems are reported there.
On the server I have no problems obtaining a ticket:

[frederik at server frederik]$ kinit -4
Password for frederik at CRAY-CYBER.ORG:
[frederik at server frederik]$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1001)

Kerberos 4 ticket cache: /tmp/tkt1001
Principal: frederik at CRAY-CYBER.ORG

   Issued              Expires             Principal
10/09/03 11:02:41  10/09/03 21:02:41  krbtgt.CRAY-CYBER.ORG at CRAY-CYBER.ORG

The log file on the server after obtaining a ticket read exactly the 
same line (not more, not less) as when obtaining a ticket from the Cray.

What am I doing wrong here?
I should be able to obtain a ticket on the Cray, shouldn't I??
In which way are the realms case sensitive?
Or may I only obtain a ticket on the kdc?

Thanks a lot for your help,

Here are the configuration files:
/etc/krb5.conf from the server:

         default_realm = CRAY-CYBER.ORG
         krb4_config = /etc/krb.conf
         krb4_realms = /etc/krb.realms

         CRAY-CYBER.ORG = {
                 kdc =
                 admin_server =
                 default_domain =

[domain_realm] = CRAY-CYBER.ORG = CRAY-CYBER.ORG

         kdc = FILE:/var/log/krb5kdc.log
         admin_server = FILE:/var/log/kadmin.log
         default = FILE:/var/log/krb5lib.log

/etc/krb.conf on the server:

CRAY-CYBER.ORG admin server

/etc/krb.realms on the server:

CRAY-CYBER.ORG  CRAY-CYBER.ORG

/usr/local/var/krb5kdc/kdc.conf on the server:

         kdc_ports = 750,88

         CRAY-CYBER.ORG = {
                 supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4
                 database_name = /usr/local/var/krb5kdc/principal
                 admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
                 acl_file = /usr/local/var/krb5kdc/kadm5.acl
                 key_stash_file = /usr/local/var/krb5kdc/.k5.CRAY-CYBER.ORG
                 kdc_ports = 750,88
                 max_life = 10h 0m 0s
                 max_renewable_life = 7d 0h 0m 0s

/etc/krb.conf on the Cray:

CRAY-CYBER.ORG server admin server

/etc/krb.realms on the Cray:

