Strange behaviour of kinit [Solved]

Lars Hanke debian at lhanke.de
Sat Sep 13 05:02:43 EDT 2014


> On Fri, 2014-09-12 at 22:08 +0200, Lars Hanke wrote:
>> Am 12.09.2014 21:14, schrieb steve:
>

Solution summary: NTP was not running properly and the Samba4 KDC seems 
to be more picky about time than the MIT KDC. After resynchronizing I 
get tickets from Samba4.

The rest attached informally to help others:

>>>
>>> DNS? Is the 386 client pointing _only_ at the Samba4 DC?
>>
>> The 386 client points to the AD DNS.
> Does Samba4 DC == AD DNS?

No, it's a separate bind9, which replicates the Samba4 DNS.

> Guessing: You don't want to use any domain services on the 386 client.

Yes, that's the idea. I'm aiming at a setup as described here: 
https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd

> You simply want to authenticate? Is the Samba4 DC serving MGR?

No, the Samba4 DC serves AD.MICROSULT.DE. The respective DNS has no 
Kerberos entries for MGR. Still the client bound to that DNS can 
authenticate to MGR, but not to AD.MICROSULT.DE.

And it definitely connects. If I choose a non-existing user name, I get 
"client not found". Wrong password BTW yields "Password incorrect" on 
MGR at least.

Wireshark shows that a request is sent to the DC to 
krbtgt/AD.MICROSULT.DE and the DC answers KRB5KDC_ERR_PREAUTH_REQUIRED 
(25). This happens twice.

Doing the same from the amd64 client I also see two requests for krbtgt. 
The first is also denied with error 25, the second is granted. Apart 
from the nonce, there's a difference in the padata, i.e. the second 
request adds a PA-ENC-TIMESTAMP. The behaviour is the same on the 386 
client.

... and that brought me to check NTP!
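Added illustration, not code from the thread: a simplified Python model of the two-request AS exchange seen in the capture, including the KDC's check of the PA-ENC-TIMESTAMP against its own clock. HMAC stands in for Kerberos encryption, the account, password and clock values are constructed, and the error codes follow RFC 4120's table (the Samba4 KDC in the thread answered the skewed retry with error 25 rather than 37, so the exact rejection code is an assumption of this model).

```python
import hashlib
import hmac
import struct

KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN = 6   # "client not found"
KRB5KDC_ERR_PREAUTH_FAILED = 24       # wrong key: "Password incorrect"
KRB5KDC_ERR_PREAUTH_REQUIRED = 25     # the code seen in the Wireshark capture
KRB_AP_ERR_SKEW = 37                  # "Clock skew too great"
CLOCKSKEW = 300                       # seconds; MIT krb5's default clockskew

def client_key(password, realm, principal):
    # Stand-in for string-to-key; real etypes salt with realm and principal too.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 4096)

def pa_enc_timestamp(key, client_time):
    # Model of PA-ENC-TIMESTAMP: the client's clock, bound to its key by a MAC.
    ts = struct.pack(">I", client_time)
    return ts + hmac.new(key, ts, hashlib.sha256).digest()

class KDC:
    def __init__(self, realm, principals):  # principals: {name: password}
        self.realm = realm
        self.keys = {p: client_key(pw, realm, p) for p, pw in principals.items()}

    def as_req(self, cname, kdc_time, padata=None):
        """One AS-REQ; returns (error code or 0, text) like a KRB-ERROR / AS-REP."""
        key = self.keys.get(cname)
        if key is None:
            return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, "client not found"
        if padata is None:  # first request carries no padata: demand preauth
            return KRB5KDC_ERR_PREAUTH_REQUIRED, "PA-ENC-TIMESTAMP required"
        ts, mac = padata[:4], padata[4:]
        if not hmac.compare_digest(mac, hmac.new(key, ts, hashlib.sha256).digest()):
            return KRB5KDC_ERR_PREAUTH_FAILED, "Password incorrect"
        if abs(struct.unpack(">I", ts)[0] - kdc_time) > CLOCKSKEW:
            return KRB_AP_ERR_SKEW, "Clock skew too great"
        return 0, "TGT for %s@%s" % (cname, self.realm)

def kinit(kdc, cname, password, client_time, kdc_time):
    """The two AS-REQs from the capture: bare probe, then retry with a timestamp."""
    err, _ = kdc.as_req(cname, kdc_time)
    if err != KRB5KDC_ERR_PREAUTH_REQUIRED:
        return err
    key = client_key(password, kdc.realm, cname)
    return kdc.as_req(cname, kdc_time, pa_enc_timestamp(key, client_time))[0]

if __name__ == "__main__":
    kdc = KDC("AD.MICROSULT.DE", {"alice": "constructed-pw"})  # constructed account
    now = 1410598963  # constructed KDC clock
    print(kinit(kdc, "alice", "constructed-pw", now, now), kinit(kdc, "alice", "constructed-pw", now - 3600, now))
```

With the client clock an hour off, the first request gets error 25 as before and the retry is rejected on the timestamp check, which is exactly what resynchronizing NTP cures.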