KRB5_KDCREP_MODIFIED - KDC reply did not match expectations error

[Henry B. Hotz]

On Oct 8, 2008, at 8:56 AM, krbdev-request at mit.edu wrote:

> Date: Tue, 7 Oct 2008 21:46:20 -0400
> From: "Stephen Ince" <since at opendemand.com>
> Subject: KRB5_KDCREP_MODIFIED - KDC reply did not match expectations
>        error
> To: "krbdev" <krbdev at mit.edu>
> Message-ID: <3c0801c928e7$a9968460$6e00a8c0 at desktop2>
> Content-Type: text/plain; format=flowed; charset="iso-8859-1";
>        reply-type=original
>
> Hi, I am very new to kerberos. I am trying to connect to ad kdc  
> server and I
> am getting the following error.
>
> KRB5_KDCREP_MODIFIED - KDC reply did not match expectations.
>
> The call is the following.
>
>    err = krb5_get_in_tkt_with_password(
>        krb5->context,
>        kdcFlags, NULL, NULL, NULL, password, krb5->ccache,
> &krb5->credentials, 0);
>
> I am missing some additional setup. I have this call working when I  
> use a
> kfw kerberos server.  Basically I am doing the following.
>
> krb5_init_context(..
> krb5_parse_name(.
> krb5_build_principal_ext(..
> krb5_cc_resolve(..
> krb5_cc_initialize(..
> krb5_get_in_tkt_with_password(..
>
> Steve


There seem to be two ways this error can happen "in the wild".  1) if  
you are using a Microsoft KDC and the case of the requested principal  
differs from what's in the server's database.  (I've not seen this  
myself.)  2) if you have a Heimdal KDC, the request has the  
renewable_ok flag set, and the time limits are set to allow extension  
of the renewable time limit as that flag suggests.

I've seen the latter with the Sun pam_krb5 module.  The MIT code  
doesn't generally produce requests matching case 2).  IIRC the  
relevant code is in src/lib/krb5/krb/get_in_tkt.c, and 1.6.1b1 does  
not appear to have been fixed.


------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu