KRB5_KDCREP_MODIFIED - KDC reply did not match expectations error
Henry B. Hotz
hotz at jpl.nasa.gov
Wed Oct 8 15:56:57 EDT 2008
On Oct 8, 2008, at 8:56 AM, krbdev-request at mit.edu wrote:
> Date: Tue, 7 Oct 2008 21:46:20 -0400
> From: "Stephen Ince" <since at opendemand.com>
> Subject: KRB5_KDCREP_MODIFIED - KDC reply did not match expectations
> To: "krbdev" <krbdev at mit.edu>
> Message-ID: <3c0801c928e7$a9968460$6e00a8c0 at desktop2>
> Content-Type: text/plain; format=flowed; charset="iso-8859-1";
> Hi, I am very new to Kerberos. I am trying to connect to an AD KDC
> server and I am getting the following error.
> KRB5_KDCREP_MODIFIED - KDC reply did not match expectations.
> The call is the following.
> err = krb5_get_in_tkt_with_password(
>         kdcFlags, NULL, NULL, NULL, password, krb5->ccache,
>         &krb5->credentials, 0);
> I am missing some additional setup. I have this call working when I
> use a KfW Kerberos server. Basically I am doing the following.
There seem to be two ways this error can happen "in the wild". 1) if you are using a Microsoft KDC and the case of the requested principal differs from what's in the server's database. (I've not seen this myself.) 2) if you have a Heimdal KDC, the request has the renewable_ok flag set, and the time limits are set to allow extension of the renewable time limit as that flag suggests.

I've seen the latter with the Sun pam_krb5 module. The MIT code doesn't generally produce requests matching case 2). IIRC the relevant code is in src/lib/krb5/krb/get_in_tkt.c, and 1.6.1b1 does not appear to have been fixed.
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
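The two failure modes described above, as an added model of the client-side AS-REP checks that produce KRB5_KDCREP_MODIFIED; this is constructed example code, not MIT krb5's get_in_tkt.c, and the struct layout, the check list and the sample principals are assumptions (option bit values follow RFC 4120).

```c
/* Constructed model of the AS-REP consistency checks behind
 * KRB5_KDCREP_MODIFIED. Not MIT krb5 code: the struct layout and
 * check list are assumptions; option bit values follow RFC 4120. */
#include <string.h>
#define KDC_OPT_RENEWABLE    0x00800000u
#define KDC_OPT_RENEWABLE_OK 0x00000010u
enum { REPLY_OK = 0, REPLY_MODIFIED = 1 };

typedef struct {
    const char *client, *server;   /* principals as sent in the AS-REQ */
    unsigned kdc_options, nonce;
    long till, rtime;              /* requested endtime / renew-till; 0 = unset */
} as_request;

typedef struct {
    const char *client, *server;   /* principals as the KDC returned them */
    unsigned flags, nonce;         /* ticket flags and nonce from the enc-part */
    long endtime, renew_till;
} as_reply;

/* Reject a reply that disagrees with the request. Principal comparison is
 * exact (like krb5_principal_compare), so a KDC that canonicalises the
 * case of the client name fails the first check. */
int verify_as_reply(const as_request *q, const as_reply *r)
{
    if (strcmp(q->client, r->client) || strcmp(q->server, r->server))
        return REPLY_MODIFIED;            /* case 1 from the thread */
    if (q->nonce != r->nonce)
        return REPLY_MODIFIED;
    if (q->till && r->endtime > q->till)
        return REPLY_MODIFIED;
    if ((q->kdc_options & KDC_OPT_RENEWABLE) && q->rtime && r->renew_till > q->rtime)
        return REPLY_MODIFIED;
    /* case 2: RENEWABLE_OK was set and the KDC pushed renew_till past till */
    if ((q->kdc_options & KDC_OPT_RENEWABLE_OK) && (r->flags & KDC_OPT_RENEWABLE)
        && q->till && r->renew_till > q->till)
        return REPLY_MODIFIED;
    return REPLY_OK;
}

/* Constructed scenario: fixed AS-REQ (till = 1000, nonce = 7); the reply
 * fields the two failure modes depend on are passed in. */
int scenario(const char *reply_client, unsigned options,
             unsigned reply_flags, long reply_renew_till)
{
    as_request q = { "alice@EXAMPLE.COM", "krbtgt/EXAMPLE.COM@EXAMPLE.COM",
                     options, 7, 1000, 0 };
    as_reply r = { reply_client, "krbtgt/EXAMPLE.COM@EXAMPLE.COM",
                   reply_flags, 7, 1000, reply_renew_till };
    return verify_as_reply(&q, &r);
}
```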