KRB5_KDCREP_MODIFIED - KDC reply did not match expectations error

Stephen Ince since at opendemand.com
Wed Oct 8 17:19:45 EDT 2008


Henry,
    Thx for the tip.

Steve
----- Original Message ----- 
From: "Henry B. Hotz" <hotz at jpl.nasa.gov>
To: <krbdev at mit.edu>
Cc: <since at opendemand.com>
Sent: Wednesday, October 08, 2008 3:56 PM
Subject: Re: KRB5_KDCREP_MODIFIED - KDC reply did not match expectations error


>
> On Oct 8, 2008, at 8:56 AM, krbdev-request at mit.edu wrote:
>
>> Date: Tue, 7 Oct 2008 21:46:20 -0400
>> From: "Stephen Ince" <since at opendemand.com>
>> Subject: KRB5_KDCREP_MODIFIED - KDC reply did not match expectations
>>        error
>> To: "krbdev" <krbdev at mit.edu>
>> Message-ID: <3c0801c928e7$a9968460$6e00a8c0 at desktop2>
>> Content-Type: text/plain; format=flowed; charset="iso-8859-1";
>>        reply-type=original
>>
>> Hi, I am very new to Kerberos. I am trying to connect to an AD KDC server
>> and I am getting the following error.
>>
>> KRB5_KDCREP_MODIFIED - KDC reply did not match expectations.
>>
>> The call is the following.
>>
>>    err = krb5_get_in_tkt_with_password(
>>        krb5->context,
>>        kdcFlags, NULL, NULL, NULL, password, krb5->ccache,
>>        &krb5->credentials, 0);
>>
>> I am missing some additional setup. I have this call working when I use a
>> kfw Kerberos server. Basically I am doing the following.
>>
>> krb5_init_context(..
>> krb5_parse_name(.
>> krb5_build_principal_ext(..
>> krb5_cc_resolve(..
>> krb5_cc_initialize(..
>> krb5_get_in_tkt_with_password(..
>>
>> Steve
>
>
> There seem to be two ways this error can happen "in the wild". 1) if you
> are using a Microsoft KDC and the case of the requested principal differs
> from what's in the server's database. (I've not seen this myself.) 2) if
> you have a Heimdal KDC, the request has the renewable_ok flag set, and the
> time limits are set to allow extension of the renewable time limit as that
> flag suggests.
>
> I've seen the latter with the Sun pam_krb5 module. The MIT code doesn't
> generally produce requests matching case 2). IIRC the relevant code is in
> src/lib/krb5/krb/get_in_tkt.c, and 1.6.1b1 does not appear to have been
> fixed.
>
>
> ------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
>
>
>
> 
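
The two cases described in the reply above, as an added example that is not part of the original thread and is not MIT krb5 source: a simplified C model that takes what the client requested and what the KDC returned and reports which case applies. The struct layouts, flag values, sample principals and the exact comparison used for case 2 are assumptions made for illustration.

```c
/* Added example: a simplified model, not MIT krb5 source. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical flag values for this model, not the on-the-wire KDC option bits. */
#define OPT_RENEWABLE    0x1u
#define OPT_RENEWABLE_OK 0x2u

struct as_req { const char *client; unsigned opts; long till; };
struct as_rep { const char *client; int renewable; long renew_till; };

enum cause { REPLY_MATCHES, CASE_ONLY_MISMATCH, PRINCIPAL_MISMATCH, RENEW_TILL_EXTENDED };

/* Return 1 if a and b are equal when ASCII case is ignored. */
static int equal_ignoring_case(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

enum cause classify_reply(const struct as_req *rq, const struct as_rep *rp)
{
    /* Case 1: the KDC answered for a principal spelled differently from the request. */
    if (strcmp(rq->client, rp->client) != 0)
        return equal_ignoring_case(rq->client, rp->client)
                   ? CASE_ONLY_MISMATCH : PRINCIPAL_MISMATCH;
    /* Case 2 (assumed rule): renewable_ok was set, renewable was not requested, and
       the reply is a renewable ticket whose renew_till passes the requested end time. */
    if ((rq->opts & OPT_RENEWABLE_OK) && !(rq->opts & OPT_RENEWABLE) &&
        rp->renewable && rq->till != 0 && rp->renew_till > rq->till)
        return RENEW_TILL_EXTENDED;
    return REPLY_MATCHES;
}

int main(void)
{
    /* Constructed sample values. */
    struct as_req rq = { "steve@EXAMPLE.COM", OPT_RENEWABLE_OK, 36000 };
    struct as_rep ad_style = { "Steve@EXAMPLE.COM", 0, 0 };
    struct as_rep heimdal_style = { "steve@EXAMPLE.COM", 1, 604800 };
    printf("case-differing reply: %d\n", classify_reply(&rq, &ad_style));
    printf("extended renew_till reply: %d\n", classify_reply(&rq, &heimdal_style));
    return 0;
}
```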