Hello Ken, kinit is successful now. Thank you so much for your kind help!
Regards, Vikram On Wed, 3 Mar 2021 at 18:35, Ken Hornstein <k...@cmf.nrl.navy.mil> wrote: > > >PFA the latest logs. > > > >I'm able to enter the PIN then this log is generated. Please let us > >know what is the next step? > > > >[...] > >kinit: KDC reply did not match expectations while getting initial credentials > > Huh, JUST when you think you've seen every Kerberos error, you get a new > one. > > So, I am kinda surprised your KDC certificate doesn't contain even an > id-kp-serverAuth EKU. I wonder who created the server certificate? Was > this just a test realm that was deployed internally? > > So, I am wondering ... is your realm name blrdhcdev.com or BLRDHCDEV.COM? > (Case matters). Because in the kinit command you use the lower-case form > but some of the log messages that implies that it's the upper-case form. > I suspect you're getting tripped up by the code in > get_in_tkt.c:verify_as_reply() that compares various fields in the request > against the reply, so if your request is using the lower-case realm but > the reply is with an upper-case realm, that could cause this error. If > you put a bunch of config file entries in your krb5.conf based on > the lower-case realm, those should all be in upper case. > > (In general, Kerberos realms are upper-case. The only person I know who > deployed a lower-case realm said that if he had to do it all over again, > he wouldn't because too much code assumes an upper-case realm). > > --Ken ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
