Q: Kerberos error between RedHat 7.3 and Windows 2000 Active Directory ( No Answer,   1 Comment )
Question  
Subject: Kerberos error between RedHat 7.3 and Windows 2000 Active Directory
Category: Computers > Security
Asked by: tulshi-ga
List Price: $10.00
Posted: 06 May 2004 16:56 PDT
Expires: 05 Jun 2004 16:56 PDT
Question ID: 342369
I'm trying to connect to a Windows 2000 server from a RedHat Linux 7.3
computer. However, when I do: kinit administrator@domain.com I am
prompted for the password and if I enter the correct password, kinit
gives the error:
KDC reply did not match expectations while getting initial credentials
I read somewhere that it might be a time-synch issue, but I have ntp
synched both servers to time-a.nist.gov. What might be the reason for
the error?

Request for Question Clarification by denco-ga on 06 May 2004 21:50 PDT
Howdy tulshi-ga,

What version of Kerberos (the revision number) are you running and would you
be comfortable doing a rebuild of it if necessary?

Thanks!  denco-ga - Google Answers Researcher

Clarification of Question by tulshi-ga on 07 May 2004 08:10 PDT
Sorry, I should have thought to answer that. I'm using kerberos v5.
Here's a dump of the packages installed:
$ rpm -q -a | grep krb
krbafs-1.1.1-1
krb5-libs-1.2.4-1
krbafs-devel-1.1.1-1
krb5-workstation-1.2.4-1
pam_krb5-1.55-1
krb5-devel-1.2.4-1

Request for Question Clarification by denco-ga on 07 May 2004 14:07 PDT
No problem tulshi-ga,

Greatly appreciate your patience with the diagnostic process.  I hope you
don't mind that I like to take these types of problems methodically.

Please check your /etc/krb5.conf files for the "renew_lifetime" entry and
see if it exists, and if it does (no need to create it if it doesn't
exist), make sure the value is set to a number larger than 86400, such as
86500.  Test it after changing; otherwise, please update me.

Thanks!  denco-ga - Google Answers Researcher

Clarification of Question by tulshi-ga on 07 May 2004 14:43 PDT
I do not have a renew_lifetime in the libdefaults section. If I add a
"renew_lifetime" line in the libdefaults section, kinit gives another
error:
Invalid argument while getting initial credentials
I do have an "appdefaults" section, which has a "pam" subsection which
has renew_lifetime. I'd tried various values there, including 86400, I
tried 86500 and also tried putting the renew_lifetime directly in the
appdefaults section, but the "KDC reply did not match expectations"
does not go away.
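
The check requested above (finding "renew_lifetime" in /etc/krb5.conf and comparing it with 86400), as an added example that is not part of the original thread: a small Python parser that reports each renew_lifetime entry together with the section or subsection it sits in. The sample configuration is constructed, the function names are hypothetical, and only plain seconds and the NdNhNmNs duration form are handled.

```python
import re

# Constructed sample (EXAMPLE.COM is a placeholder realm): no renew_lifetime
# in [libdefaults], one inside the pam subsection of [appdefaults].
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.COM

[appdefaults]
 pam = {
   renew_lifetime = 86400
 }
"""
UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def to_seconds(value):
    """Convert '86500' or '1d2h' style durations to seconds; None if unrecognised."""
    value = value.strip().lower()
    if value.isdigit():
        return int(value)
    if not re.fullmatch(r"(\d+\s*[dhms]\s*)+", value):
        return None
    parts = re.findall(r"(\d+)\s*([dhms])", value)
    return sum(int(n) * UNITS[u] for n, u in parts)

def find_renew_lifetime(text):
    """Return (location, raw value, seconds) for each renew_lifetime entry."""
    found, path = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue                        # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            path = [line[1:-1]]             # new top-level section
        elif line == "}":
            path = path[:max(1, len(path) - 1)]   # close one subsection
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                path.append(key)            # open subsection, e.g. pam
            elif key == "renew_lifetime":
                found.append(("/".join(path), value, to_seconds(value)))
    return found

def exceeds_one_day(text):
    """Map each location to True when its renew_lifetime is larger than 86400."""
    return {loc: secs is not None and secs > 86400
            for loc, _, secs in find_renew_lifetime(text)}
```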

Request for Question Clarification by denco-ga on 10 May 2004 09:19 PDT
Howdy tulshi-ga,

It is most probably an incompatibility between versions of Kerberos.  As well,
the version of Kerberos you are running has some security issues.

Try going to 1.2.4-3 as a first step.  The RPMs can be found here.
http://129.194.66.80/revaz/scratch/RH73/updates

Looking Forward, denco-ga - Google Answers Researcher
Answer  
There is no answer at this time.

Comments  
Subject: Re: Kerberos error between RedHat 7.3 and Windows 2000 Active Directory
From: yayati-ga on 10 Jun 2004 04:41 PDT
 
I have Fedora, and am facing the same problem. I have tried everything
I could read about. All the above steps have also been done by me,
but still the same error persists:
kinit(v5): KDC reply did not match expectations while getting initial credentials
Both the win2k3 domain controller and Linux client have krb5. I am also
not getting any error log messages on the domain controller.

Are any other steps needed if my domain controller is 2003 server?

Regards
Yayati.
