ads_set_machine_password: KDC reply did not match expectations

Jim McDonough jmcd at us.ibm.com
Wed May 8 08:57:02 GMT 2002


drew.arthur at mail.print.com wrote:
>I am attempting to join Samba3.0-17 to a Win2k AD Domain and get the
>following error:
>#usr/local/samba/bin/net ads join
>#"ads_set_machine_password: KDC reply did not match expectations"
>
>Any Kerberos gurus know of a way around this error?
One more detail here is that the Win2k DC gives different information
depending on what you query as to what the realm is.  If you try to get a
ticket using only the first qualifier of the realm, it grants the ticket,
but for the full realm name (which is how this error gets generated).  So,
kinit is done using the full realm name (as set in krb5.conf).  But the
"net ads info" command shows that the realm name is just the first
qualifier...so the password change uses this short one...

Basically, the Kerberos KDC thinks that the realm is
"TESTREALM.DOMAIN.COM", and the ldap server replies for ldapServiceName
DC.TESTREALM.DOMAIN.COM:dc$@TESTREALM

This is the root of the problem...the KDC says it's the long version, the
ldap entry for the service principal name is the short version....anyone
ever seen this...or know how to resolve it?

----------------------------
Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074
USA

jmcd at us.ibm.com
jmcd at samba.org

Phone: (207) 885-5565
IBM tie-line: 776-9984
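
The realm mismatch described in the message above, as an added example that is not part of the original post or of Samba's code: it compares the realm in an `ldapServiceName` value against `default_realm` from krb5.conf and flags the short-form case. The function names and the sample krb5.conf text are assumptions made for illustration; the realm and `ldapServiceName` values are the ones quoted in the message.

```python
import re

# Constructed sample inputs, built from the values quoted in the message.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = TESTREALM.DOMAIN.COM
"""
SAMPLE_LDAP_SERVICE_NAME = "DC.TESTREALM.DOMAIN.COM:dc$@TESTREALM"


def default_realm(krb5_conf_text):
    """Return default_realm from the [libdefaults] section, or None."""
    section = None
    for raw in krb5_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        key, sep, value = line.partition("=")
        if section == "libdefaults" and sep and key.strip() == "default_realm":
            return value.strip()
    return None


def parse_ldap_service_name(value):
    """Split 'host:principal@REALM' into (host, principal, realm)."""
    host, colon, principal = value.strip().partition(":")
    name, at, realm = principal.rpartition("@")
    if not (colon and at and host and name and realm):
        raise ValueError("unexpected ldapServiceName format: %r" % value)
    return host, name, realm


def compare_realms(kdc_realm, ldap_realm):
    """Classify how the LDAP-advertised realm relates to the Kerberos realm."""
    if kdc_realm == ldap_realm:
        return "match"
    if kdc_realm.upper() == ldap_realm.upper():
        return "case-differs"
    if kdc_realm.upper().split(".", 1)[0] == ldap_realm.upper():
        return "short-form"      # first qualifier only, as in the message
    return "mismatch"


def check(krb5_conf_text, ldap_service_name):
    """Return (kdc_realm, ldap_realm, verdict) for the two inputs."""
    kdc_realm = default_realm(krb5_conf_text)
    if kdc_realm is None:
        raise ValueError("no default_realm in [libdefaults]")
    _, _, ldap_realm = parse_ldap_service_name(ldap_service_name)
    return kdc_realm, ldap_realm, compare_realms(kdc_realm, ldap_realm)
```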




