What does "Client credentials have been revoked" mean?

Richard Sharpe realrichardsharpe at gmail.com
Fri Sep 13 20:59:40 CEST 2013


On Fri, Sep 13, 2013 at 9:46 AM, Richard Sharpe
<realrichardsharpe at gmail.com> wrote:
> On Fri, Sep 13, 2013 at 9:40 AM, Jeremy Allison <jra at samba.org> wrote:
>> On Thu, Sep 12, 2013 at 03:40:58PM -0700, Richard Sharpe wrote:
>>> On Thu, Sep 12, 2013 at 2:44 PM, Jeremy Allison <jra at samba.org> wrote:
>>> > On Thu, Sep 12, 2013 at 02:22:16PM -0700, Richard Sharpe wrote:
>>> >> Hi folks,
>>> >>
>>> >> On one system, when joined to AD, after ten minutes or so, we see the following:
>>> >>
>>> >> libads/kerberos_util.c:101(ads_kinit_password)
>>> >>
>>> >>   kerberos_kinit_password some-machine$@some.domain.some-tld failed:
>>> >> Clients credentials have been revoked
>>> >>
>>> >> What might be the cause of this? Has anyone here seen it?
>>> >>
>>> >> There seem to be lots of questions of this type on the web.
>>> >
>>> > From this page:
>>> >
>>> > http://technet.microsoft.com/en-us/library/bb463167.aspx
>>> >
>>> >  Clients’ credentials have been revoked while getting initial credentials
>>> >
>>> > Application/Function: kinit
>>> >
>>> > Potential Causes and Solution: Can indicate that the user's account is locked or expired (account expired, not password expired).
>>> >
>>> > Hope this helps,
>>>
>>> If you disable the computer account you get the same message. I wonder
>>> who disabled the computer account.
>>
>> I don't think Samba ever does this automatically.
>
> Yeah, I agree.
>
> Now I have to figure out if they have some sort of policy that is
> doing it or they are manually disabling the computer account or what.

Turns out that this particular organization has some sort of DNS Round
Robin going on between two LDAP servers and maybe the computer account
info has not replicated between them.

I don't yet have the full story.

-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. --Cao Cao)
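
An added example, not part of the original thread: a check for the account states the thread names as causes of "Clients credentials have been revoked" (disabled, locked, expired), run over the same computer account as read from each domain controller, so that the replica disagreement raised as a possibility in the last message would show up. The DC names and attribute values are constructed, and the code assumes the attributes were fetched from each server separately.

```python
from datetime import datetime, timezone

UF_ACCOUNTDISABLE = 0x0002                 # userAccountControl bit: account disabled
NEVER = (0, 0x7FFFFFFFFFFFFFFF)            # accountExpires values meaning "never"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """Convert a datetime to 100 ns intervals since 1601-01-01 UTC."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def revocation_reasons(attrs, now):
    """Return the account states on one DC that can produce the revoked error."""
    reasons = []
    if int(attrs["userAccountControl"]) & UF_ACCOUNTDISABLE:
        reasons.append("disabled")
    # A non-zero lockoutTime records a lockout; whether it still applies
    # depends on the domain's lockout duration, which is not modelled here.
    if int(attrs.get("lockoutTime", 0)) > 0:
        reasons.append("lockout recorded")
    expires = int(attrs.get("accountExpires", 0))
    if expires not in NEVER and expires <= to_filetime(now):
        reasons.append("expired")
    return reasons


def compare_replicas(per_dc, now):
    """Map each DC to its reasons and report whether all replicas agree."""
    states = {dc: revocation_reasons(a, now) for dc, a in per_dc.items()}
    consistent = len({tuple(r) for r in states.values()}) <= 1
    return states, consistent


# Constructed sample: one computer account as seen by two DCs.
# 4096 = WORKSTATION_TRUST_ACCOUNT, 4098 = the same plus ACCOUNTDISABLE.
SAMPLE = {
    "dc1.example.test": {"userAccountControl": "4096",
                         "accountExpires": "9223372036854775807"},
    "dc2.example.test": {"userAccountControl": "4098", "accountExpires": "0"},
}

if __name__ == "__main__":
    states, consistent = compare_replicas(SAMPLE, datetime.now(timezone.utc))
    for dc, reasons in states.items():
        print(dc, ", ".join(reasons) or "ok")
    print("replicas agree" if consistent else "replicas disagree")
```
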


More information about the samba-technical mailing list