Troubleshooting Kerberos and SSH problems
Error message: kinit(v5): Cannot find KDC for requested realm while getting initial credentials
On Macintosh computers (OS-X operating system), Kerberos is installed
on all recent versions. However, there are two locations and names for
(Note: the file in
Error message: kinit: Preauthentication failed while getting initial credentials
kinit fails with preauthentication error
Error message: kinit: krb5_get_init_creds: Too large time skew
kinit fails with time skew message
Error message: kinit: KDC has no support for encryption type while getting initial credentials
kinit fails with complaint about encryption type
Error message: kinit: Client not found in Kerberos database while getting initial credentials
Error message: kinit: Client's entry in database has expired
kinit fails because of an expired password
In general, ssh login failures will be indicated by either "permission
denied" messages, or by a cryptocard prompt.
If none of the solutions below fixes your problem please email the
output of the command "
Not having a kerberos ticket granting ticket (TGT), or having an expired TGT
Verify with the "
hostname:~$ kinit -rf 7d johndoe@FNAL.GOV
hostname:~$ klist -f
Ticket cache: /tmp/krb5cc_1234
Default principal: johndoe@FNAL.GOV

Valid starting     Expires            Service principal
08/17/12 09:31:16  08/18/12 11:31:16  krbtgt/FNAL.GOV@FNAL.GOV
        renew until 08/24/12 09:31:09, Flags: FRIA
This is the normal output, indicating that a forwardable, renewable ticket exists. Check the expiration time: if the current time is past the expiration, login attempts will fail.
hostname:~$ klist
klist: No credentials cache file found (ticket cache /tmp/krb5cc_6789)
Kerberos tickets expire after 24 hours.
If you include the "
Another useful switch to kinit is "
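The TGT checks described above (is there a ticket cache at all, has the ticket expired, is it forwardable and renewable) can be scripted by reading klist output. The following is an added example, not a script from the original page; it assumes MIT-style "klist -f" output in the layout shown above, and takes the current time as an explicit YYMMDDHHMMSS argument so the result is reproducible. The sample klist outputs are constructed, modelled on the ones on this page.

```shell
#!/bin/sh
# Added example (not from the original page): classify the state of a
# Kerberos TGT from "klist -f" output. Assumes MIT-style klist output;
# the "now" timestamp is passed in as YYMMDDHHMMSS (constructed, not read
# from the clock) so the check is deterministic.

# tgt_status NOW   (reads klist output on stdin)
# Prints one of: no-ticket | expired | ok | ok-not-forwardable | ok-not-renewable | no-tgt
tgt_status() {
    awk -v now="$1" '
        # klist prints this (on stderr) when there is no ticket cache at all
        /No credentials cache/ { print "no-ticket"; found = 1; exit }
        # ticket line: start-date start-time expiry-date expiry-time principal
        $5 ~ /^krbtgt\// {
            split($3, d, "/"); split($4, t, ":")
            # MM/DD/YY HH:MM:SS -> YYMMDDHHMMSS so a plain numeric compare works
            expiry = sprintf("%s%s%s%s%s%s", d[3], d[1], d[2], t[1], t[2], t[3])
            in_tgt = 1; next
        }
        # the continuation line carries the flags: F=forwardable, R=renewable
        in_tgt && /Flags:/ {
            flags = $NF
            if (expiry + 0 < now + 0)         print "expired"
            else if (index(flags, "F") == 0) print "ok-not-forwardable"
            else if (index(flags, "R") == 0) print "ok-not-renewable"
            else                             print "ok"
            found = 1; exit
        }
        END { if (!found) print "no-tgt" }
    '
}

# Constructed sample: a healthy forwardable, renewable TGT (cache name,
# principal and times are made up, modelled on the klist output above).
sample_valid() {
    cat <<'EOF'
Ticket cache: /tmp/krb5cc_1234
Default principal: johndoe@FNAL.GOV

Valid starting     Expires            Service principal
08/17/12 09:31:16  08/18/12 11:31:16  krbtgt/FNAL.GOV@FNAL.GOV
        renew until 08/24/12 09:31:09, Flags: FRIA
EOF
}

# Constructed sample: no ticket cache at all.
sample_none() {
    echo "klist: No credentials cache file found (ticket cache /tmp/krb5cc_6789)"
}

# Demo: the same ticket checked before and after its expiry time.
sample_valid | tgt_status 120817120000   # ok
sample_valid | tgt_status 120819000000   # expired
sample_none  | tgt_status 120817120000   # no-ticket
```

Against a live system you would pipe real output in, for example `klist -f 2>&1 | tgt_status "$(date +%y%m%d%H%M%S)"`; the `2>&1` matters because the "No credentials cache" message goes to stderr.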
Not having an account on the target machine, or having an account on the target machine under a different username
A "permission denied" error will occur if you do not have an account on the target machine, or if your username on the target machine differs from your username on your local machine. Try
ssh username@tev.fnal.gov   or   ssh -l username tev.fnal.gov
where username is your Fermilab username (the same name that you used in your kinit command). If this fails, send e-mail to email@example.com and ask that the administrators verify that you have a valid account on the Wilson Cluster systems.
Using an internet connection which has a "NAT" (network address translation), such as on a home wireless router.
Nearly all home routers, wired or wireless, have a
"NAT" function, which results in your local system having a different
local network address than what is presented to remote machines.
This allows you to have multiple local machines and only one external
Your local addresses will generally be something like
With a NAT, your ssh logins will fail with "Incorrect net address".
To fix this, use "addressless" tickets.
First, use "
For Mac OS users, please be aware that between versions 10.5 and 10.6 Apple changed the switch for addressless tickets from -A to -a. So if you have recently upgraded from Leopard (10.5) to Snow Leopard (10.6) and are still using -A you will need to change to -a. Also, the default behaviour on Mac OS is to supply addressless tickets, so you should also be able to simply drop the -A or -a switch entirely.
Using an ssh client which does not have Kerberos authentication enabled.
Some versions of ssh will not attempt to perform
In this case, you will either receive a "permission denied" error, or
a cryptocard prompt.
To enable kerberos authentication, try the following
ssh -o "GSSAPIAuthentication yes" username@tev.fnal.gov
The quotation marks are required.
If this form of ssh succeeds, you can configure your local system to
always attempt to use kerberos authentication by editing either
Host *.fnal.gov
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
The "GSSAPIDelegateCredentials" line is necessary if you want to use
X-windows clients on the remote (Fermilab) system.
Note that you may need a "
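A common reason a "Host *.fnal.gov" stanza like the one above does not take effect is that an earlier stanza (or the global section) already set the option, since ssh uses the first value it obtains for each keyword. The following added example, which is not from the original page or from OpenSSH, is a small ssh_config reader that reports the effective GSSAPIAuthentication and GSSAPIDelegateCredentials values for a hostname. It assumes space-separated "Keyword value" lines, glob patterns in Host lines only (no Match blocks, no "!" negation), and writes a constructed sample config to a temporary file.

```shell
#!/bin/sh
# Added example (not from the original page or from OpenSSH): report the
# effective GSSAPI options for a hostname from an ssh_config file.
# Assumptions: "Keyword value" syntax, first obtained value wins (as ssh
# does), Host lines with glob patterns only, no Match blocks or negation.

# gssapi_for_host CONFIG_FILE HOSTNAME  ->  prints "<auth> <delegate>" (yes/no)
gssapi_for_host() {
    cfgfile=$1; target=$2
    auth=""; deleg=""
    active=1        # options before the first Host line apply to every host
    set -f          # no filename globbing while lines are split into words
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # drop comments
        set -- $line                     # split into keyword and arguments
        [ $# -ge 2 ] || continue
        key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')   # keywords are case-insensitive
        shift
        case $key in
            host)
                active=0
                for pat in "$@"; do      # a Host line may list several patterns
                    case $target in $pat) active=1 ;; esac
                done ;;
            gssapiauthentication)
                if [ "$active" -eq 1 ] && [ -z "$auth" ]; then auth=$1; fi ;;
            gssapidelegatecredentials)
                if [ "$active" -eq 1 ] && [ -z "$deleg" ]; then deleg=$1; fi ;;
        esac
    done < "$cfgfile"
    set +f
    # OpenSSH defaults both options to "no" when they are not set
    echo "${auth:-no} ${deleg:-no}"
}

# Constructed sample config, written to a temp file; prints the path.
write_sample_config() {
    f=${TMPDIR:-/tmp}/ssh_config_example.$$
    cat >"$f" <<'EOF'
# constructed ~/.ssh/config for the example
Host *.fnal.gov
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIAuthentication no
EOF
    echo "$f"
}

sample=$(write_sample_config)
gssapi_for_host "$sample" tev.fnal.gov     # yes yes
gssapi_for_host "$sample" example.com      # no no
rm -f "$sample"
```

On a real system, `ssh -G hostname` (OpenSSH 6.8 and later) prints the fully resolved configuration and is the authoritative check; the reader above is useful when you want to understand why a stanza did or did not match.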
Contact: Amitoj Singh
Last modified: Nov 6, 2017