
Troubleshoot issues with Kerberos

ℹ️

Note

The following resources can help you troubleshoot time synchronization and other Kerberos issues:

The following topics can help you address common issues related to Kerberos and AD Bridge.

Fix a key table entry-ticket mismatch

When an AD computer account password changes two or more times during the lifetime of a domain user's credentials, the computer's entry that matches the user's Kerberos service ticket is dropped from the Kerberos key table. Even though the service ticket has not expired, any action that depends on that entry, such as reading the event log or using single sign-on, will fail.

To avoid issues with Kerberos key tables, keytabs, and single sign-on, the computer password expiration time must be at least twice the maximum lifetime for user tickets, plus a little more time to account for the permitted clock skew. That way no valid user ticket can outlive the key it was issued against.

The expiration time for a user ticket is set by using an Active Directory Group Policy setting called Maximum lifetime for user ticket. The default user ticket lifetime is 10 hours; the default AD Bridge computer password lifetime is 30 days.

Causes

The computer account password can change more frequently than the user's AD credentials under the following conditions:

  • Joining a domain two or more times.
  • Setting the computer account password expiration time (a Group Policy setting) to less than twice the maximum lifetime of user tickets.

ℹ️

Note

For more information, see the AD Bridge group policy settings reference.

  • Setting the local machine-password-lifespan value for the lsass service in the AD Bridge registry to less than twice the maximum lifetime for user tickets.
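The rule stated above (computer password lifetime of at least twice the user ticket lifetime, plus the permitted clock skew) is easy to get wrong by a few minutes. The following Python helper is an added example, not AD Bridge code: it parses durations in the forms the page uses ("10h", "30d") and checks a configured machine-password lifetime against a ticket lifetime. The 5-minute default clock skew and the convention that a bare number is a count of seconds are assumptions of the example, not values taken from the page.

```python
"""Check a machine-password lifetime against the keytab rule: 2 x ticket lifetime + clock skew."""
from dataclasses import dataclass

# Defaults named on the page: 10-hour user ticket, 30-day computer password.
DEFAULT_TICKET_LIFETIME = "10h"
DEFAULT_MACHINE_PASSWORD_LIFETIME = "30d"
# Assumption for this example: the usual Kerberos default of 5 minutes of permitted skew.
DEFAULT_CLOCK_SKEW = "5m"

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text: str) -> int:
    """Parse '10h', '30d', '5m', '1d12h' or a bare number (assumed to be seconds) into seconds."""
    text = text.strip().lower()
    if text.isdigit():
        return int(text)
    total, number = 0, ""
    for ch in text:
        if ch.isdigit():
            number += ch
        elif ch in UNIT_SECONDS and number:
            total += int(number) * UNIT_SECONDS[ch]
            number = ""
        else:
            raise ValueError(f"bad duration: {text!r}")
    if number:
        raise ValueError(f"missing unit in duration: {text!r}")
    return total


def minimum_password_lifetime(ticket_lifetime: str, clock_skew: str = DEFAULT_CLOCK_SKEW) -> int:
    """Smallest machine-password lifetime (seconds) under which no user ticket can
    outlive two password changes: twice the ticket lifetime plus the clock skew."""
    return 2 * parse_duration(ticket_lifetime) + parse_duration(clock_skew)


@dataclass
class LifetimeCheck:
    ok: bool
    configured_seconds: int
    required_seconds: int
    message: str


def check_machine_password_lifetime(password_lifetime: str,
                                    ticket_lifetime: str = DEFAULT_TICKET_LIFETIME,
                                    clock_skew: str = DEFAULT_CLOCK_SKEW) -> LifetimeCheck:
    """Report whether the configured lifetime satisfies the rule, and by how much it misses."""
    configured = parse_duration(password_lifetime)
    required = minimum_password_lifetime(ticket_lifetime, clock_skew)
    if configured >= required:
        message = f"ok: {password_lifetime} >= 2 x {ticket_lifetime} + {clock_skew}"
    else:
        message = (f"too short by {required - configured}s: a {ticket_lifetime} ticket can outlive "
                   f"two password changes, so its keytab entry may be dropped")
    return LifetimeCheck(configured >= required, configured, required, message)


if __name__ == "__main__":
    for lifetime in (DEFAULT_MACHINE_PASSWORD_LIFETIME, "20h", "12h"):
        print(lifetime, "->", check_machine_password_lifetime(lifetime).message)
```

Note the "20h" case: it is exactly twice the 10-hour ticket lifetime and still fails, because the skew allowance is missing. That is the "plus a little more time" in the rule above.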

Solution

If a computer's entry is dropped from the Kerberos key table, you must remove the unexpired service tickets from the user’s credentials cache by reinitializing the cache. Here is how:

On Linux and Unix, reinitialize the credentials cache by executing the following command with the account of the user who is having the problem:

/opt/pbis/bin/kinit

Resolve a KRB error during SSO in a disjoint namespace

When you are working in a network with a disjoint namespace, in which the Active Directory domain name differs from the DNS domain suffix of the computers, you may need to modify the domain_realm section of /etc/krb5.conf on your target computer, even though your DNS A and PTR records are correct for both DNS domains and resolve in both directions.

The following error, in particular, indicates that you might have to modify your krb5.conf file before single sign-on (with SSH, for example) will work:

KRB ERROR BAD OPTION

Assume that your computer's Active Directory domain is bluesky.example.com, that your computer's FQDN is somehostname.green.example.com, and that you have already created the following entries in DNS:

_kerberos._tcp.green.example.com 0 100 389 ad2.bluesky.example.com
_kerberos._udp.green.example.com 0 100 389 ad2.bluesky.example.com

On the target computer, the [domain_realm] entry of your /etc/krb5.conf file looks like this:

[domain_realm]
.bluesky.example.com = BLUESKY.EXAMPLE.COM
bluesky.example.com = BLUESKY.EXAMPLE.COM

To resolve the error, add the following two lines to the [domain_realm] entry of your /etc/krb5.conf file:

.green.example.com = BLUESKY.EXAMPLE.COM
green.example.com = BLUESKY.EXAMPLE.COM

After adding the two lines above, the complete [domain_realm] entry now looks like this:

[domain_realm]
.bluesky.example.com = BLUESKY.EXAMPLE.COM
bluesky.example.com = BLUESKY.EXAMPLE.COM
.green.example.com = BLUESKY.EXAMPLE.COM
green.example.com = BLUESKY.EXAMPLE.COM

Finally, make sure that you have a correct k5login file and then try to log on again.
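Adding the two lines by hand is fine for one host; across a fleet it is worth making the edit idempotent and refusing to overwrite an existing mapping to a different realm. The following Python script is an added example, not part of AD Bridge: it reads a krb5.conf, adds the ".suffix" and "suffix" mappings to the [domain_realm] section only when they are missing, and leaves every other section untouched. The sample configuration is constructed to match the one shown above; the [libdefaults] and [logging] sections in it are assumptions made so that the example can show other sections being preserved.

```python
"""Add a DNS-suffix-to-realm mapping to the [domain_realm] section of a krb5.conf."""
import re

# Constructed sample matching the starting configuration on this page (not a real file).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = BLUESKY.EXAMPLE.COM

[domain_realm]
    .bluesky.example.com = BLUESKY.EXAMPLE.COM
    bluesky.example.com = BLUESKY.EXAMPLE.COM

[logging]
    default = FILE:/var/log/krb5libs.log
"""

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")


def domain_realm_mappings(conf_text: str) -> dict:
    """Return {domain: REALM} for every entry in the [domain_realm] section."""
    mappings, in_section = {}, False
    for line in conf_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            in_section = m.group(1).strip() == "domain_realm"
            continue
        if in_section and "=" in line and not line.lstrip().startswith("#"):
            key, _, value = line.partition("=")
            mappings[key.strip()] = value.strip()
    return mappings


def add_domain_realm_mapping(conf_text: str, dns_suffix: str, realm: str) -> str:
    """Map both '.suffix' (hosts under it) and 'suffix' (the bare name) to REALM.

    Entries that already exist are left alone. An entry that already points at a
    different realm raises instead of being rewritten, because silently changing
    it would reroute authentication for every host under that suffix."""
    realm = realm.upper()
    suffix = dns_suffix.strip().lower().lstrip(".")
    wanted = {f".{suffix}": realm, suffix: realm}
    existing = domain_realm_mappings(conf_text)
    for key in wanted:
        if key in existing and existing[key] != realm:
            raise ValueError(f"{key} already maps to {existing[key]}, not {realm}")
    missing = [key for key in wanted if key not in existing]
    if not missing:
        return conf_text  # nothing to do: running twice is safe

    lines = conf_text.splitlines()
    start = next((i for i, line in enumerate(lines)
                  if (m := SECTION_RE.match(line)) and m.group(1).strip() == "domain_realm"), None)
    if start is None:
        # No [domain_realm] section yet: append a new one at the end.
        block = ["", "[domain_realm]"] + [f"    {key} = {realm}" for key in missing]
        return "\n".join(lines + block) + "\n"

    # The section ends at the next header or at end of file; insert before its trailing blank lines.
    end = start + 1
    while end < len(lines) and not SECTION_RE.match(lines[end]):
        end += 1
    insert_at = end
    while insert_at > start + 1 and lines[insert_at - 1].strip() == "":
        insert_at -= 1
    # Copy the indentation of an existing entry so the file keeps its style.
    indent = ""
    for line in lines[start + 1:insert_at]:
        if "=" in line:
            indent = line[:len(line) - len(line.lstrip())]
            break
    lines[insert_at:insert_at] = [f"{indent}{key} = {realm}" for key in missing]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(add_domain_realm_mapping(SAMPLE_KRB5_CONF, "green.example.com", "BLUESKY.EXAMPLE.COM"))
```

To apply it to a real host, read /etc/krb5.conf into a string, pass the result through add_domain_realm_mapping, and write it back (keeping a copy of the original), then check the k5login file and retry the logon as the page describes.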

ℹ️

Note

For more information, see Disjoint Namespace.

Eliminate logon delays when DNS connectivity is poor

If connectivity to your DNS servers is tenuous or becomes unavailable, name resolution can time out, delaying the logon process. Because Active Directory is heavily dependent on a well-functioning DNS system, you should work to resolve your DNS issues.

If you cannot fix your DNS system, however, you can as a last resort set up a caching-forwarding name server on the AD Bridge client to eliminate the logon delay. For instance, you can set up a BIND server on each Linux or Unix computer on which you are running AD Bridge. Then you can configure BIND as a local caching resolver and add your nameserver addresses to the forwarder list, leaving /etc/resolv.conf with only the local loopback address:

search example.com
nameserver 127.0.0.1

ℹ️

Note

For instructions on how to set up BIND, see the BIND documentation.

Eliminate Kerberos ticket renewal dialog box

There is an applet called krb5-auth-dialog that by default is active on many Linux distributions. It is intended to assist you with renewing your Kerberos tickets before they expire. Because AD Bridge renews your tickets for you, the dialog box is superfluous and can be a nuisance.

To disable the dialog box:

  1. In the menu, click System > Preferences > More Preferences > Session.
  2. Click the Startup Programs tab and disable the krb5-auth-dialog program. This change prevents it from restarting next time you log on.
  3. Close the Sessions window and then run this command from the shell:
     pkill krb5-auth-dialog

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.