Discussion:
What does "Client credentials have been revoked" mean?
Richard Sharpe
2013-09-12 21:22:16 UTC
Hi folks,

On one system, when joined to AD, after ten minutes or so, we see the following:

libads/kerberos_util.c:101(ads_kinit_password)

kerberos_kinit_password some-machine$@some.domain.some-tld failed:
Clients credentials have been revoked

What might be the cause of this? Has anyone here seen it?

There seems to be lots of questions of this type on the web.
--
Regards,
Richard Sharpe
Jeremy Allison
2013-09-12 21:44:01 UTC
Post by Richard Sharpe
Hi folks,
libads/kerberos_util.c:101(ads_kinit_password)
Clients credentials have been revoked
What might be the cause of this? Has anyone here seen it?
There seems to be lots of questions of this type on the web.
From this page:

http://technet.microsoft.com/en-us/library/bb463167.aspx

Clients' credentials have been revoked while getting initial credentials

Application/Function: kinit

Potential Causes and Solution: Can indicate that the user's account is locked or expired (account expired, not password expired).

Hope this helps,

Jeremy.
Richard Sharpe
2013-09-12 22:40:58 UTC
Post by Jeremy Allison
Post by Richard Sharpe
Hi folks,
libads/kerberos_util.c:101(ads_kinit_password)
Clients credentials have been revoked
What might be the cause of this? Has anyone here seen it?
There seems to be lots of questions of this type on the web.
http://technet.microsoft.com/en-us/library/bb463167.aspx
Clients' credentials have been revoked while getting initial credentials
Application/Function: kinit
Potential Causes and Solution: Can indicate that the user's account is locked or expired (account expired, not password expired).
Hope this helps,
If you disable the computer account you get the same message. I wonder
who disabled the computer account.
--
Regards,
Richard Sharpe
Jeremy Allison
2013-09-13 16:40:20 UTC
Post by Richard Sharpe
Post by Jeremy Allison
Post by Richard Sharpe
Hi folks,
libads/kerberos_util.c:101(ads_kinit_password)
Clients credentials have been revoked
What might be the cause of this? Has anyone here seen it?
There seems to be lots of questions of this type on the web.
http://technet.microsoft.com/en-us/library/bb463167.aspx
Clients' credentials have been revoked while getting initial credentials
Application/Function: kinit
Potential Causes and Solution: Can indicate that the user's account is locked or expired (account expired, not password expired).
Hope this helps,
If you disable the computer account you get the same message. I wonder
who disabled the computer account.
I don't think Samba ever does this automatically.
Richard Sharpe
2013-09-13 16:46:37 UTC
Post by Jeremy Allison
Post by Richard Sharpe
Post by Jeremy Allison
Post by Richard Sharpe
Hi folks,
libads/kerberos_util.c:101(ads_kinit_password)
Clients credentials have been revoked
What might be the cause of this? Has anyone here seen it?
There seems to be lots of questions of this type on the web.
http://technet.microsoft.com/en-us/library/bb463167.aspx
Clients' credentials have been revoked while getting initial credentials
Application/Function: kinit
Potential Causes and Solution: Can indicate that the user's account is locked or expired (account expired, not password expired).
Hope this helps,
If you disable the computer account you get the same message. I wonder
who disabled the computer account.
I don't think Samba ever does this automatically.
Yeah, I agree.

Now I have to figure out if they have some sort of policy that is
doing it or they are manually disabling the computer account or what.
--
Regards,
Richard Sharpe
Richard Sharpe
2013-09-13 18:59:40 UTC
On Fri, Sep 13, 2013 at 9:46 AM, Richard Sharpe
Post by Richard Sharpe
Post by Jeremy Allison
Post by Richard Sharpe
Post by Jeremy Allison
Post by Richard Sharpe
Hi folks,
libads/kerberos_util.c:101(ads_kinit_password)
Clients credentials have been revoked
What might be the cause of this? Has anyone here seen it?
There seems to be lots of questions of this type on the web.
http://technet.microsoft.com/en-us/library/bb463167.aspx
Clients' credentials have been revoked while getting initial credentials
Application/Function: kinit
Potential Causes and Solution: Can indicate that the user's account is locked or expired (account expired, not password expired).
Hope this helps,
If you disable the computer account you get the same message. I wonder
who disabled the computer account.
I don't think Samba ever does this automatically.
Yeah, I agree.
Now I have to figure out if they have some sort of policy that is
doing it or they are manually disabling the computer account or what.
Turns out that this particular organization has some sort of DNS Round
Robin going on between two LDAP servers and maybe the computer account
info has not replicated between them.

I don't yet have the full story.
--
Regards,
Richard Sharpe
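Added example, not part of the thread and not Samba code: a way to test the causes named above (account disabled, locked or expired) against the machine account's attributes as read from each domain controller separately, and to flag replicas that disagree. The hostnames and attribute values are constructed; in practice they would come from an LDAP query sent to each DC by name rather than through the round-robin alias.

```python
from datetime import datetime, timedelta, timezone

UF_ACCOUNTDISABLE = 0x0002                 # userAccountControl "disabled" bit
NEVER = (0, 0x7FFFFFFFFFFFFFFF)            # accountExpires values meaning "never"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime(value):
    """Convert an AD timestamp (100 ns units since 1601) to a datetime."""
    return EPOCH_1601 + timedelta(microseconds=value // 10)

def revocation_reasons(attrs, now):
    """List the account states on one DC that match the causes in the thread."""
    reasons = []
    if int(attrs["userAccountControl"]) & UF_ACCOUNTDISABLE:
        reasons.append("disabled")
    # A nonzero lockoutTime records a lockout; it can still be set after the
    # lockout duration has passed, so treat it as a lead to confirm.
    if int(attrs.get("lockoutTime", 0)) != 0:
        reasons.append("lockout recorded")
    expires = int(attrs.get("accountExpires", 0))
    if expires not in NEVER and filetime(expires) <= now:
        reasons.append("expired")
    return reasons

def compare_dcs(snapshots, now):
    """Return per-DC reasons and whether the DCs hold different account state."""
    per_dc = {dc: revocation_reasons(a, now) for dc, a in snapshots.items()}
    diverged = len({tuple(r) for r in per_dc.values()}) > 1
    return per_dc, diverged

# Constructed sample: one machine account as seen on two DCs.
# 4096 = WORKSTATION_TRUST_ACCOUNT, 4098 = the same with the disabled bit set.
SAMPLE = {
    "dc1.example.test": {"userAccountControl": "4096", "lockoutTime": "0",
                         "accountExpires": "9223372036854775807"},
    "dc2.example.test": {"userAccountControl": "4098", "lockoutTime": "0",
                         "accountExpires": "9223372036854775807"},
}

if __name__ == "__main__":
    per_dc, diverged = compare_dcs(SAMPLE, datetime.now(timezone.utc))
    for dc, reasons in per_dc.items():
        print(dc, "->", ", ".join(reasons) or "account usable")
    print("replicas disagree" if diverged else "replicas agree")
```

If the replicas disagree, the error will come and go depending on which DC the round-robin name resolves to.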