On 18.06.2025 09:32 Marco Moock wrote:
I want to attach a Fedora 42 system to MS AD. sssd seems to work, as I
can retrieve user info from AD. However, login on my system fails and
I get the following message in /var/log/sssd/krb5_child.log:
* (2025-06-18 8:02:33): [krb5_child[137885]] [validate_tgt] (0x0020): [RID#988] TGT failed verification using key for [redacted HOSTNAME].
********************** BACKTRACE DUMP ENDS HERE *********************************
(2025-06-18 8:02:33): [krb5_child[137885]] [get_and_save_tgt] (0x0020): [RID#988] 2359: [-1765328339][Service key not available]
(2025-06-18 8:02:33): [krb5_child[137885]] [map_krb5_error] (0x0040): [RID#988] 2443: [-1765328339][Service key not available]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2025-06-18 8:02:33): [krb5_child[137885]] [get_and_save_tgt] (0x0020): [RID#988] 2359: [-1765328339][Service key not available]
* (2025-06-18 8:02:33): [krb5_child[137885]] [map_krb5_error] (0x0040): [RID#988] 2443: [-1765328339][Service key not available]
********************** BACKTRACE DUMP ENDS HERE *********************************
Can someone give a hint where to look for the problem?
I found a workaround, although not recommended due to security reasons:
[domain/example.org]
krb5_validate = False
https://access.redhat.com/solutions/7113737
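Added example, not part of the original post: a small audit helper that pulls the failed-TGT-validation records out of krb5_child.log text (collapsing the copies SSSD repeats in its backtrace dump) and lists the sssd.conf domains where krb5_validate has been switched off, so the workaround above does not stay in place unnoticed. The function names, the sample input and the second domain name (lab.example.org) are constructed for illustration.

```python
import configparser
import re

# One krb5_child.log record:
# (timestamp): [krb5_child[pid]] [function] (level): [RID#n] message
LOG_RE = re.compile(
    r"\((?P<ts>[\d-]+\s+[\d:]+)\): \[krb5_child\[\d+\]\] \[(?P<func>\w+)\] "
    r"\(0x[0-9a-f]+\): \[RID#(?P<rid>\d+)\] (?P<msg>.*)")
MARKERS = ("TGT failed verification", "Service key not available")

def validation_failures(log_text):
    """Unique (timestamp, RID, function, message) records of failed TGT validation.
    Records repeated in the backtrace dump ('* ' lines) are reported once."""
    seen, events = set(), []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and any(marker in m["msg"] for marker in MARKERS):
            key = (m["ts"], m["rid"], m["func"], m["msg"].strip())
            if key not in seen:
                seen.add(key)
                events.append(key)
    return events

def domains_with_validation_disabled(conf_text):
    """Names of [domain/...] sections that explicitly set krb5_validate to false."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return [s.split("/", 1)[1] for s in cp.sections()
            if s.startswith("domain/")
            and cp.get(s, "krb5_validate", fallback="").strip().lower() == "false"]

# Constructed sample input, modelled on the lines quoted in the post.
SAMPLE_LOG = """
* (2025-06-18 8:02:33): [krb5_child[137885]] [validate_tgt] (0x0020): [RID#988] TGT failed verification using key for [redacted HOSTNAME].
(2025-06-18 8:02:33): [krb5_child[137885]] [get_and_save_tgt] (0x0020): [RID#988] 2359: [-1765328339][Service key not available]
(2025-06-18 8:02:33): [krb5_child[137885]] [map_krb5_error] (0x0040): [RID#988] 2443: [-1765328339][Service key not available]
* (2025-06-18 8:02:33): [krb5_child[137885]] [get_and_save_tgt] (0x0020): [RID#988] 2359: [-1765328339][Service key not available]
* (2025-06-18 8:02:33): [krb5_child[137885]] [map_krb5_error] (0x0040): [RID#988] 2443: [-1765328339][Service key not available]
"""
SAMPLE_CONF = """
[domain/example.org]
krb5_validate = False
[domain/lab.example.org]
id_provider = ad
"""

if __name__ == "__main__":
    for event in validation_failures(SAMPLE_LOG):
        print("log:", *event)
    print("krb5_validate disabled in:", domains_with_validation_disabled(SAMPLE_CONF))
```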