Kerberos ticket "Expired"; Finding old, not new ticket

Question

I'm trying to get Kerberos connecting to a MS SQL database on my Mac (Big Sur). I've been following instructions here. My Kerberos authenticated connections used to work. They stopped working when I tried them recently. This might be due to upgrading the OS.

Per the instructions, I have an /etc/krb5.conf file that looks something like this:

[libdefaults]
  default_realm = DOMAIN.COMPANY.COM
 
[realms]
DOMAIN.COMPANY.COM = {
   kdc = dc-33.domain.company.com
}

When I go to my terminal and run kinit [email protected] it prompts me for my password. After successfully entering my password, I immediately run the klist command, as recommended, and I'm getting something like this:

Credentials cache: API:1234A5B6-7C8D-9EF0-B1F9-ED757F2418F4
        Principal: [email protected]

  Issued                Expires        Principal
Apr  5 09:02:23 2022  >>>Expired<<<  krbtgt/[email protected]

This looks like an old ticket/credential (I'm writing this April 8th) somewhere on my machine. The old ticket is "Expired". Why isn't the klist command retrieving the recent kinit credential? What would cause this? How can I fix it?

Things I've tried

Naively, in the beginning of all of my Kerberos connectivity issues and before getting this error, I thought I needed to update/upgrade Kerberos. So I installed Kerberos with brew install krb5. Unfortunately, I think this just confused the OS because Kerberos was then installed in 2 locations.

I saw that the operating system might need to "know" where to find Kerberos files if it gets confused (see above bullet point). So, I added the following lines to my .zshrc file.

export PATH=/usr/local/opt/krb5/bin:$PATH
export PATH=/usr/local/opt/krb5/sbin:$PATH
export LDFLAGS="-L/usr/local/opt/krb5/lib $LDFLAGS"
export CPPFLAGS="-I/usr/local/opt/krb5/include $CPPFLAGS"

These lines helped while I still had the Homebrew version of Kerberos installed, but I have since run brew uninstall krb5 and now they don't help (see next paragraph).

I did a search in my terminal for the krb5 folder using this command sudo find / -name "krb5". When I searched through the long list of results, I found several krb5 folders, but none of them had bin, sbin, lib or include directories in them. So, it seems that during the brew uninstall krb5 command those files were removed from my system as well as the files in /usr/local/Cellar.

I haven't tried installing the "Prerequisites" on the instruction page yet, because my Kerberos used to work already in the past. So, I'm assuming that the prerequisites should already be in place, unless they changed during my OS update. I was hesitant to try that because of the issues the brew install attempt created.

Conclusion

It's obvious the Kerberos is still installed somewhere on my machine because it will prompt me to enter my password after kinit and knows if the password entered is valid or not. The credentials are "Expired" immediately after being created. How can I fix this?

Answer 1

installing and uninstalling kerberos appears to have messed with some of your OS settings. This, combined with a recent OS update probably requires a restart, if you haven't already done so.