[37173] in Kerberos


Re: Cannot authenticate with client keytab and AES128/256 against

daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Jul 29 13:05:45 2015

Message-ID: <55B907D5.6050807@mit.edu>
Date: Wed, 29 Jul 2015 13:05:25 -0400
From: Greg Hudson <ghudson@mit.edu>
MIME-Version: 1.0
To: "Osipov, Michael" <michael.osipov@siemens.com>,
        "kerberos@mit.edu" <kerberos@mit.edu>
In-Reply-To: <68644224DA0DE64CA5A49838ED219A0425A98A1E@DEFTHW99EJ5MSX.ww902.siemens.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 07/29/2015 07:43 AM, Osipov, Michael wrote:
> add_entry -password -p osipovmi@COMAPNY.NET -k 1 -e aes256-cts-hmac-sha1-96
> add_entry -password -p osipovmi@COMAPNY.NET -k 1 -e aes128-cts-hmac-sha1-96
> add_entry -password -p osipovmi@COMAPNY.NET -k 1 -e arcfour-hmac
[...]
> kinit: Invalid argument while getting initial credentials

Your primary problem here has to do with salts.  From the trace logs you
provided me, the salt string for this principal was constructed using
the principal name michael.osipov@COMAPNY.NET (not the actual realm
name), not osipovmi@COMAPNY.NET.  ktutil unfortunately has no way to
specify the salt string or to retrieve it from the KDC; it can only use
the default salt for the principal name when adding a keytab entry using
a password.  The RC4 enctype does not use the salt, so you don't
encounter this problem when using only an RC4 key.

I believe that people generally have better luck with msktutil for
creating keytabs for use with Active Directory; it may solve this problem.

The secondary problem is that you are getting the error message "Invalid
argument" instead of something more accurate, like "Password incorrect"
or "Preauthentication failed."  I don't know the exact cause of this
problem yet, though I believe it has to do with our PKINIT code.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
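The salt problem described above can be made concrete. The following is an added example, not code from the thread or from MIT krb5: it builds the RFC 4120 default salt (realm followed by the name components, no separators) for a principal and runs the PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES string-to-key over a constructed sample password with both salts, which is enough to show that the KDC and the keytab end up with different keys when the salt strings disagree. The function names, the sample password and the keytab-versus-KDC comparison are this example's own; the final AES-based DK step of RFC 3962 is deliberately left out since the standard library has no AES, and it is deterministic anyway, so differing PBKDF2 outputs always give differing long-term keys. The RC4 enctype (RFC 4757) hashes only the UTF-16LE password with no salt, which is why it is unaffected.

```python
import hashlib

# RFC 3962 parameters for the AES enctypes.
AES_ITERATIONS_DEFAULT = 4096
AES_KEY_LEN = {"aes128-cts-hmac-sha1-96": 16, "aes256-cts-hmac-sha1-96": 32}


def parse_principal(principal: str):
    """Split 'comp1/comp2@REALM' into (components, realm).

    Simplification: assumes no backslash-escaped '/' or '@' in the name.
    """
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"principal must be name@REALM: {principal!r}")
    return name.split("/"), realm


def default_salt(principal: str) -> str:
    """RFC 4120 default salt: the realm, then every name component, no separators.

    This is the only salt ktutil can use when adding an entry with -password.
    """
    components, realm = parse_principal(principal)
    return realm + "".join(components)


def aes_pbkdf2_tkey(password: str, salt: str, enctype: str,
                    iterations: int = AES_ITERATIONS_DEFAULT) -> bytes:
    """First stage of the RFC 3962 AES string-to-key: PBKDF2-HMAC-SHA1.

    The RFC then applies DK(tkey, "kerberos") with AES; that step is omitted
    here (see the lead-in).  A different salt here already means a different
    final key.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations,
                               AES_KEY_LEN[enctype])


def salts_agree(kdc_principal: str, keytab_principal: str) -> bool:
    """Would a keytab built with ktutil's default salt match what the KDC used?"""
    return default_salt(kdc_principal) == default_salt(keytab_principal)


def demo():
    # Constructed sample password; the names are the two from the thread.
    password = "correct horse battery staple"
    kdc_name = "michael.osipov@COMAPNY.NET"   # name the KDC salted with
    keytab_name = "osipovmi@COMAPNY.NET"      # name handed to ktutil
    enctype = "aes256-cts-hmac-sha1-96"
    k_kdc = aes_pbkdf2_tkey(password, default_salt(kdc_name), enctype)
    k_keytab = aes_pbkdf2_tkey(password, default_salt(keytab_name), enctype)
    return {
        "kdc_salt": default_salt(kdc_name),
        "keytab_salt": default_salt(keytab_name),
        "keys_match": k_kdc == k_keytab,
    }


if __name__ == "__main__":
    for field, value in demo().items():
        print(f"{field}: {value}")
```

Run it and `keys_match` is `False` even though the password is identical on both sides, which is exactly the situation that produces a preauthentication failure with the AES entries while the unsalted RC4 entry keeps working. The PBKDF2 stage is checked against the first RFC 3962 Appendix B vector (iteration count 1, pass phrase "password", salt "ATHENA.MIT.EDUraeburn").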
