[37743] in Kerberos


Re: .kinit: Preauthentication failed while getting initial credentials

daemon@ATHENA.MIT.EDU (Todd Grayson)
Wed Oct 26 14:48:58 2016

MIME-Version: 1.0
In-Reply-To: <1477506052111.6629@concordia.ca>
From: Todd Grayson <tgrayson@cloudera.com>
Date: Wed, 26 Oct 2016 12:48:16 -0600
Message-ID: <CALNT6MUmYjafHyU8DDidg2O5V_QfXqjoyf56NUD1KJPw1Wc1bw@mail.gmail.com>
To: Thomas Beaudry <thomas.beaudry@concordia.ca>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Is the KDC MIT? AD?  Assuming MIT KDC:

Use the kvno command to evaluate what the KDC thinks is current, vs klist
-kte .perform-admin.keytab

Verify the kvno (key version number) matches up from the keytab to what the
KDC states is the current version.  Kinit as a working user first from the
CLI, then attempt the kvno against the principal associated with the keytab
that is failing.

What is the command line you are using to export keytabs? The default
behavior is to randomize the key each export unless you specifically tell
it not to with -norandkey.

http://krbdev.mit.edu/rt/Ticket/History.html?id=914

Use -norandkey when exporting a keytab to prevent the key from being
changed...

On Wed, Oct 26, 2016 at 12:20 PM, Thomas Beaudry <
thomas.beaudry@concordia.ca> wrote:

> Hi Everyone,
>
>
> I am running into a strange problem.  I cannot get a Kerberos ticket when
> using a keytab, but for 1 specific user only:
>
>
> This is the command I use:
>
>
> > kinit perform-admin -kt .perform-admin.keytab
>
> kinit: Preauthentication failed while getting initial credentials
>
>
> Now if I do:
>
> kinit
>
> then I get prompted for a password, and then a ticket is created.
>
>
> Like I said I can use a keytab for every other user and it does work, it
> is only for this 1 specific user that it fails.  I have also tried creating
> new keytabs for this user but it still fails.  I don't know if I have this
> problem because it's the same user that I used to join the REALM in the
> first place..
>
> Any thoughts?
>
> Thanks!
> Thomas Beaudry
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
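
The kvno comparison suggested in the reply above, as an added example that is
not part of the original message: it parses "klist -kte" and "kvno" output and
reports whether the keytab's key version matches the KDC's. The EXAMPLE.COM
realm and both sample outputs are constructed, and the function names are
hypothetical.

```shell
#!/bin/sh
# Added example: compare the kvno stored in a keytab with the kvno the KDC
# reports for the same principal. Sample outputs are constructed.

# Highest KVNO for principal $1 in `klist -kte <keytab>` output on stdin.
keytab_kvno() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ {
            for (i = 2; i <= NF; i++)
                if ($i == p && $1 + 0 > max) max = $1 + 0
        }
        END { print max + 0 }'   # prints 0 when the principal is absent
}

# kvno from `kvno <principal>` output ("name@REALM: kvno = N") on stdin.
kdc_kvno() {
    awk -v p="$1" -F': kvno = ' '$1 == p { print $2 + 0 }'
}

# $1 = keytab kvno, $2 = KDC kvno. Prints match, stale or unknown.
compare_kvno() {
    case "$1:$2" in :*|*:) echo unknown; return 0 ;; esac
    if [ "$1" -eq "$2" ]; then echo match; else echo stale; fi
}

# Constructed sample data (not taken from the thread).
SAMPLE_KLIST='Keytab name: FILE:.perform-admin.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------
   3 10/26/2016 12:00:00 perform-admin@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 10/26/2016 12:00:00 perform-admin@EXAMPLE.COM (aes128-cts-hmac-sha1-96)'
SAMPLE_KVNO='perform-admin@EXAMPLE.COM: kvno = 4'

P='perform-admin@EXAMPLE.COM'
kt=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_kvno "$P")
kdc=$(printf '%s\n' "$SAMPLE_KVNO" | kdc_kvno "$P")
echo "keytab kvno=$kt KDC kvno=$kdc: $(compare_kvno "$kt" "$kdc")"

# Against a live realm, after kinit as a working user:
#   klist -kte .perform-admin.keytab | keytab_kvno "$P"
#   kvno "$P" | kdc_kvno "$P"
```

A "stale" result means the keytab holds a different key version than the KDC
currently has for the principal, so the keytab needs to be exported again.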