[37743] in Kerberos
Re: .kinit: Preauthentication failed while getting initial credentials
daemon@ATHENA.MIT.EDU (Todd Grayson)
Wed Oct 26 14:48:58 2016
MIME-Version: 1.0
In-Reply-To: <1477506052111.6629@concordia.ca>
From: Todd Grayson <tgrayson@cloudera.com>
Date: Wed, 26 Oct 2016 12:48:16 -0600
Message-ID: <CALNT6MUmYjafHyU8DDidg2O5V_QfXqjoyf56NUD1KJPw1Wc1bw@mail.gmail.com>
To: Thomas Beaudry <thomas.beaudry@concordia.ca>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Is the KDC MIT? AD? Assuming MIT KDC:
use the kvno command to evaluate what the KDC thinks is current, vs klist
-kte .perform-admin.keytab
Verify the kvno (key version number) matches up from the keytab to what the
kdc states is the current version. Kinit as a working user first from the
cli, then attempt the kvno against the principal associated with the keytab
that is failing.
what is the command line you are using to export keytabs, the default
behavior is to randomize the key each export unless you specifically tell
it not to with -norandkey
http://krbdev.mit.edu/rt/Ticket/History.html?id=914
use -norandkey when exporting a keytab to prevent the key from being
changed...
On Wed, Oct 26, 2016 at 12:20 PM, Thomas Beaudry <
thomas.beaudry@concordia.ca> wrote:
> Hi Everyone,
>
>
> I am running into a strange problem. I can not get a kerberos ticket when
> using a keytab, but for 1 specific user only:
>
>
> This is the command i use:
>
>
> > kinit perform-admin -kt .perform-admin.keytab
>
> kinit: Preauthentication failed while getting initial credentials
>
>
> Now if I do:
>
> ?kinit
>
> then i get prompted for a password, and then a ticket is created.
>
>
> Like i said i can use a keytab for every other user and it does work, it
> is only for this 1 specific user that it fails. I have also tried creating
> new keytabs for this user but it still fails. I don't know if I have this
> problem because it's the same user that I used to join the REALM in the
> first place..
>
> Any thoughts?
>
> Thanks!
> Thomas Beaudry
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
--
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
