[37749] in Kerberos


Re: .kinit: Preauthentication failed while getting initial credentials

daemon@ATHENA.MIT.EDU (Todd Grayson)
Thu Oct 27 11:26:13 2016

In-Reply-To: <1477581815803.92803@concordia.ca>
From: Todd Grayson <tgrayson@cloudera.com>
Date: Thu, 27 Oct 2016 09:25:46 -0600
Message-ID: <CALNT6MVpaRBCMQKDcUR0sX5Ow=UUKmLrbD7eB-Y9_mFtL3yDZg@mail.gmail.com>
To: Thomas Beaudry <thomas.beaudry@concordia.ca>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>

You have to change the password after setting the checkbox.... Was that
done?

On Thu, Oct 27, 2016 at 9:23 AM, Thomas Beaudry <thomas.beaudry@concordia.ca
> wrote:

> Hi Todd,
>
>
> Thanks, I tried enabling the AES256 checkbox but that didn't fix the
> problem. Also, I checked other users and they don't have that checkbox
> clicked - so it isn't the issue.
>
>
> Any more thoughts as to what could be causing this 1 user to not be able
> to use a keytab?
>
>
> Thanks,
>
> Thomas
> ------------------------------
> *From:* Todd Grayson <tgrayson@cloudera.com>
> *Sent:* Wednesday, October 26, 2016 4:20 PM
>
> *To:* Thomas Beaudry
> *Cc:* kerberos@mit.edu
> *Subject:* Re: .kinit: Preauthentication failed while getting initial
> credentials
>
> No, in that case, forget the kvno; it is not going to come out correctly
> that way.
>
> It's for when you export the keytab from the KDC. In AD contexts like you
> are describing it becomes an invalid data point.
>
> On AD, verify the entry in the AD Users and Computers GUI, set the user
> entry to allow AES-256 and change the password for the user so you have a
> valid representation of the password on the AD side for your keytab's
> AES256.  If you right-click on the user and go into Properties, it's a
> selection list of checkboxes in one of the tabs in the GUI for the user
> entry edit.
>
> That, or don't pick aes256 for what you are setting up on the keytab;
> depending on the AD version you might have issues (e.g. if AD 2003 was in
> use).
>
>
>
> On Wed, Oct 26, 2016 at 12:52 PM, Thomas Beaudry <
> thomas.beaudry@concordia.ca> wrote:
>
>> Hi Todd,
>>
>>
>> Thanks for answering.   It's a Windows AD.  I'm using ktutil to create
>> the keytab:
>>
>>
>> addent -password -p perform-admin -k 1 -e aes256-cts-hmac-sha1-96
>>
>>
>> I'll look into the kvno.
>>
>>
>> Thomas
>>
>>
>> ------------------------------
>> *From:* Todd Grayson <tgrayson@cloudera.com>
>> *Sent:* Wednesday, October 26, 2016 2:48 PM
>> *To:* Thomas Beaudry
>> *Cc:* kerberos@mit.edu
>> *Subject:* Re: .kinit: Preauthentication failed while getting initial
>> credentials
>>
>> Is the KDC MIT? AD?  Assuming MIT KDC:
>>
>> use the kvno command to evaluate what the KDC thinks is current, vs klist
>> -kte .perform-admin.keytab
>>
>> Verify the kvno (key version number) matches up from the keytab to what
>> the kdc states is the current version.  Kinit as a working user first from
>> the cli, then attempt the kvno against the principal associated with the
>> keytab that is failing.
>>
>> What is the command line you are using to export keytabs? The default
>> behavior is to randomize the key on each export unless you specifically tell
>> it not to with -norandkey:
>>
>> http://krbdev.mit.edu/rt/Ticket/History.html?id=914
>>
>> use -norandkey when exporting a keytab to prevent the key from being
>> changed...
>>
>> On Wed, Oct 26, 2016 at 12:20 PM, Thomas Beaudry <
>> thomas.beaudry@concordia.ca> wrote:
>>
>>> Hi Everyone,
>>>
>>>
>>> I am running into a strange problem.  I cannot get a Kerberos ticket
>>> when using a keytab, but for 1 specific user only:
>>>
>>>
>>> This is the command I use:
>>>
>>>
>>> > kinit perform-admin -kt .perform-admin.keytab
>>>
>>> kinit: Preauthentication failed while getting initial credentials
>>>
>>>
>>> Now if I do:
>>>
>>> > kinit
>>>
>>> then I get prompted for a password, and then a ticket is created.
>>>
>>>
>>> Like I said, I can use a keytab for every other user and it does work; it
>>> is only for this 1 specific user that it fails.  I have also tried creating
>>> new keytabs for this user but it still fails.  I don't know if I have this
>>> problem because it's the same user that I used to join the REALM in the
>>> first place..
>>>
>>> Any thoughts?
>>>
>>> Thanks!
>>> Thomas Beaudry
>>>
>>
>>
>>
>>
>>
>
>
>
>


-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
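The kvno cross-check Todd describes for an MIT KDC (compare the KVNO column of `klist -kte` on the keytab with what the `kvno` command returns after a kinit as a working user), written out as a POSIX shell script. This is an added example, not code from this thread or from MIT Kerberos. The sample `klist` and `kvno` outputs are constructed, the realm EXAMPLE.COM is an assumption, and only the principal name perform-admin and the keytab file name come from the thread.

```shell
#!/bin/sh
# Added example: compare the kvno recorded in a keytab with the kvno the KDC
# reports for the same principal. A mismatch means the keytab holds a stale key
# (for example, one randomized by a later ktadd export without -norandkey).

# Constructed sample of: klist -kte .perform-admin.keytab
SAMPLE_KLIST='Keytab name: FILE:.perform-admin.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 10/26/2016 12:40:00 perform-admin@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 10/26/2016 12:40:00 perform-admin@EXAMPLE.COM (aes128-cts-hmac-sha1-96)'

# Constructed sample of: kvno perform-admin@EXAMPLE.COM
# (run after kinit as a working user; the KDC has already moved to kvno 3)
SAMPLE_KVNO='perform-admin@EXAMPLE.COM: kvno = 3'

# keytab_kvnos PRINCIPAL  (klist -kte output on stdin)
# Prints the distinct kvno values stored for PRINCIPAL. In -kte output the
# columns are: kvno, date, time, principal, (enctype), so the principal is $4.
keytab_kvnos() {
    awk -v p="$1" '$4 == p { print $1 }' | sort -u
}

# kdc_kvno  (kvno output on stdin)
# Extracts the number from a "principal: kvno = N" line.
kdc_kvno() {
    sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# check_kvno PRINCIPAL KLIST_TEXT KVNO_TEXT
# Returns 0 if every keytab entry for PRINCIPAL carries the KDC's current kvno,
# 1 on a mismatch, 2 if either side has no data for the principal.
check_kvno() {
    prin=$1
    kt=$(printf '%s\n' "$2" | keytab_kvnos "$prin")
    kdc=$(printf '%s\n' "$3" | kdc_kvno)
    [ -n "$kt" ]  || { echo "no entry for $prin in keytab" >&2; return 2; }
    [ -n "$kdc" ] || { echo "KDC returned no kvno for $prin" >&2; return 2; }
    for v in $kt; do
        if [ "$v" != "$kdc" ]; then
            echo "MISMATCH: keytab has kvno $v, KDC reports kvno $kdc for $prin" >&2
            return 1
        fi
    done
    echo "OK: keytab and KDC agree on kvno $kdc for $prin"
}

# live_check PRINCIPAL KEYTAB
# Same comparison against the real tools. Needs a valid ticket cache first
# (kinit as any working user), because kvno requests a service ticket.
live_check() {
    check_kvno "$1" "$(klist -kte "$2")" "$(kvno "$1" 2>&1)"
}

# Demonstration on the constructed samples: reports a mismatch (1 vs 3).
check_kvno perform-admin@EXAMPLE.COM "$SAMPLE_KLIST" "$SAMPLE_KVNO" || true
```

Against a live realm, `live_check perform-admin@EXAMPLE.COM .perform-admin.keytab` runs the same comparison on real output. As Todd notes above, this check only tells you something for keytabs exported from an MIT KDC; for a keytab built with `ktutil addent -password` against AD, the `-k` value is whatever you typed, so a match proves nothing about the key itself.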

