[37754] in Kerberos
Re: .kinit: Preauthentication failed while getting initial credentials
daemon@ATHENA.MIT.EDU (Tom Yu)
Thu Oct 27 12:53:24 2016
From: Tom Yu <tlyu@mit.edu>
To: Thomas Beaudry <thomas.beaudry@concordia.ca>
Date: Thu, 27 Oct 2016 12:53:05 -0400
In-Reply-To: <1477583987136.56585@concordia.ca> (Thomas Beaudry's message of
"Thu, 27 Oct 2016 15:59:46 +0000")
Message-ID: <ldvwpgt20pa.fsf@sarnath.mit.edu>
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Thomas Beaudry <thomas.beaudry@concordia.ca> writes:
> So i got it to work by switch the encryption type. In case anyone is wondering i used: addent -password -p ${user} -k 1 -e rc4-hmac
It's possible that the problem is related to password salting. (The RC4
enctype has no salt, but the AES ones do.) We've observed that the salt
for an Active Directory principal is related to the account name rather
than the principal name, e.g., HOSTNAME$ for a computer account. (An AD
account can have multiple Kerberos principal names.) Without the
correct salt, the client can't produce the correct password-derived key.
-Tom
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
