[37755] in Kerberos


Re: .kinit: Preauthentication failed while getting initial credentials

daemon@ATHENA.MIT.EDU (Todd Grayson)
Thu Oct 27 17:10:22 2016

MIME-Version: 1.0
In-Reply-To: <ldvwpgt20pa.fsf@sarnath.mit.edu>
From: Todd Grayson <tgrayson@cloudera.com>
Date: Thu, 27 Oct 2016 15:09:44 -0600
Message-ID: <CALNT6MV-aiFPnq0S=c2j724tCYsh5di2KSFR8SLd_JeOBR14ig@mail.gmail.com>
To: Tom Yu <tlyu@mit.edu>
Cc: Mubashir Kazia <mkazia@cloudera.com>,
        "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Interesting, Tom. We'll review that as well. I've added one of our team
members working with this in the field to the discussion as well.

Thomas, what version of Active Directory are you working with in
your attempts to get this functioning with AES?

On Thu, Oct 27, 2016 at 10:53 AM, Tom Yu <tlyu@mit.edu> wrote:

> Thomas Beaudry <thomas.beaudry@concordia.ca> writes:
>
> > So I got it to work by switching the encryption type.  In case anyone is
> > wondering, I used:  addent -password -p ${user} -k 1 -e rc4-hmac
>
> It's possible that the problem is related to password salting.  (The RC4
> enctype has no salt, but the AES ones do.)  We've observed that the salt
> for an Active Directory principal is related to the account name rather
> than the principal name, e.g., HOSTNAME$ for a computer account.  (An AD
> account can have multiple Kerberos principal names.)  Without the
> correct salt, the client can't produce the correct password-derived key.
>
> -Tom
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
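
The salting point in Tom Yu's quoted reply, as an added example that is not part of the original thread or written by any of its participants: it compares the default salt a client derives from the principal name with the account-based salt for an AD computer account, and checks whether the AES password-derived keys can agree. The AD salt layout follows MS-KILE and is an assumption not stated in the thread; the principal, account name and password are constructed sample values.

```python
import hashlib

def default_salt(principal: str) -> bytes:
    # RFC 4120 default salt: the realm, then the name components with no separators.
    name, realm = principal.rsplit("@", 1)
    return (realm + name.replace("/", "")).encode()

def ad_computer_salt(sam_account: str, realm: str) -> bytes:
    # Assumption (MS-KILE, not stated in the thread): a computer account is salted as
    # REALM + "host" + lowercase account name without "$" + "." + lowercase realm.
    host = sam_account.rstrip("$").lower()
    return (realm.upper() + "host" + host + "." + realm.lower()).encode()

def aes256_pbkdf2_stage(password: str, salt: bytes, iterations: int = 4096) -> bytes:
    # First stage of the RFC 3962 string-to-key function. The final DK() step is a
    # deterministic function of this value, so a mismatch here means the final
    # AES keys will not match in practice either.
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, 32)

def compare_salts(password: str, principal: str, sam_account: str, realm: str) -> dict:
    # Salt the client assumes from the principal vs. the salt tied to the AD account.
    client = default_salt(principal)
    kdc = ad_computer_salt(sam_account, realm)
    return {
        "client_salt": client.decode(),
        "kdc_salt": kdc.decode(),
        "keys_match": aes256_pbkdf2_stage(password, client)
        == aes256_pbkdf2_stage(password, kdc),
    }

if __name__ == "__main__":
    # Constructed sample values: two principal names on one computer account.
    for princ in ("HTTP/web01.example.com@EXAMPLE.COM",
                  "host/web01.example.com@EXAMPLE.COM"):
        result = compare_salts("Constructed-Passw0rd", princ, "WEB01$", "EXAMPLE.COM")
        print(princ, result)
```

RC4 (rc4-hmac) takes no salt at all, which is why switching enctypes hides the mismatch rather than fixing it.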
