On 07/29/2015 07:43 AM, Osipov, Michael wrote:
> add_entry -password -p osipo...@comapny.net -k 1 -e aes256-cts-hmac-sha1-96
> add_entry -password -p osipo...@comapny.net -k 1 -e aes128-cts-hmac-sha1-96
> add_entry -password -p osipo...@comapny.net -k 1 -e arcfour-hmac
[...]
> kinit: Invalid argument while getting initial credentials

Your primary problem here has to do with salts. From the trace logs you provided me, the salt string for this principal was constructed using the principal name michael.osi...@comapny.net (not the actual realm name), not osipo...@comapny.net. ktutil unfortunately has no way to specify the salt string or to retrieve it from the KDC; it can only use the default salt for the principal name when adding a keytab entry using a password. The RC4 enctype does not use the salt, so you don't encounter this problem when using only an RC4 key.

I believe that people generally have better luck with msktutil for creating keytabs for use with Active Directory; it may solve this problem.

The secondary problem is that you are getting the error message "Invalid argument" instead of something more accurate, like "Password incorrect" or "Preauthentication failed." I don't know the exact cause of this problem yet, though I believe it has to do with our PKINIT code.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
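
The salt mismatch described in the reply above, as an added example that is not part of the original message or of MIT krb5: it builds the RFC 4120 default salt from a principal name and runs the PBKDF2 stage of the RFC 3962 AES string-to-key (the final DK step is omitted), showing that the same password yields different key material when the KDC salted with a different name. The principal names, realm and password are constructed placeholders, and the function names are hypothetical.

```python
import hashlib

# Key sizes in bytes for the two AES enctypes in the quoted ktutil commands.
AES_KEY_BYTES = {"aes128-cts-hmac-sha1-96": 16, "aes256-cts-hmac-sha1-96": 32}


def default_salt(principal):
    """RFC 4120 default salt: realm, then the name components, no separators."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("expected name@REALM, got %r" % principal)
    return (realm + "".join(name.split("/"))).encode("utf-8")


def pbkdf2_stage(password, salt, enctype, iterations=4096):
    """PBKDF2-HMAC-SHA1 stage of the AES string-to-key (RFC 3962).

    The real key is DK(this value, "kerberos"); DK is deterministic, so a
    mismatch here means the final keys differ as well.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, AES_KEY_BYTES[enctype])


def keys_match(password, keytab_principal, kdc_salt_principal, enctype):
    """Would a default-salt keytab entry agree with the key the KDC holds?"""
    local = pbkdf2_stage(password, default_salt(keytab_principal), enctype)
    kdc = pbkdf2_stage(password, default_salt(kdc_salt_principal), enctype)
    return local == kdc


# Constructed sample values, not taken from the thread.
KEYTAB_NAME = "jdoe@EXAMPLE.COM"        # name given to add_entry -p
KDC_SALT_NAME = "john.doe@EXAMPLE.COM"  # name the KDC used for the salt
PASSWORD = "correct horse battery staple"

if __name__ == "__main__":
    for enctype in AES_KEY_BYTES:
        ok = keys_match(PASSWORD, KEYTAB_NAME, KDC_SALT_NAME, enctype)
        print(enctype, "match" if ok else "MISMATCH (salt differs)")
```
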