Hi Todd,
So I got it to work by switching the encryption type. In case anyone is wondering,
I used: addent -password -p ${user} -k 1 -e rc4-hmac
Thank you so much for your help - I really didn't know where to look to start
off with.
Have a great day!
Thomas
________________________________
From: Thomas Beaudry
Sent: Thursday, October 27, 2016 11:37 AM
To: Todd Grayson
Cc: [email protected]
Subject: Re: .kinit: Preauthentication failed while getting initial credentials
Hi Todd,
Yes, I changed the password. Still the same problem.
Thanks!
Thomas
________________________________
From: Todd Grayson <[email protected]>
Sent: Thursday, October 27, 2016 11:25 AM
To: Thomas Beaudry
Cc: [email protected]
Subject: Re: .kinit: Preauthentication failed while getting initial credentials
You have to change the password after setting the checkbox... Was that done?
On Thu, Oct 27, 2016 at 9:23 AM, Thomas Beaudry
<[email protected]> wrote:
Hi Todd,
Thanks, I tried enabling the AES256 checkbox but that didn't fix the problem.
Also, I checked other users and they don't have that checkbox clicked - so it
isn't the issue.
Any more thoughts as to what could be causing this 1 user to not be able to use
a keytab?
Thanks,
Thomas
________________________________
From: Todd Grayson <[email protected]>
Sent: Wednesday, October 26, 2016 4:20 PM
To: Thomas Beaudry
Cc: [email protected]
Subject: Re: .kinit: Preauthentication failed while getting initial credentials
No, in that case, forget the kvno; it is not going to come out correctly that
way.
It's for when you export the keytab from the KDC; in AD contexts like you are
describing it becomes an invalid data point.
On AD, verify the entry in the AD Users and Computers GUI, set the user entry
to allow AES-256 and change the password for the user so you have a valid
representation of the password on the AD side for your keytab's AES256. If you
right-click on the users and go into properties, it's a selection list of
checkboxes in one of the tabs in the GUI for the user entry edit.
That, or don't pick aes256 for what you are setting up on the keytab; depending
on the AD version you might have issues (e.g. if AD 2003 was in use).
On Wed, Oct 26, 2016 at 12:52 PM, Thomas Beaudry
<[email protected]> wrote:
Hi Todd,
Thanks for answering. It's a windows AD. I'm using ktutil to create the
keytab:
addent -password -p perform-admin -k 1 -e aes256-cts-hmac-sha1-96
I'll look into the kvno.
Thomas
________________________________
From: Todd Grayson <[email protected]>
Sent: Wednesday, October 26, 2016 2:48 PM
To: Thomas Beaudry
Cc: [email protected]
Subject: Re: .kinit: Preauthentication failed while getting initial credentials
Is the KDC MIT? AD? Assuming MIT KDC:
Use the kvno command to evaluate what the KDC thinks is current, vs klist -kte
.perform-admin.keytab
Verify the kvno (key version number) matches up from the keytab to what the KDC
states is the current version. Kinit as a working user first from the CLI,
then attempt the kvno against the principal associated with the keytab that is
failing.
What is the command line you are using to export keytabs? The default behavior
is to randomize the key each export unless you specifically tell it not to with
-norandkey
http://krbdev.mit.edu/rt/Ticket/History.html?id=914
Use -norandkey when exporting a keytab to prevent the key from being changed...
On Wed, Oct 26, 2016 at 12:20 PM, Thomas Beaudry
<[email protected]> wrote:
Hi Everyone,
I am running into a strange problem. I cannot get a Kerberos ticket when
using a keytab, but for 1 specific user only:
This is the command I use:
> kinit perform-admin -kt .perform-admin.keytab
kinit: Preauthentication failed while getting initial credentials
Now if I do:
kinit
then I get prompted for a password, and then a ticket is created.
Like I said, I can use a keytab for every other user and it does work; it is
only for this 1 specific user that it fails. I have also tried creating new
keytabs for this user but it still fails. I don't know if I have this problem
because it's the same user that I used to join the REALM in the first place.
Any thoughts?
Thanks!
Thomas Beaudry
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
--
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
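
The AD-side check discussed in the thread (does each enctype in the keytab match what the account is set to allow), as an added example that is not part of the original messages: it parses klist -kte output and lists keytab entries whose enctype bit is absent from the account's msDS-SupportedEncryptionTypes value. The klist output, the EXAMPLE.COM realm and the mask values below are constructed; the mask is assumed to have been read from the AD user object by the operator.

```python
import re

# Bit values of the AD attribute msDS-SupportedEncryptionTypes.
ENCTYPE_BITS = {
    "des-cbc-crc": 0x01,
    "des-cbc-md5": 0x02,
    "rc4-hmac": 0x04,
    "arcfour-hmac": 0x04,  # name MIT klist prints for rc4-hmac
    "aes128-cts-hmac-sha1-96": 0x08,
    "aes256-cts-hmac-sha1-96": 0x10,
}

# One entry line of `klist -kte`: KVNO, timestamp, principal, (enctype).
ENTRY = re.compile(r"^\s*(\d+)\s+.*?\s(\S+@\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")

# Constructed sample output; realm and timestamps are placeholders.
SAMPLE_KLIST = """\
Keytab name: FILE:.perform-admin.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------
   1 10/27/2016 11:40:02 perform-admin@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 10/27/2016 11:41:15 perform-admin@EXAMPLE.COM (arcfour-hmac)
"""

def parse_klist(text):
    """Return (kvno, principal, enctype) for every keytab entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # header and separator lines do not match
            entries.append((int(m.group(1)), m.group(2), m.group(3).lower()))
    return entries

def uncovered_entries(klist_text, supported_mask):
    """Entries whose enctype is unknown or not enabled in supported_mask."""
    flagged = []
    for kvno, principal, enctype in parse_klist(klist_text):
        bit = ENCTYPE_BITS.get(enctype)
        if bit is None or not (supported_mask & bit):
            flagged.append((kvno, principal, enctype))
    return flagged

if __name__ == "__main__":
    # 0x04: only RC4 enabled; 0x1C: RC4 + AES128 + AES256 enabled.
    for mask in (0x04, 0x1C):
        print(hex(mask), uncovered_entries(SAMPLE_KLIST, mask))
```
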