Re: [Freeipa-users] Not able to get kerberos ticket from keytab

2016-02-26 Thread Martin Kosek
On 02/26/2016 10:31 AM, Teik Hooi Beh wrote:
> And yes, I also need to include -s ipaserver in the ipa-getkeytab command,
> otherwise it kept giving a wrong usage error

Just for the record, this should no longer be needed from FreeIPA 4.3.0:
https://fedorahosted.org/freeipa/ticket/2203

> On Fri, Feb 26, 2016 at 10:29 PM, Teik Hooi Beh wrote:
> [...]

Re: [Freeipa-users] Not able to get kerberos ticket from keytab

2016-02-26 Thread Teik Hooi Beh
And yes, I also need to include -s ipaserver in the ipa-getkeytab command,
otherwise it kept giving a wrong usage error

On Fri, Feb 26, 2016 at 10:29 PM, Teik Hooi Beh wrote:

> [...]

Re: [Freeipa-users] Not able to get kerberos ticket from keytab

2016-02-26 Thread Teik Hooi Beh
Thanks. It's working now using ipa-getkeytab.

Correct me if I am wrong (as I am new to FreeIPA): using ktutil I could add
multiple users to a keytab file (correct???), but in this case, using
ipa-getkeytab, can I do the same?

On Fri, Feb 26, 2016 at 9:15 PM, David Kupka wrote:

> [...]

Re: [Freeipa-users] Not able to get kerberos ticket from keytab

2016-02-26 Thread David Kupka

On 26/02/16 08:56, David Kupka wrote:

On 26/02/16 02:22, Teik Hooi Beh wrote:

[...]

Re: [Freeipa-users] Not able to get kerberos ticket from keytab

2016-02-26 Thread David Kupka

On 26/02/16 02:22, Teik Hooi Beh wrote:

[...]

[Freeipa-users] Not able to get kerberos ticket from keytab

2016-02-25 Thread Teik Hooi Beh
Hi,

I have managed to deploy 1 IPA master and 1 IPA client with success on
CentOS 7.2 with FreeIPA v4.2. I also managed to create a user and set
sshd rules for the ttester user, and also successfully got a krb ticket
using kinit ttes...@example.my. I am trying to deploy password-less SSH
login with Kerberos using the following guide (
https://uz.sns.it/~enrico/wordpress/2014/03/password-less-ssh-login-with-kerberos/)

- snippet -

$ ktutil
ktutil: add_entry -password -p ttes...@example.my -k 1 -e aes256-cts-hmac-sha1-96
ktutil: write_kt keytab

When I tried kinit -kt keytab ttes...@example.my, I get "kinit: Password
incorrect while getting initial credentials".
Doing a trace using KRB5_TRACE on both calls:

1. KRB5_TRACE=/dev/stderr kinit ttes...@example.my
[27242] 1456447025.219676: Getting initial credentials for ttes...@example.my
[27242] 1456447025.222070: Sending request (164 bytes) to EXAMPLE.MY
[27242] 1456447025.23: Resolving hostname node1.example.my
[27242] 1456447035.238004: Initiating TCP connection to stream
192.168.38.2:88
[27242] 1456447035.238675: Sending TCP request to stream 192.168.38.2:88
[27242] 1456447035.241248: Received answer (337 bytes) from stream
192.168.38.2:88
[27242] 1456447035.241257: Terminating TCP connection to stream
192.168.38.2:88
[27242] 1456447035.241377: Response was from master KDC
[27242] 1456447035.241437: Received error from KDC: -1765328359/Additional
pre-authentication required
[27242] 1456447035.241484: Processing preauth types: 136, 19, 2, 133
[27242] 1456447035.241499: Selected etype info: etype aes256-cts, salt
"s`GD^,#=cA:Vr9hD", params ""
[27242] 1456447035.241504: Received cookie: MIT
Password for ttes...@example.my:
[27242] 1456447062.215750: AS key obtained for encrypted timestamp:
aes256-cts/73C6
[27242] 1456447062.215815: Encrypted timestamp (for 1456447062.215315):
plain 301AA011180F32303136303232363030333734325AA1050203034913, encrypted
F9A2E97E916FC14D141690E151A25DCC00168361179C7F0ACDA94C7F58F3D50429780A5608A6B8623E355F2A5BD676F6FA5272D38FD05C8B
[27242] 1456447062.215942: Preauth module encrypted_timestamp (2) (real)
returned: 0/Success
[27242] 1456447062.215948: Produced preauth for next request: 133, 2
[27242] 1456447062.215965: Sending request (257 bytes) to EXAMPLE.MY
[27242] 1456447062.216010: Resolving hostname node1.example.my
[27242] 1456447072.229254: Initiating TCP connection to stream
192.168.38.2:88
[27242] 1456447072.229655: Sending TCP request to stream 192.168.38.2:88
[27242] 1456447072.236955: Received answer (722 bytes) from stream
192.168.38.2:88
[27242] 1456447072.236974: Terminating TCP connection to stream
192.168.38.2:88
[27242] 1456447072.237080: Response was from master KDC
[27242] 1456447072.237117: Processing preauth types: 19
[27242] 1456447072.237125: Selected etype info: etype aes256-cts, salt
"s`GD^,#=cA:Vr9hD", params ""
[27242] 1456447072.237131: Produced preauth for next request: (empty)
[27242] 1456447072.237140: AS key determined by preauth: aes256-cts/73C6
[27242] 1456447072.237199: Decrypted AS reply; session key is:
aes256-cts/2A71
[27242] 1456447072.237216: FAST negotiation: available
[27242] 1456447072.237236: Initializing KEYRING:persistent:1000:1000 with
default princ ttes...@example.my
[27242] 1456447072.237275: Storing ttes...@example.my ->
krbtgt/example...@example.my in KEYRING:persistent:1000:1000
[27242] 1456447072.237330: Storing config in KEYRING:persistent:1000:1000
for krbtgt/example...@example.my: fast_avail: yes
[27242] 1456447072.237345: Storing ttes...@example.my ->
krb5_ccache_conf_data/fast_avail/krbtgt\/EXAMPLE.MY\@EXAMPLE.MY@X-CACHECONF:
in KEYRING:persistent:1000:1000
[27242] 1456447072.237371: Storing config in KEYRING:persistent:1000:1000
for krbtgt/example...@example.my: pa_type: 2
[27242] 1456447072.237380: Storing ttes...@example.my ->
krb5_ccache_conf_data/pa_type/krbtgt\/EXAMPLE.MY\@EXAMPLE.MY@X-CACHECONF:
in KEYRING:persistent:1000:1000

2. KRB5_TRACE=/dev/stderr kinit -kt keytab ttes...@example.my
[27248] 1456447236.144685: Getting initial credentials for
ttes...@example.my
[27248] 1456447236.147107: Looked up etypes in keytab: aes256-cts
[27248] 1456447236.147255: Sending request (164 bytes) to EXAMPLE.MY
[27248] 1456447236.147381: Resolving hostname node1.example.my
[27248] 1456447246.161528: Initiating TCP connection to stream
192.168.38.2:88
[27248] 1456447246.161970: Sending TCP request to stream 192.168.38.2:88
[27248] 1456447246.164772: Received answer (337 bytes) from stream
192.168.38.2:88
[27248] 1456447246.164791: Terminating TCP connection to stream
192.168.38.2:88
[27248] 1456447246.164904: Response was from master KDC
[27248] 1456447246.164943: Received error from KDC: -1765328359/Additional
pre-authentication required
[27248] 1456447246.164987: Processing preauth types: 136, 19, 2, 133
[27248] 1456447246.164997: Selected etype info: etype aes256-cts, salt
"s`GD^,#=cA:Vr9hD", params ""
[27248] 1456447246.165001: Received cookie: MIT
[27248]
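
Why the ktutil keytab fails while the password kinit works, as an added explanation and example that is not part of the thread: in trace 1 the KDC's first reply carries the salt it used for this principal's key, "s`GD^,#=cA:Vr9hD", and kinit derives the key from the password plus that salt before encrypting the timestamp. ktutil add_entry -password never talks to the KDC; without a salt option it derives the key with MIT's default salt (the realm followed by the principal's name components, here EXAMPLE.MYttester), so the key written to the keytab is not the one the KDC holds, the encrypted-timestamp pre-authentication in trace 2 cannot be verified, and the KDC reports the same "Password incorrect" it would for a wrong password. The Go program below implements the RFC 3962 aes256-cts-hmac-sha1-96 string-to-key with only the standard library (PBKDF2-HMAC-SHA1, then the RFC 3961 DK step with the n-folded constant "kerberos") and derives the key both ways. The password "Secret123" is invented, ttester@EXAMPLE.MY spells out the principal the archive shows as ttes...@example.my, and the KDC salt is copied from the trace.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// kerberosNFold is the RFC 3961 n-fold of the ASCII string "kerberos" to the
// 128-bit AES block size, the constant that DK() feeds to the cipher.
var kerberosNFold = []byte{
	0x6b, 0x65, 0x72, 0x62, 0x65, 0x72, 0x6f, 0x73,
	0x7b, 0x9b, 0x5b, 0x2b, 0x93, 0x13, 0x2b, 0x93,
}

// DefaultIterations is the RFC 3962 default when the KDC sends no s2kparams.
const DefaultIterations = 4096

// pbkdf2SHA1 is RFC 2898 PBKDF2 with HMAC-SHA1, written out here so the
// program needs nothing outside the standard library.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	ctr := make([]byte, 4)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		binary.BigEndian.PutUint32(ctr, block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(ctr)
		u := prf.Sum(nil)              // U1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...) // T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// deriveKey is RFC 3961 DK(tkey, "kerberos") for AES: encrypt the n-folded
// constant with a zero IV, then each ciphertext block again, until the key is
// full. One block of CBC-CTS with IV=0 is a plain block encryption.
func deriveKey(tkey []byte) []byte {
	cipher, err := aes.NewCipher(tkey)
	if err != nil {
		panic(err)
	}
	key := make([]byte, 0, len(tkey))
	prev := kerberosNFold
	for len(key) < len(tkey) {
		next := make([]byte, aes.BlockSize)
		cipher.Encrypt(next, prev)
		key = append(key, next...)
		prev = next
	}
	return key[:len(tkey)]
}

// AES256StringToKey is the RFC 3962 string-to-key for aes256-cts-hmac-sha1-96:
// PBKDF2-HMAC-SHA1(password, salt, iterations) to 32 bytes, then DK.
func AES256StringToKey(password, salt string, iterations int) []byte {
	return deriveKey(pbkdf2SHA1([]byte(password), []byte(salt), iterations, 32))
}

// DefaultSalt is MIT's krb5_principal2salt: the realm followed by the name
// components with no separators, e.g. EXAMPLE.MYttester.
func DefaultSalt(principal string) string {
	at := strings.LastIndex(principal, "@")
	return principal[at+1:] + strings.ReplaceAll(principal[:at], "/", "")
}

func main() {
	// Constructed inputs: the password is invented, the principal spells out the
	// redacted ttes...@example.my, and the salt is the one the KDC sent in the
	// KRB5_TRACE output ("Selected etype info: etype aes256-cts, salt ...").
	password, principal := "Secret123", "ttester@EXAMPLE.MY"
	kdcSalt := "s`GD^,#=cA:Vr9hD"
	ktutilKey := AES256StringToKey(password, DefaultSalt(principal), DefaultIterations)
	kdcKey := AES256StringToKey(password, kdcSalt, DefaultIterations)
	fmt.Printf("ktutil default salt %q -> %s\n", DefaultSalt(principal), hex.EncodeToString(ktutilKey))
	fmt.Printf("KDC salt            %q -> %s\n", kdcSalt, hex.EncodeToString(kdcKey))
	fmt.Println("keytab key matches KDC key:", hex.EncodeToString(ktutilKey) == hex.EncodeToString(kdcKey))
}
```

The two keys differ, and that difference is the whole failure. Two ways to get a keytab whose key matches the KDC's: ipa-getkeytab, as the thread settled on (note that unless run in retrieve mode, -r, where the installed version offers it, it generates a new random key for the principal and invalidates the previous one, so for a user principal the old password stops working); or, on MIT krb5 releases whose ktutil add_entry accepts -f (fetch the salt from the KDC) or -s salt, supplying the right salt. Either way, confirm with `klist -kte keytab` and a `KRB5_TRACE=/dev/stderr kinit -kt keytab` run afterwards.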