Re: [Freeipa-users] Not able to get kerberos ticket from keytab
On 02/26/2016 10:31 AM, Teik Hooi Beh wrote:
> And yes, I also need to include -s ipaserver in the ipa-getkeytab command,
> otherwise it kept giving a wrong usage error.

Just for the record, this should no longer be needed from FreeIPA 4.3.0:
https://fedorahosted.org/freeipa/ticket/2203
Re: [Freeipa-users] Not able to get kerberos ticket from keytab
And yes, I also need to include -s ipaserver in the ipa-getkeytab command, otherwise it kept giving a wrong usage error.

On Fri, Feb 26, 2016 at 10:29 PM, Teik Hooi Beh wrote:
> Thanks. It's working now using ipa-getkeytab.
>
> Correct me if I am wrong (as I am new to freeipa): using ktutil I could
> add multiple users to a keytab file (correct???), but in this case, using
> ipa-getkeytab, can I do the same?
Re: [Freeipa-users] Not able to get kerberos ticket from keytab
Thanks. It's working now using ipa-getkeytab.

Correct me if I am wrong (as I am new to freeipa): using ktutil I could add multiple users to a keytab file (correct???), but in this case, using ipa-getkeytab, can I do the same?

On Fri, Feb 26, 2016 at 9:15 PM, David Kupka wrote:
Re: [Freeipa-users] Not able to get kerberos ticket from keytab
On 26/02/16 08:56, David Kupka wrote:
> On 26/02/16 02:22, Teik Hooi Beh wrote:
Re: [Freeipa-users] Not able to get kerberos ticket from keytab
On 26/02/16 02:22, Teik Hooi Beh wrote:
[Freeipa-users] Not able to get kerberos ticket from keytab
Hi,

I have managed to deploy 1 ipa master and 1 ipa client with success on centos 7.2 with freeipa v4.2. I also managed to create a user and set sshd-rules for the ttester user, and also successfully get a krb ticket using kinit ttes...@example.my. I am trying to deploy password-less SSH login with kerberos using the following guide (https://uz.sns.it/~enrico/wordpress/2014/03/password-less-ssh-login-with-kerberos/)

- snippet -

$ ktutil
ktutil: add_entry -password -p ttes...@example.my -k 1 -e aes256-cts-hmac-sha1-96
ktutil: write_kt keytab

When I tried kinit -kt keytab ttes...@example.my, I get "kinit: Password incorrect while getting initial credentials".
Doing a trace using KRB5_TRACE on both calls:

1. KRB5_TRACE=/dev/stderr kinit ttes...@example.my

[27242] 1456447025.219676: Getting initial credentials for ttes...@example.my
[27242] 1456447025.222070: Sending request (164 bytes) to EXAMPLE.MY
[27242] 1456447025.23: Resolving hostname node1.example.my
[27242] 1456447035.238004: Initiating TCP connection to stream 192.168.38.2:88
[27242] 1456447035.238675: Sending TCP request to stream 192.168.38.2:88
[27242] 1456447035.241248: Received answer (337 bytes) from stream 192.168.38.2:88
[27242] 1456447035.241257: Terminating TCP connection to stream 192.168.38.2:88
[27242] 1456447035.241377: Response was from master KDC
[27242] 1456447035.241437: Received error from KDC: -1765328359/Additional pre-authentication required
[27242] 1456447035.241484: Processing preauth types: 136, 19, 2, 133
[27242] 1456447035.241499: Selected etype info: etype aes256-cts, salt "s`GD^,#=cA:Vr9hD", params ""
[27242] 1456447035.241504: Received cookie: MIT
Password for ttes...@example.my:
[27242] 1456447062.215750: AS key obtained for encrypted timestamp: aes256-cts/73C6
[27242] 1456447062.215815: Encrypted timestamp (for 1456447062.215315): plain 301AA011180F32303136303232363030333734325AA1050203034913, encrypted F9A2E97E916FC14D141690E151A25DCC00168361179C7F0ACDA94C7F58F3D50429780A5608A6B8623E355F2A5BD676F6FA5272D38FD05C8B
[27242] 1456447062.215942: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[27242] 1456447062.215948: Produced preauth for next request: 133, 2
[27242] 1456447062.215965: Sending request (257 bytes) to EXAMPLE.MY
[27242] 1456447062.216010: Resolving hostname node1.example.my
[27242] 1456447072.229254: Initiating TCP connection to stream 192.168.38.2:88
[27242] 1456447072.229655: Sending TCP request to stream 192.168.38.2:88
[27242] 1456447072.236955: Received answer (722 bytes) from stream 192.168.38.2:88
[27242] 1456447072.236974: Terminating TCP connection to stream 192.168.38.2:88
[27242] 1456447072.237080: Response was from master KDC
[27242] 1456447072.237117: Processing preauth types: 19
[27242] 1456447072.237125: Selected etype info: etype aes256-cts, salt "s`GD^,#=cA:Vr9hD", params ""
[27242] 1456447072.237131: Produced preauth for next request: (empty)
[27242] 1456447072.237140: AS key determined by preauth: aes256-cts/73C6
[27242] 1456447072.237199: Decrypted AS reply; session key is: aes256-cts/2A71
[27242] 1456447072.237216: FAST negotiation: available
[27242] 1456447072.237236: Initializing KEYRING:persistent:1000:1000 with default princ ttes...@example.my
[27242] 1456447072.237275: Storing ttes...@example.my -> krbtgt/example...@example.my in KEYRING:persistent:1000:1000
[27242] 1456447072.237330: Storing config in KEYRING:persistent:1000:1000 for krbtgt/example...@example.my: fast_avail: yes
[27242] 1456447072.237345: Storing ttes...@example.my -> krb5_ccache_conf_data/fast_avail/krbtgt\/EXAMPLE.MY\@EXAMPLE.MY@X-CACHECONF: in KEYRING:persistent:1000:1000
[27242] 1456447072.237371: Storing config in KEYRING:persistent:1000:1000 for krbtgt/example...@example.my: pa_type: 2
[27242] 1456447072.237380: Storing ttes...@example.my -> krb5_ccache_conf_data/pa_type/krbtgt\/EXAMPLE.MY\@EXAMPLE.MY@X-CACHECONF: in KEYRING:persistent:1000:1000

2. KRB5_TRACE=/dev/stderr kinit -kt keytab ttes...@example.my

[27248] 1456447236.144685: Getting initial credentials for ttes...@example.my
[27248] 1456447236.147107: Looked up etypes in keytab: aes256-cts
[27248] 1456447236.147255: Sending request (164 bytes) to EXAMPLE.MY
[27248] 1456447236.147381: Resolving hostname node1.example.my
[27248] 1456447246.161528: Initiating TCP connection to stream 192.168.38.2:88
[27248] 1456447246.161970: Sending TCP request to stream 192.168.38.2:88
[27248] 1456447246.164772: Received answer (337 bytes) from stream 192.168.38.2:88
[27248] 1456447246.164791: Terminating TCP connection to stream 192.168.38.2:88
[27248] 1456447246.164904: Response was from master KDC
[27248] 1456447246.164943: Received error from KDC: -1765328359/Additional pre-authentication required
[27248] 1456447246.164987: Processing preauth types: 136, 19, 2, 133
[27248] 1456447246.164997: Selected etype info: etype aes256-cts, salt "s`GD^,#=cA:Vr9hD", params ""
[27248] 1456447246.165001: Received cookie: MIT
[27248]
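Both traces show the KDC selecting etype aes256-cts with the salt "s`GD^,#=cA:Vr9hD" rather than the RFC 4120 default salt (realm followed by the principal name components), so a key that ktutil add_entry -password derives from the password with the default salt cannot equal the key the KDC holds, which kinit reports as "Password incorrect". As an added example (not from this thread or from FreeIPA), the Python checker below pulls those fields out of a KRB5_TRACE log and compares the salts; the sample lines are modelled on the posted traces, and the principal ttester@EXAMPLE.MY is a constructed value because the archive elides it.

```python
import re

# Constructed sample lines, modelled on the traces in the original post; the
# principal ttester@EXAMPLE.MY is a constructed value (the archive elides it).
PASSWORD_KINIT_TRACE = """\
[27242] 1456447025.219676: Getting initial credentials for ttester@EXAMPLE.MY
[27242] 1456447035.241437: Received error from KDC: -1765328359/Additional pre-authentication required
[27242] 1456447035.241484: Processing preauth types: 136, 19, 2, 133
[27242] 1456447035.241499: Selected etype info: etype aes256-cts, salt "s`GD^,#=cA:Vr9hD", params ""
[27242] 1456447062.215942: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[27242] 1456447072.237199: Decrypted AS reply; session key is: aes256-cts/2A71
"""
KEYTAB_KINIT_TRACE = """\
[27248] 1456447236.144685: Getting initial credentials for ttester@EXAMPLE.MY
[27248] 1456447236.147107: Looked up etypes in keytab: aes256-cts
[27248] 1456447246.164943: Received error from KDC: -1765328359/Additional pre-authentication required
[27248] 1456447246.164997: Selected etype info: etype aes256-cts, salt "s`GD^,#=cA:Vr9hD", params ""
"""

LINE_RE = re.compile(r"^\[(\d+)\]\s+([\d.]+):\s+(.*)$")
ETYPE_INFO_RE = re.compile(r'Selected etype info: etype (\S+), salt "([^"]*)"')
KEYTAB_ETYPES_RE = re.compile(r"Looked up etypes in keytab: (.*)$")
KDC_ERROR_RE = re.compile(r"Received error from KDC: (-?\d+)/(.*)$")


def default_salt(principal):
    """RFC 4120 section 4 default salt: the realm followed by the name
    components in order, with no separators (ttester@EXAMPLE.MY ->
    EXAMPLE.MYttester). A password-to-key derivation falls back to this
    whenever the KDC does not supply a salt."""
    name, at, realm = principal.rpartition("@")
    if not at or not realm:
        raise ValueError("principal needs a realm: %r" % principal)
    return realm + "".join(name.split("/"))


def parse_trace(text):
    """Collect the KRB5_TRACE fields that matter for a keytab failure."""
    info = {"principal": None, "keytab_etypes": [], "kdc_etype": None,
            "kdc_salt": None, "kdc_errors": [], "as_rep_decrypted": False}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # password prompt, wrapped lines
        msg = m.group(3)
        if msg.startswith("Getting initial credentials for "):
            info["principal"] = msg.split(" for ", 1)[1].strip()
            continue
        m2 = KEYTAB_ETYPES_RE.search(msg)
        if m2:
            info["keytab_etypes"] = [e.strip() for e in m2.group(1).split(",")]
            continue
        m2 = ETYPE_INFO_RE.search(msg)
        if m2:
            info["kdc_etype"], info["kdc_salt"] = m2.group(1), m2.group(2)
            continue
        m2 = KDC_ERROR_RE.search(msg)
        if m2:
            info["kdc_errors"].append((int(m2.group(1)), m2.group(2).strip()))
            continue
        if msg.startswith("Decrypted AS reply"):
            info["as_rep_decrypted"] = True
    return info


def diagnose(text):
    """Decide whether a keytab entry that ktutil derived from the password
    with the default salt can hold the key the KDC expects."""
    info = parse_trace(text)
    info["uses_keytab"] = bool(info["keytab_etypes"])
    if info["principal"] is None or info["kdc_salt"] is None:
        info["verdict"] = "trace lacks the principal or the KDC's etype info"
        return info
    info["default_salt"] = default_salt(info["principal"])
    info["salt_is_default"] = info["kdc_salt"] == info["default_salt"]
    if info["salt_is_default"]:
        info["verdict"] = "KDC uses the default salt; a password-derived keytab entry can match"
    else:
        info["verdict"] = ("KDC salt %r is not the default %r: a key derived from the password "
                           "with the default salt cannot match. Use ipa-getkeytab, or give "
                           "ktutil the salt (-s) or let it fetch it (-f) where supported."
                           % (info["kdc_salt"], info["default_salt"]))
    return info


if __name__ == "__main__":
    for label, trace in (("kinit (password)", PASSWORD_KINIT_TRACE),
                         ("kinit -kt keytab", KEYTAB_KINIT_TRACE)):
        r = diagnose(trace)
        print("%s: etype=%s salt=%r -> %s" % (label, r["kdc_etype"], r["kdc_salt"], r["verdict"]))
```

ipa-getkeytab, which the thread settles on, generates a fresh key for the principal unless asked to retrieve the existing one, so for a user principal the password that was in use stops working.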