Windows 2008R2 USER/root preauthentication failure
David Thompson
dthompson at waisman.wisc.edu
Thu Sep 26 16:55:15 EDT 2013
I have a working Kerberos environment, with Windows 2008R2 acting as
KDC, serving a mix of OS X and Linux (think RHEL 6) clients.
I am trying to add ksu ability, with principals of the form USER/root,
and cannot authenticate those principals.
I have successfully created a test /root principal and attached it to an
existing AD account on the AD server:
PS Z:\> ktpass -princ dt/root@KECK.WAISMAN.WISC.EDU /ptype KRB5_NT_PRINCIPAL /pass * /mapuser dt /crypto all
Targeting domain controller: Santaka.keck.waisman.wisc.edu
Using legacy password setting method
Successfully mapped dt/root to dt.
Type the password for dt/root:
Type the password again to confirm:
Key created.
Key created.
Key created.
Key created.
Key created.
But, back on the Linux client, I can't kinit with that principal:
%kinit dt/root
Password for dt/root@KECK.WAISMAN.WISC.EDU:
kinit: Preauthentication failed while getting initial credentials
If I turn off "preauth required" on the server, the error switches to
"wrong password." However, I am using the same password on the client
and server. All 1-part user principals authenticate fine. I've tried
many enctypes (including RC4-HMAC); all have failed.
Does anyone have any suggestions (short of switching to an MIT KDC :) )
on how to proceed? Thanks much,
--
David Thompson
Waisman Center Brain Imaging and Behavior Lab
1500 Highland Ave. Room T133
Madison, WI 53705-2280
(608) 265-6608
dthompson (at) waisman (dot) wisc (dot) edu