kinit request on keytab fails using 2K3sp1 KDC

David Telfer david at
Wed Mar 22 12:08:47 EST 2006


I am testing a keytab obtained from a Windows 2003 Server (sp1) prior to 
configuring mod_auth_kerb.  I have used the following command to 
generate a keytab on the KDC;
ktpass -mapuser intsvcuser at -princ 
HTTP/ at SMG.PLC.UK +DesOnly -pass userspassword -ptype 
KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -out "c:\krb5.keytab"

The *nix server is running Solaris 9 with MIT krb5-1.4.3.  I have 
transfered the keytab to /etc/krb5.keytab.  When I run ;
#/usr/local/bin/kinit -k -t /etc/krb5.keytab 

I get the following error;
kinit(v5): Preauthentication failed while getting initial credentials

I am able to obtain a ticket directly from the kdc using #./kinit 
DavidTelfer at SMG.PLC.UK which would indicate that the problem wasn't a 
clock slew error (I haven't seen an error of this nature appear with 
this version of krb so I'm not sure whether it would explicitly state this).

 From reading a few mailing list posts I have discovered some people 
having issues with ktpass on service pack 1.  One such post;
details a similar problem  I have followed the advice given, ensuring 
that the kvno's match and changing the system users password prior to 
generating the keytab but to no avail.

My /etc/krb5.conf file is as follows (I've removed every non-essential 
entry to ensure that it isn't the issue);

        default_realm = SMG.PLC.UK
[domain_realm] = SMG.PLC.UK
        SMG.PLC.UK = {
                kdc =
                admin_server =
                default_domain =

Has anyone experienced a similar problem to this?  I have to assume 
there is a problem with the keytab but I'm at a loss as to what the 
problem could be.

David Telfer
david at

More information about the Kerberos mailing list