kadmin problem

scotty adams scotty.adams at yahoo.com
Sat Feb 17 01:20:19 EST 2007


Hi Marcus,

It seems that I can't even kinit over scotty

bash-2.05# kinit scotty
Password for scotty@SCOTTIE.COMPANY.COM: 
kinit: Preauthentication failed while getting initial credentials

same error as that of kadmin

How can i turn off REQUIRES_PRE_AUTH on the principal?

Thanks,
Scotty


Marcus Watts <mdw at umich.edu> wrote: scotty adams writes:
> Hi,
> 
> This is what i am getting after all
> 
> bash-2.05# kadmin scotty
> Enter Password:
> Enter Password:
> kadmin: Preauthentication failed while initializing kadmin interface
> 
> kdc.log shows:
> 
> Feb 12 12:54:10 scotty krb5kdc[14905](info): AS_REQ 192.168.1.12(88): PREAUTH_FAILED: scotty/admin@SCOTTIE.COMPANY.COM for kadmin/scotty.scottie.navlink.com@SCOTTIE.COMPANY.COM, Preauthentication failed
> 
> Any help on this ... appreciated
> 
> Thanks,
> scotty
> 
> scotty adams wrote: I tried the following:
> 
> bash-2.05# kadmin -p kadmin/scottie.company.com
> Enter Password:
> kadmin: Incorrect password while initializing kadmin interface
> 
> even the password that I used is surely correct!!!
> 
> Please point me to the cause of these two errors.
> 
> Regards,
> Scotty

"Preauthentication failed" probably doesn't mean your password
is incorrect.  At least, in my test environment, I get
"Incorrect password" if I botch the password with preauth turned on.
The first thing I would look at with that is to see if
time is sync'd up.  The 2nd thing I'd try is to see if it works
if REQUIRES_PRE_AUTH is turned off on the principal.

When you're getting messages like these--"preauth failed" or "bad pw",
that's not a kadm5 problem, that's a krb5 problem.  You can separate
out and simplify your problem by trying kinit and kvno first.
When you get those to work, then you can fool around with kadmin.

For these experiments, you may need to set password or examine
what's in the kdb.  On your kdc, as root, run
 kadmin.local
then you can do things like
 getprinc
 listprincs
 cpw
 xst
etc.  Use all but the last liberally.  Use the last only when you
intend to replace a keytab that you are convinced is broken.

Below, see scotty.scottie.company.com .  Use what you really
have - is that really your admin_server host?
If that is, you should probably have something like:
 [libdefaults]
  default_realm = SCOTTIE.COMPANY.COM
 [realms]
  SCOTTIE.COMPANY.COM = {
   kdc = scotty.scottie.company.com:88
   master_kdc = scotty.scottie.company.com:88
   admin_server = scotty.scottie.company.com:749
  }
 [domain_realm]
  .navlink.com = SCOTTIE.COMPANY.COM
in your krb5.conf file, plus at least a local dns environment
where a lookup of scotty.scottie.company.com goes to the right thing,
and a reverse arpa lookup of the ipaddress also points back
at the same name.

So, the commands you should get working are
(client machine):
 ping -s scotty.scottie.company.com
 ^C
 kinit scotty@SCOTTIE.COMPANY.COM
 kinit scotty/admin@SCOTTIE.COMPANY.COM
 kvno kadmin/scotty.scottie.company.com@SCOTTIE.COMPANY.COM
?? kvno kadmin/scottie.beirut.company.com@SCOTTIE.COMPANY.COM
 klist -fean
(on the kdc):
 cd (wherever you keep kadm5.keytab, which might be named in kdc.conf):
 klist -ket kadm5.keytab
 kinit -kt kadm5.keytab kadmin/scotty.scottie.navlink.com@SCOTTIE.COMPANY.COM
 klist -fean
 kadmin.local
 getprinc kadmin/scotty.scottie.navlink.com@SCOTTIE.COMPANY.COM
?? getprinc kadmin/scottie.beirut.navlink.com@SCOTTIE.COMPANY.COM
 getprinc scotty@SCOTTIE.COMPANY.COM
 getprinc scotty/admin@SCOTTIE.COMPANY.COM

The ping proves DNS & network routing work; check the IP address.
The 1st 2 kinits prove you can authenticate.
The kvno proves you can get a service ticket.
The kdc kinit proves that you have a working keytab on that
machine.  Note the various etypes & kvno's in the output: make sure they're
consistent.

If you can't get the kinit commands to work, you can look
at the actual network traffic to see what is really going on.
Check out
http://lists.openafs.org/pipermail/openafs-info/2006-March/021789.html
You may also be able to use ethereal, see http://www.ethereal.com/
a solaris 9 package might be here:
http://www.sunfreeware.com/programlistintel9.html

     -Marcus Watts
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
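Added example, not code from the thread or from MIT krb5: a Python parser for the kdc.log format quoted above that tallies AS_REQ outcomes per client principal and source address, so a principal that keeps hitting PREAUTH_FAILED without ever reaching ISSUE stands out as the clock-skew-or-wrong-key case Marcus describes. The sample log lines are constructed, and the "authtime ..., etypes {...}," prefix on ISSUE lines is an assumption about the KDC's success format.

```python
import re
from collections import defaultdict

# Matches the kdc.log format quoted in the thread (older MIT krb5kdc style):
#   Feb 12 12:54:10 host krb5kdc[pid](info): AS_REQ ip(port): STATUS: client for service, message
# ISSUE lines are assumed to carry an "authtime N, etypes {...}, " prefix before the client.
KDC_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) (?P<ip>[\d.]+)\(\d+\): "
    r"(?P<status>[A-Z_]+): (?:authtime \d+, (?:etypes \{[^}]*\}, )?)?"
    r"(?P<client>\S+@[^\s,]+) for (?P<service>\S+@[^\s,]+)(?:, (?P<msg>.*))?$"
)

def parse_kdc_line(line):
    """Return the fields of one kdc.log line as a dict, or None if it does not match."""
    m = KDC_LINE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines):
    """Tally AS_REQ outcomes per (client principal, source IP).
    NEEDED_PREAUTH is the normal first round trip when REQUIRES_PRE_AUTH is set;
    PREAUTH_FAILED means the KDC could not verify the encrypted timestamp
    (wrong key, or clock skew beyond the allowed window); ISSUE is success."""
    stats = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_kdc_line(line)
        if rec and rec["req"] == "AS_REQ":
            stats[(rec["client"], rec["ip"])][rec["status"]] += 1
    return stats

def never_succeeded(stats):
    """(client, ip) pairs that failed preauth and never got a ticket: the case
    where the thread says to check time sync and then test with kinit directly."""
    return sorted(key for key, c in stats.items()
                  if c.get("PREAUTH_FAILED", 0) > 0 and c.get("ISSUE", 0) == 0)

# Constructed sample; only the first line mirrors the entry quoted in the thread.
SAMPLE_LOG = """\
Feb 12 12:54:10 scotty krb5kdc[14905](info): AS_REQ 192.168.1.12(88): PREAUTH_FAILED: scotty/admin@SCOTTIE.COMPANY.COM for kadmin/scotty.scottie.navlink.com@SCOTTIE.COMPANY.COM, Preauthentication failed
Feb 12 12:55:02 scotty krb5kdc[14905](info): AS_REQ 192.168.1.12(88): NEEDED_PREAUTH: scotty@SCOTTIE.COMPANY.COM for krbtgt/SCOTTIE.COMPANY.COM@SCOTTIE.COMPANY.COM, Additional pre-authentication required
Feb 12 12:55:02 scotty krb5kdc[14905](info): AS_REQ 192.168.1.12(88): PREAUTH_FAILED: scotty@SCOTTIE.COMPANY.COM for krbtgt/SCOTTIE.COMPANY.COM@SCOTTIE.COMPANY.COM, Preauthentication failed
Feb 12 13:01:40 scotty krb5kdc[14905](info): AS_REQ 192.168.1.20(88): ISSUE: authtime 1171299700, etypes {rep=16 tkt=16 ses=16}, alice@SCOTTIE.COMPANY.COM for krbtgt/SCOTTIE.COMPANY.COM@SCOTTIE.COMPANY.COM
"""

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for key, counts in stats.items():
        print(key, dict(counts))
    print("never succeeded:", never_succeeded(stats))
```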
