krenew: error renewing credentials: KDC returned error string: NO PREAUTH

marcus.nilsson@pulsen.se marcus.nilsson at pulsen.se
Sat Aug 1 03:45:37 EDT 2009


Hi list,
I'm running MIT Kerberos KDC version 1.7dfsg~beta3-1 on Debian squeeze/sid.

I'm not able to renew TGTs:

mani@irit:~$ klist
Ticket cache: FILE:/tmp/krb5cc_502_jLNe7k
Default principal: mani@MERA.NU

Valid starting     Expires            Service principal
08/01/09 09:25:00  08/01/09 19:25:00  krbtgt/MERA.NU@MERA.NU
 renew until 08/08/09 09:25:00
08/01/09 09:25:01  08/01/09 19:25:00  afs@MERA.NU
 renew until 08/08/09 09:25:00
mani@irit:~$ krenew
krenew: error renewing credentials: KDC returned error string: NO PREAUTH

auth.log:
Aug  1 09:38:07 irit krb5kdc[20495]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 195.198.192.25: NO PREAUTH: authtime 0,  mani@MERA.NU for krbtgt/MERA.NU@MERA.NU, Generic error (see e-text)
Aug  1 09:38:07 irit krb5kdc[20495]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 195.198.192.25: NO PREAUTH: authtime 0,  mani@MERA.NU for krbtgt/MERA.NU@MERA.NU, Generic error (see e-text)


kadmin:  getprinc mani
Principal: mani@MERA.NU
Expiration date: [never]
Last password change: Wed Feb 18 22:20:03 CET 2009
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Wed Feb 18 22:20:03 CET 2009 (kadmind@MERA.NU)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 8
Key: vno 5, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 5, ArcFour with HMAC/md5, no salt
Key: vno 5, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 5, DES cbc mode with CRC-32, no salt
Key: vno 5, DES cbc mode with RSA-MD5, Version 4
Key: vno 5, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 5, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 5, DES cbc mode with RSA-MD5, AFS version 3
MKey: vno 1
Attributes:
Policy: [none]


/etc/krb5kdc/kdc.conf:

[kdcdefaults]
    kdc_ports = 750,88

[realms]
    MERA.NU = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth,+forwardable,+renewable
    }


/etc/krb5.conf:

[libdefaults]
 default_realm = MERA.NU
 dns_lookup_realm = false
 dns_lookup_kdc = false
 renew_lifetime = 36000
 forwardable = true

[realms]
 MERA.NU = {
  kdc = 195.198.192.25
  admin_server = 195.198.192.25
  default_domain = mera.nu
 }

[domain_realm]
 .mera.nu = MERA.NU

[appdefaults]
  pam = {
     ticket_lifetime = 24h
     renew_lifetime = 8760h
     forwardable = true
     krb4_convert = true
   }


Any help appreciated!

Thanks / Marcus
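
For triaging failures like the ones in auth.log above, an added example (not part of the original post and not MIT Kerberos code): a small Python parser for the krb5kdc request lines quoted in the message, which tallies failed TGS_REQs for krbtgt services per client, address and status. The field layout is an assumption taken from those two lines only, and the function names are hypothetical.

```python
import re
from collections import Counter

# The two auth.log lines from the post, with the mail wrapping joined and
# the archive's " at " restored to "@".
SAMPLE = """\
Aug  1 09:38:07 irit krb5kdc[20495]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 195.198.192.25: NO PREAUTH: authtime 0,  mani@MERA.NU for krbtgt/MERA.NU@MERA.NU, Generic error (see e-text)
Aug  1 09:38:07 irit krb5kdc[20495]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 195.198.192.25: NO PREAUTH: authtime 0,  mani@MERA.NU for krbtgt/MERA.NU@MERA.NU, Generic error (see e-text)
"""

# Assumed layout (inferred from the lines above, not from KDC documentation):
# <req> (<n> etypes {<list>}) <addr>: <status>: authtime <t>, <client> for <server>[, <error>]
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]: (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<etypes>[\d ]*)\}\) "
    r"(?P<addr>\S+): (?P<status>[^:]+): authtime (?P<authtime>\d+),\s+"
    r"(?P<client>\S+) for (?P<server>[^,\s]+)(?:, (?P<error>.*))?$"
)

def parse_line(line):
    """Return the fields of one KDC request line as a dict, or None if it does not match."""
    m = LINE_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]
    rec["authtime"] = int(rec["authtime"])
    return rec

def failed_tgt_requests(text):
    """Count failed TGS_REQs whose target service is a krbtgt principal."""
    hits = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["req"] == "TGS_REQ" and rec["error"] and rec["server"].startswith("krbtgt/"):
            hits[(rec["client"], rec["addr"], rec["status"])] += 1
    return hits

if __name__ == "__main__":
    for (client, addr, status), n in failed_tgt_requests(SAMPLE).items():
        print(f"{n} x {status}: {client} from {addr}")
```

Lines in any other layout are skipped rather than guessed at, so the tally only covers requests that match the format shown in the post.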



