Windows 2008R2 USER/root preauthentication failure

Benjamin Kaduk kaduk at MIT.EDU
Thu Sep 26 22:45:12 EDT 2013


On Thu, 26 Sep 2013, David Thompson wrote:

>
> I have a working Kerberos environment, with Windows 2008R2 acting as
> KDC, serving a mix of OS X and Linux (think RHEL 6) clients.
>
> I am trying to add ksu ability, with principals of the form USER/root,
> and cannot authenticate those principals.
>
> I have successfully created a test /root principal and attached it to an
> existing AD account on the AD server:
>
> PS Z:\> ktpass -princ dt/root@KECK.WAISMAN.WISC.EDU /ptype KRB5_NT_PRINCIPAL /pass * /mapuser dt /crypto all
> Targeting domain controller: Santaka.keck.waisman.wisc.edu
> Using legacy password setting method
> Successfully mapped dt/root to dt.
> Type the password for dt/root:
> Type the password again to confirm:
> Key created.
> Key created.
> Key created.
> Key created.
> Key created.
>
> But, back on the linux client, I can't kinit with that principal:
>
> % kinit dt/root
> Password for dt/root@KECK.WAISMAN.WISC.EDU:
> kinit: Preauthentication failed while getting initial credentials
>
> If I turn off "preauth required" on the server, the error switches to
> "wrong password."  However, I am using the same password on the client
> and server.  All 1-part user principals authenticate fine.  I've tried
> many enctypes (including RC4-HMAC); all have failed.
>
> Does anyone have any suggestions (short of switching to an MIT KDC :) )
> on how to proceed?  Thanks much,

The remarks at
http://technet.microsoft.com/en-us/library/cc782155(v=ws.10).aspx
("Ktpass Remarks") make me wonder if ktpass is supposed to work the way
you are trying to use it.  For instance, what happens when you type the
'dt' user's password at the 'kinit dt/root' password prompt?

The Unix utility that is a rough analog of ktpass (ktutil) does not do
any verification of the password; it just applies the string-to-key
operations.  I would not be terribly surprised if ktpass.exe was doing
the same sort of thing.

-Ben Kaduk
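The reply above turns on the fact that a keytab tool "just applies the string-to-key operations". What that operation hides is a salt: for the AES enctypes (RFC 3962) the password is run through PBKDF2-HMAC-SHA1 with a salt that, by default (RFC 4120), is the realm followed by every component of the principal name. So the same password typed for `dt` and for `dt/root` does not yield the same key. The following is an added example written for this page, not code from either poster or from MIT Kerberos; it computes the PBKDF2 stage of the AES-256 string-to-key for the two principal names in the thread with a constructed password, and checks the derivation against the first RFC 3962 test vector. The final AES-based "DK" step of RFC 3962 is left out because it needs an AES implementation, and it does not change the conclusion: different PBKDF2 output means different final keys. Whether a particular KDC, Active Directory included, actually uses this default salt for a mapped principal is not something the example can determine; it is stated here as the RFC default.

```python
import hashlib

# Parameters for aes256-cts-hmac-sha1-96 string-to-key (RFC 3962).
# The full operation is PBKDF2-HMAC-SHA1 over the password and salt followed by
# an AES-based "DK" (derive-key) step. Only the PBKDF2 stage is computed here
# because the DK step needs an AES implementation; the PBKDF2 stage is where the
# salt, and therefore the principal name, enters the derivation.
AES256_KEY_BYTES = 32
DEFAULT_ITERATIONS = 4096  # RFC 3962 default when the KDC sends no s2kparams


def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (realm, [comp1, comp2])."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("principal must look like name[/instance]@REALM")
    return realm, name.split("/")


def default_salt(realm, components):
    """RFC 4120 default salt: the realm followed by every name component,
    concatenated with no separators ('dt/root@R' salts as 'Rdtroot')."""
    return realm + "".join(components)


def pbkdf2_stage(password, salt, iterations=DEFAULT_ITERATIONS):
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 string-to-key for AES-256."""
    return hashlib.pbkdf2_hmac(
        "sha1",
        password.encode("utf-8"),
        salt.encode("utf-8"),
        iterations,
        AES256_KEY_BYTES,
    )


def stage_key_for(principal, password, iterations=DEFAULT_ITERATIONS):
    """Run the PBKDF2 stage for a principal using its RFC default salt."""
    realm, components = parse_principal(principal)
    return pbkdf2_stage(password, default_salt(realm, components), iterations)


def keys_match(principal_a, principal_b, password):
    """True when both principals derive the same key from the same password,
    which with default salting happens only when the salts are equal."""
    return stage_key_for(principal_a, password) == stage_key_for(principal_b, password)


if __name__ == "__main__":
    # Constructed sample: the realm and principals from the thread with a
    # made-up password (this is nobody's real credential).
    pw = "constructed-example-password"
    for p in ("dt@KECK.WAISMAN.WISC.EDU", "dt/root@KECK.WAISMAN.WISC.EDU"):
        realm, comps = parse_principal(p)
        print(p)
        print("  salt  :", default_salt(realm, comps))
        print("  pbkdf2:", stage_key_for(p, pw).hex()[:16] + "...")
    print("same key for dt and dt/root?",
          keys_match("dt@KECK.WAISMAN.WISC.EDU",
                     "dt/root@KECK.WAISMAN.WISC.EDU", pw))
```

The practical check this suggests, on the client side, is the one Ben proposes: if `kinit dt/root` with the `dt` account's password behaves differently from `kinit dt/root` with the password typed into ktpass, the key material for the two names is being derived from different inputs, and the salt the KDC used for the mapped name is the first thing to compare.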

