Windows 2008R2 USER/root preauthentication failure
David Thompson
dthompson at waisman.wisc.edu
Fri Sep 27 09:51:03 EDT 2013
On 9/26/13 9:45 PM, Benjamin Kaduk wrote:
>> I have a working kerberos environment, with Windows 2008R2 acting as
>> KDC, serving a mix of OS X and Linux (think RHEL 6) clients.
>>
>> I am trying to add ksu ability, with principals of the form USER/root,
>> and cannot authenticate those principals.
>>
>
> The remarks at
> http://technet.microsoft.com/en-us/library/cc782155(v=ws.10).aspx
> "Ktpass Remarks" make me wonder if ktpass is supposed to work the way
> you are trying to use it. For instance, what happens when you type the
> 'dt' user's password at the 'kinit dt/root' password prompt?
Same thing. Preauth failure if I have preauth enabled; otherwise
password incorrect.
Thanks for the link. There is an abundance of documentation on the web
for creating multipart service principals, and I've used that
successfully. In general, you use ktpass to attach as additional krb5
multipart principal to an existing AD object (usually a host, but I
don't believe there would be any impediment to attaching a service
principal to any AD object), and optionally write out a keytab. I have
not been able to find any help creating multi-part *user* principals
(KRB5_NT_PRINCIPAL), so I thought I'd try here and see if there were any
Windows krb5 admins that know the secret sauce.
> The unix utility which is a rough analog of ktpass (ktutil) does not do
> any verification of the password, it just applies the string-to-key
> operations; I would not be terribly surprised if ktpass.exe was doing
> the same sort of thing.
What else (besides the matching key) would be needed for kinit to obtain
a tgt for the principal in question?
In the network trace (without preauth), I'm getting an AS-REQ followed
by the AS-REP from the server, with the right principal names
everywhere. The AS_REP has as salt the realm (KECK.WAISMAN.WISC.EDU)
and it looks like it might be appending "dtroot" onto the end. I saw
some discussion on this list about the salt being important, but it's
there in plain text in the AS-REP, so it seems like kinit should be able
to deal with whatever salt the KDC wants to give it (right?). Of
course, I'd like to run with preauth, but apparently the MIT kinit and
the win KDC aren't playing nicely (or the AS-REP is just borken).
In the preauth case, kinit still sends the AS-REQ before getting the
password, which the KDC rejects with 'preauth required.' After the
password is entered, the reply to the subsequent AS-REQ is KRB-ERROR
(KRB5KDC_ERR_PREAUTH_FAILED). Either the KDC is looking for some kind
of preauth that kinit isn't providing, or this is actually a
manifestation of the failure in the no-preauth case.
Anyway, looks like I'm stymied on this one. Thanks for the reply.
Anyone else have any ideas?
--
David Thompson
Waisman Center Brain Imaging and Behavior Lab
1500 Highland Ave. Room T133
Madison, WI 53705-2280
(608) 265-6608
dthompson (at) waisman (dot) wisc (dot) edu
More information about the Kerberos
mailing list