.kinit: Preauthentication failed while getting initial credentials

Todd Grayson tgrayson at cloudera.com
Wed Oct 26 16:20:57 EDT 2016 

No, in that case, forget the kvno, it is not going to come out correctly
that way.

Its for when you export the keytab from the KDC, in AD contexts like you
are describing it becomes a invalid data point.

On AD, verify the entry in the ad users and computers gui, set the user
entry to allow AES-256 and change the password for the user so you have a
valid representation of the password on the AD side for your keytab's
AES256.  if you right click on the users and go into properties its a
selection list of checkboxes in one of the tabs in the gui for the user
entry edit.

That or dont pick aes256 for what you are setting up on the keytab,
depending on the AD version you might have issues (e.g. if ad 2003 was in
use)



On Wed, Oct 26, 2016 at 12:52 PM, Thomas Beaudry <
thomas.beaudry at concordia.ca> wrote:

> Hi Todd,
>
>
> ​Thanks for answering.   It's a windows AD.  I'm using ktutil to create
> the keytab:  ​
>
>
> addent -password -p perform-admin -k 1 -e aes256-cts-hmac-sha1-96​
>
>
> I'll look into the kvno.
>
>
> Thomas
>
>
> ------------------------------
> *From:* Todd Grayson <tgrayson at cloudera.com>
> *Sent:* Wednesday, October 26, 2016 2:48 PM
> *To:* Thomas Beaudry
> *Cc:* kerberos at mit.edu
> *Subject:* Re: .kinit: Preauthentication failed while getting initial
> credentials
>
> Is the KDC MIT? AD?  Assuming MIT KDC:
>
> use the kvno command to evaluate what the KDC thinks is current, vs klist
> -kte .perform-admin.keytab
>
> Verify the kvno (key version number) matches up from the keytab to what
> the kdc states is the current version.  Kinit as a working user first from
> the cli, then attempt the kvno against the principal associated with the
> keytab that is failing.
>
> what is the command line you are using to export keytabs, the default
> behavior is to randomize the key each export unless you specifically tell
> it not to with -norandkey
>
> http://krbdev.mit.edu/rt/Ticket/History.html?id=914
>
> use -norandkey when exporting a keytab to prevent the key from being
> changed...
>
> On Wed, Oct 26, 2016 at 12:20 PM, Thomas Beaudry <
> thomas.beaudry at concordia.ca> wrote:
>
>> Hi Everyone,
>>
>>
>> I am running into a strange problem.  I can not get a kerberos ticket
>> when using a keytab, but for 1 specific user only:
>>
>>
>> This is the command i use:
>>
>>
>> > kinit perform-admin -kt .perform-admin.keytab
>>
>> kinit: Preauthentication failed while getting initial credentials
>>
>>
>> Now if I do:
>>
>> ?kinit
>>
>> then i get prompted for a password, and then a ticket is created.
>>
>>
>> Like i said i can use a keytab for every other user and it does work, it
>> is only for this 1 specific user that it fails.  I have also tried creating
>> new keytabs for this user but it still fails.  I don't know if I have this
>> problem because it's the same user that I used to join the REALM in the
>> first place..
>>
>> Any thoughts?
>>
>> Thanks!
>> Thomas Beaudry
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>
>
>
> --
> Todd Grayson
> Business Operations Manager
> Customer Operations Engineering
> Security SME
>
>


-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME

More information about the Kerberos mailing list