.kinit: Preauthentication failed while getting initial credentials

Thomas Beaudry thomas.beaudry at concordia.ca
Thu Oct 27 11:23:35 EDT 2016


Hi Todd,


Thanks I tried enabling the AES256? checkbox but that didn't fix the problem. Also, I checked other users and they don't have that checkbox clicked - so it isn't the issue.


Any more thoughts as to what could be causing this 1 user to not be able to use a keytab?


Thanks,

Thomas

________________________________
From: Todd Grayson <tgrayson at cloudera.com>
Sent: Wednesday, October 26, 2016 4:20 PM
To: Thomas Beaudry
Cc: kerberos at mit.edu
Subject: Re: .kinit: Preauthentication failed while getting initial credentials

No, in that case, forget the kvno, it is not going to come out correctly that way.

Its for when you export the keytab from the KDC, in AD contexts like you are describing it becomes a invalid data point.

On AD, verify the entry in the ad users and computers gui, set the user entry to allow AES-256 and change the password for the user so you have a valid representation of the password on the AD side for your keytab's AES256.  if you right click on the users and go into properties its a selection list of checkboxes in one of the tabs in the gui for the user entry edit.

That or dont pick aes256 for what you are setting up on the keytab, depending on the AD version you might have issues (e.g. if ad 2003 was in use)



On Wed, Oct 26, 2016 at 12:52 PM, Thomas Beaudry <thomas.beaudry at concordia.ca<mailto:thomas.beaudry at concordia.ca>> wrote:

Hi Todd,


?Thanks for answering.   It's a windows AD.  I'm using ktutil to create the keytab:  ?


addent -password -p perform-admin -k 1 -e aes256-cts-hmac-sha1-96?


I'll look into the kvno.


Thomas


________________________________
From: Todd Grayson <tgrayson at cloudera.com<mailto:tgrayson at cloudera.com>>
Sent: Wednesday, October 26, 2016 2:48 PM
To: Thomas Beaudry
Cc: kerberos at mit.edu<mailto:kerberos at mit.edu>
Subject: Re: .kinit: Preauthentication failed while getting initial credentials

Is the KDC MIT? AD?  Assuming MIT KDC:

use the kvno command to evaluate what the KDC thinks is current, vs klist -kte .perform-admin.keytab

Verify the kvno (key version number) matches up from the keytab to what the kdc states is the current version.  Kinit as a working user first from the cli, then attempt the kvno against the principal associated with the keytab that is failing.

what is the command line you are using to export keytabs, the default behavior is to randomize the key each export unless you specifically tell it not to with -norandkey

http://krbdev.mit.edu/rt/Ticket/History.html?id=914

use -norandkey when exporting a keytab to prevent the key from being changed...

On Wed, Oct 26, 2016 at 12:20 PM, Thomas Beaudry <thomas.beaudry at concordia.ca<mailto:thomas.beaudry at concordia.ca>> wrote:
Hi Everyone,


I am running into a strange problem.  I can not get a kerberos ticket when using a keytab, but for 1 specific user only:


This is the command i use:


> kinit perform-admin -kt .perform-admin.keytab

kinit: Preauthentication failed while getting initial credentials


Now if I do:

?kinit

then i get prompted for a password, and then a ticket is created.


Like i said i can use a keytab for every other user and it does work, it is only for this 1 specific user that it fails.  I have also tried creating new keytabs for this user but it still fails.  I don't know if I have this problem because it's the same user that I used to join the REALM in the first place..

Any thoughts?

Thanks!
Thomas Beaudry
________________________________________________
Kerberos mailing list           Kerberos at mit.edu<mailto:Kerberos at mit.edu>
https://mailman.mit.edu/mailman/listinfo/kerberos



--
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
[http://files.cloudera.com.s3.amazonaws.com/New%20Branding/cloudera-small.png]



--
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
[http://files.cloudera.com.s3.amazonaws.com/New%20Branding/cloudera-small.png]


More information about the Kerberos mailing list