.kinit: Preauthentication failed while getting initial credentials

Todd Grayson tgrayson at cloudera.com
Thu Oct 27 11:59:23 EDT 2016


Generally that indicates the password is wrong or the key type is failing,
from my experience; perhaps other folks can comment.    To troubleshoot this
you would review and apply the content from these things.

So, to be clear, you have:
1) set the "Permit AES-256 key type" checkbox on that entry
2) CHANGED (not set to the same value) the password on AD
3) re-run your ktutil to set the new password and enctype in the keytab
you are creating

If that is true, then I would test by adding additional weaker encryption
types to the keytab as well (RC4-HMAC/arcfour-hmac-md5); avoid using DES.

If that is what has been done, then you'll need to start troubleshooting on
the client and AD side; these discuss how to troubleshoot what is failing
when you attempt Kerberos auth.


MIT Kerberos Documentation: Troubleshooting
https://web.mit.edu/kerberos/krb5-1.13/doc/admin/troubleshoot.html


How to enable Kerberos event logging
https://support.microsoft.com/en-us/kb/262177

On Thu, Oct 27, 2016 at 9:37 AM, Thomas Beaudry <thomas.beaudry at concordia.ca
> wrote:

> Hi Todd,
>
>
> Yes, I changed the password.  Still the same problem.
>
>
> thanks!
>
> Thomas
> ------------------------------
> *From:* Todd Grayson <tgrayson at cloudera.com>
> *Sent:* Thursday, October 27, 2016 11:25 AM
>
> *To:* Thomas Beaudry
> *Cc:* kerberos at mit.edu
> *Subject:* Re: .kinit: Preauthentication failed while getting initial
> credentials
>
> You have to change the password after setting the checkbox.... Was that
> done?
>
> On Thu, Oct 27, 2016 at 9:23 AM, Thomas Beaudry <
> thomas.beaudry at concordia.ca> wrote:
>
>> Hi Todd,
>>
>>
>> Thanks, I tried enabling the AES256 checkbox but that didn't fix the
>> problem. Also, I checked other users and they don't have that checkbox
>> clicked - so it isn't the issue.
>>
>>
>> Any more thoughts as to what could be causing this 1 user to not be able
>> to use a keytab?
>>
>>
>> Thanks,
>>
>> Thomas
>> ------------------------------
>> *From:* Todd Grayson <tgrayson at cloudera.com>
>> *Sent:* Wednesday, October 26, 2016 4:20 PM
>>
>> *To:* Thomas Beaudry
>> *Cc:* kerberos at mit.edu
>> *Subject:* Re: .kinit: Preauthentication failed while getting initial
>> credentials
>>
>> No, in that case, forget the kvno; it is not going to come out correctly
>> that way.
>>
>> It's for when you export the keytab from the KDC; in AD contexts like you
>> are describing it becomes an invalid data point.
>>
>> On AD, verify the entry in the AD Users and Computers GUI, set the user
>> entry to allow AES-256 and change the password for the user so you have a
>> valid representation of the password on the AD side for your keytab's
>> AES256.  If you right-click on the user and go into Properties, it's a
>> selection list of checkboxes in one of the tabs in the GUI for the user
>> entry edit.
>>
>> That, or don't pick aes256 for what you are setting up in the keytab;
>> depending on the AD version you might have issues (e.g. if AD 2003 was in
>> use).
>>
>>
>>
>> On Wed, Oct 26, 2016 at 12:52 PM, Thomas Beaudry <
>> thomas.beaudry at concordia.ca> wrote:
>>
>>> Hi Todd,
>>>
>>>
>>> Thanks for answering.   It's a Windows AD.  I'm using ktutil to create
>>> the keytab:
>>>
>>>
>>> addent -password -p perform-admin -k 1 -e aes256-cts-hmac-sha1-96
>>>
>>>
>>> I'll look into the kvno.
>>>
>>>
>>> Thomas
>>>
>>>
>>> ------------------------------
>>> *From:* Todd Grayson <tgrayson at cloudera.com>
>>> *Sent:* Wednesday, October 26, 2016 2:48 PM
>>> *To:* Thomas Beaudry
>>> *Cc:* kerberos at mit.edu
>>> *Subject:* Re: .kinit: Preauthentication failed while getting initial
>>> credentials
>>>
>>> Is the KDC MIT? AD?  Assuming MIT KDC:
>>>
>>> Use the kvno command to evaluate what the KDC thinks is current, vs
>>> klist -kte .perform-admin.keytab
>>>
>>> Verify the kvno (key version number) matches up from the keytab to what
>>> the KDC states is the current version.  Kinit as a working user first from
>>> the CLI, then attempt the kvno against the principal associated with the
>>> keytab that is failing.
>>>
>>> What is the command line you are using to export keytabs? The default
>>> behavior is to randomize the key on each export unless you specifically tell
>>> it not to with -norandkey.
>>>
>>> http://krbdev.mit.edu/rt/Ticket/History.html?id=914
>>>
>>> Use -norandkey when exporting a keytab to prevent the key from being
>>> changed...
>>>
>>> On Wed, Oct 26, 2016 at 12:20 PM, Thomas Beaudry <
>>> thomas.beaudry at concordia.ca> wrote:
>>>
>>>> Hi Everyone,
>>>>
>>>>
>>>> I am running into a strange problem.  I cannot get a Kerberos ticket
>>>> when using a keytab, but for 1 specific user only:
>>>>
>>>>
>>>> This is the command I use:
>>>>
>>>>
>>>> > kinit perform-admin -kt .perform-admin.keytab
>>>>
>>>> kinit: Preauthentication failed while getting initial credentials
>>>>
>>>>
>>>> Now if I do:
>>>>
>>>> kinit
>>>>
>>>> then I get prompted for a password, and then a ticket is created.
>>>>
>>>>
>>>> Like I said, I can use a keytab for every other user and it does work;
>>>> it is only for this 1 specific user that it fails.  I have also tried
>>>> creating new keytabs for this user but it still fails.  I don't know if I
>>>> have this problem because it's the same user that I used to join the REALM
>>>> in the first place.
>>>>
>>>> Any thoughts?
>>>>
>>>> Thanks!
>>>> Thomas Beaudry
>>>> ________________________________________________
>>>> Kerberos mailing list           Kerberos at mit.edu
>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>
>>>
>>>
>>>
>>> --
>>> Todd Grayson
>>> Business Operations Manager
>>> Customer Operations Engineering
>>> Security SME
>>>
>>>
>>
>>
>
>


-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME

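One offline check that corresponds to the `klist -kte` / `kvno` comparison and the "avoid DES" advice in this thread, added here as an example and not code from the thread or from MIT krb5: a small parser for the MIT keytab file format (version 0x0502) that lists each entry's principal, kvno and enctype, flags DES/RC4 entries, and, when given the kvno the KDC reports for a principal, flags mismatches. The keytab bytes are constructed inline (the `perform-admin@EXAMPLE.COM` principal and the `EXAMPLE.COM` realm are placeholders), the `kdc_kvno` mapping is a hypothetical stand-in for what the `kvno` command would print, and, as Todd notes above, that kvno comparison is only meaningful against an MIT KDC, not for a ktutil-built keytab used against AD.

```python
"""Inspect an MIT-format keytab without the krb5 tools (added example,
not from the mailing-list thread). Reproduces what `klist -kte` shows
(principal, kvno, enctype) so the keytab can be compared with what the
KDC holds, and flags DES/RC4 entries. Sample keytab bytes are constructed."""
import struct

# IANA Kerberos enctype numbers for the types mentioned in the thread
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}


def _counted(buf, pos):
    """Read a uint16-length-prefixed octet string at pos; return (bytes, newpos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def parse_keytab(data):
    """Parse keytab bytes (file format version 0x0502) into entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                # negative size marks a deleted (hole) entry
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + keylen]
        pos += keylen
        vno = vno8
        if end - pos >= 4:          # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, pos)
            vno = vno32 or vno8
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": vno, "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype),
            "timestamp": timestamp, "keylen": len(key),
        })
    return entries


def _entry(principal, kvno, enctype, key, timestamp=1477584000):
    """Serialise one keytab entry (constructed test data, v0x0502 layout)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # NT_PRINCIPAL, time, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                           # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


# Constructed sample: AES-256 and RC4 entries for the failing principal at
# kvno 3, plus a legacy DES host entry. Keys are dummy bytes.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + _entry("perform-admin@EXAMPLE.COM", 3, 18, b"\x11" * 32)
    + _entry("perform-admin@EXAMPLE.COM", 3, 23, b"\x22" * 16)
    + _entry("legacy/host.example.com@EXAMPLE.COM", 7, 3, b"\x33" * 8)
)


def audit_keytab(data, kdc_kvno=None):
    """Return (report_lines, problems): weak enctypes and, when the KDC's
    current kvno per principal is supplied (hypothetical `kvno` output),
    keytab entries whose kvno disagrees with it."""
    lines, problems = [], []
    for e in parse_keytab(data):
        lines.append("%4d %-40s %s" % (e["kvno"], e["principal"], e["enctype_name"]))
        if e["enctype"] in WEAK_ENCTYPES:
            problems.append("weak enctype %s for %s" % (e["enctype_name"], e["principal"]))
        if kdc_kvno and kdc_kvno.get(e["principal"], e["kvno"]) != e["kvno"]:
            problems.append("kvno %d in keytab but KDC reports %d for %s"
                            % (e["kvno"], kdc_kvno[e["principal"]], e["principal"]))
    return lines, problems


if __name__ == "__main__":
    report, issues = audit_keytab(SAMPLE_KEYTAB, {"perform-admin@EXAMPLE.COM": 4})
    print("\n".join(report))
    for p in issues:
        print("PROBLEM:", p)
```

On the constructed sample this prints the three entries in `klist -kte` style and four problems: the RC4 and DES entries as weak enctypes, and both `perform-admin` entries at kvno 3 while the hypothetical KDC reports 4. Against a real keytab, `open(path, "rb").read()` replaces `SAMPLE_KEYTAB`, and the `kdc_kvno` mapping is filled from the `kvno` command's output.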

More information about the Kerberos mailing list