kinit: Preauthentication failed while getting initial credentials

Todd Grayson tgrayson at cloudera.com
Thu Oct 27 17:09:44 EDT 2016


Interesting, Tom. We'll review that as well; I've added one of our team
members working with this in the field to the discussion as well.

Thomas, what version of Active Directory are you working with in
your attempts to get this functioning with AES?

On Thu, Oct 27, 2016 at 10:53 AM, Tom Yu <tlyu at mit.edu> wrote:

> Thomas Beaudry <thomas.beaudry at concordia.ca> writes:
>
> > So I got it to work by switching the encryption type.  In case anyone is
> > wondering, I used:  addent -password -p ${user} -k 1 -e rc4-hmac
>
> It's possible that the problem is related to password salting.  (The RC4
> enctype has no salt, but the AES ones do.)  We've observed that the salt
> for an Active Directory principal is related to the account name rather
> than the principal name, e.g., HOSTNAME$ for a computer account.  (An AD
> account can have multiple Kerberos principal names.)  Without the
> correct salt, the client can't produce the correct password-derived key.
>
> -Tom
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
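
Added example, not part of the original thread or of MIT krb5: a sketch of why the salt matters for AES keys, using the default salt rule from RFC 4120 and the PBKDF2 stage of the RFC 3962 string-to-key. The principal, password and account-based salt below are constructed placeholders, and the function names are hypothetical.

```python
import hashlib
import hmac

def default_salt(principal: str) -> bytes:
    """Default salt (RFC 4120): realm, then each name component, no separators.
    Simplification: backslash-escaped '/' or '@' in names is not handled."""
    name, at, realm = principal.rpartition("@")
    if not at or not name or not realm:
        raise ValueError("expected name@REALM")
    return (realm + "".join(name.split("/"))).encode("utf-8")

def aes_pbkdf2_stage(password: str, salt: bytes, keylen: int = 32,
                     iterations: int = 4096) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the AES string-to-key (RFC 3962).
    The final key is DK(this value, "kerberos"); that step takes no salt,
    so a salt mismatch here carries through to the final key."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, keylen)

def key_matches_kdc(password: str, principal: str, kdc_salt: bytes) -> bool:
    """True if the key derived with the principal's default salt equals the
    key derived with the salt the KDC actually uses for the account."""
    local = aes_pbkdf2_stage(password, default_salt(principal))
    kdc = aes_pbkdf2_stage(password, kdc_salt)
    return hmac.compare_digest(local, kdc)

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    principal = "HTTP/web01.example.com@EXAMPLE.COM"
    password = "correct horse battery staple"
    account_salt = b"EXAMPLE.COMsvc_web01"  # hypothetical account-based salt

    print("default salt :", default_salt(principal))
    print("account salt :", account_salt)
    # Same password, different salt: the AES keys differ, so an encrypted
    # timestamp built from the default-salt key fails preauthentication.
    print("keys match   :", key_matches_kdc(password, principal, account_salt))
    # When the salts agree, the same password yields the same key.
    print("keys match   :",
          key_matches_kdc(password, principal, default_salt(principal)))
```

RC4 takes no salt in its string-to-key, which is why the rc4-hmac entry is unaffected by this mismatch.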

