freeipa and kerberos failures
Todd Grayson
tgrayson at cloudera.com
Tue Jan 16 12:01:42 EST 2018
Didn't see the original thread... but guessing as to the issue;
IPA with ipaclient uses aes256-cts-sha-96 with random salt to encrypt session
keys and principals' keytabs.
Things that generate a keytab using ktutil, for example, will fail; it does
not take the random salt string as part of the 'addent' call, so this
creates issues.
If IPAclient is in use, then ipa-getkeytab must be used.
On Tue, Jan 16, 2018 at 9:20 AM, Greg Hudson <ghudson at mit.edu> wrote:
> On 01/10/2018 11:03 AM, lejeczek wrote:
> > krb5kdc[606061](info): preauth (encrypted_timestamp) verify
> > failure: Preauthentication failed
>
> One would normally see this error if the wrong key or password was used
> to authenticate. So there might be a mismatch between the keytab file
> on the initiating host and the KDC. As I am not familiar with FreeIPA
> (only Kerberos), I don't know how that might have come about.
--
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
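
Added illustration, not part of the thread or of either poster's code: the salt dependence behind the mismatch discussed above, shown with the PBKDF2-HMAC-SHA1 stage of the RFC 3962 string-to-key used by the AES enctypes. The principal, password and random salt are constructed sample values, and the final DK(tkey, "kerberos") step is omitted because it is a fixed function of this stage's output.

```python
import hashlib
import os

ITERATIONS = 4096  # RFC 3962 default iteration count


def default_salt(principal: str) -> bytes:
    """Default Kerberos salt: realm followed by the name components, no separators."""
    name, realm = principal.rsplit("@", 1)
    return (realm + "".join(name.split("/"))).encode()


def pbkdf2_stage(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of RFC 3962 string-to-key (32 bytes for AES-256)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, dklen=32)


def keys_match(principal: str, password: str, kdc_salt: bytes) -> bool:
    """True if a key built with the default salt equals the one the KDC would hold."""
    client_key = pbkdf2_stage(password, default_salt(principal))
    kdc_key = pbkdf2_stage(password, kdc_salt)
    return client_key == kdc_key


if __name__ == "__main__":
    # Constructed sample values (assumptions, not taken from the thread).
    principal = "host/client.example.test@EXAMPLE.TEST"
    password = "correct horse battery staple"
    random_salt = os.urandom(16)  # stands in for a per-principal random salt

    print("default salt:", default_salt(principal))
    print("KDC uses default salt ->", keys_match(principal, password, default_salt(principal)))
    print("KDC uses random salt  ->", keys_match(principal, password, random_salt))
```

With identical passwords, the derived bytes agree only when both sides use the same salt, which is the condition under which the encrypted_timestamp preauth can verify.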