kinit without dns

Michael B Allen ioplex at gmail.com
Wed Jan 24 16:09:19 EST 2024


On Wed, Jan 24, 2024 at 3:34 PM Ken Hornstein <kenh at cmf.nrl.navy.mil> wrote:
>
> You MIGHT be better served by turning on Kerberos tracing to see what the
> library is doing.  Prefixing that kinit with:
>
>         env KRB5_TRACE=/dev/stdout
>
> would be useful.

Hi Ken,

Indeed. Unfortunately my stock packages on CentOS 9 Stream are 1.21
but the KRB5_TRACE feature was introduced in 1.9.

At any rate, of course I figured out the problem right after posting this ...

Even though the following AD account attribute was set to:

  msDS-SupportedEncryptionTypes: 0x8 (AES128_CTS_HMAC_SHA1_96)

apparently this is not applicable to getting a TGT.
I noticed the AP-REQ KRB5KDC_ERR_PREAUTH_REQUIRED PA-DATA listed
AES256 as the etype.
My keytab only had an AES128 key.
Changing the key to AES256 fixed the issue and kinit now runs
successfully (without modifying DNS since dc1.gogo.loco is listed in
router DNS proxy local tables).
^^^TLDR

So I guess the "Invalid argument" was that there was no key matching
the desired etype.
It probably didn't help that there was obviously an AES256 key on the
account and it's only because I'm screwing around with that
msDS-SupportedEncryptionTypes attr trying to pin AES128 that I'm
dancing outside the lines of sanity at this point.

Really glad to see KRB5_TRACE was added.

Thanks for your support.

Mike

-- 
Michael B Allen
Java AD DS Integration
https://www.ioplex.com/
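The check described above, as an added example that is not part of the original thread: a small Python script that parses an MIT-format keytab, decodes the msDS-SupportedEncryptionTypes bits, and reports which enctypes the KDC's pre-auth hint (the etype listed in the KRB5KDC_ERR_PREAUTH_REQUIRED reply) asks for that the keytab does not have a key for. The principal "mike", the realm GOGO.LOCO, the helper names, and the keytab bytes are all assumed and constructed inline; on a real host you would read the bytes of /etc/krb5.keytab instead of calling the builder.

```python
import struct

# Kerberos enctype numbers (RFC 3961/3962) relevant to the thread.
AES128_CTS_HMAC_SHA1_96 = 17
AES256_CTS_HMAC_SHA1_96 = 18
ARCFOUR_HMAC = 23
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

# Bits of the AD msDS-SupportedEncryptionTypes attribute, mapped to enctype numbers.
MSDS_SUPPORTED_ENCTYPES = {0x4: ARCFOUR_HMAC, 0x8: AES128_CTS_HMAC_SHA1_96, 0x10: AES256_CTS_HMAC_SHA1_96}


def decode_msds_supported_enctypes(value):
    """Set of enctype numbers advertised by an msDS-SupportedEncryptionTypes value."""
    return {et for bit, et in MSDS_SUPPORTED_ENCTYPES.items() if value & bit}


def _counted(b):
    """Keytab 'counted octet string': uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def build_keytab(entries):
    """Serialize (principal, realm, kvno, enctype, key) tuples as an MIT 0x0502 keytab.
    Only used here to construct sample input; real keytabs come from ktutil/ktpass."""
    out = b"\x05\x02"
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.encode().split(b"/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c)
        body += struct.pack(">II", 1, 0)            # name_type KRB5_NT_PRINCIPAL, timestamp 0
        body += struct.pack(">B", kvno & 0xFF)       # 8-bit kvno
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)              # trailing 32-bit kvno, as modern MIT writes
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data):
    """Parse an MIT keytab (format 0x0502) into dicts with principal, kvno and enctype."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab format version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c)
        pos += 8                      # name_type + timestamp, not needed for this check
        kvno = data[pos]
        pos += 1
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        _key, pos = _read_counted(data, pos)
        if end - pos >= 4:            # 32-bit kvno overrides the 8-bit one when present and non-zero
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or kvno
        entries.append({"principal": b"/".join(comps).decode() + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype})
        pos = end
    return entries


def missing_enctypes(keytab_entries, principal, kdc_etypes):
    """Enctypes the KDC's pre-auth hint lists that the keytab has no key for, for this principal."""
    have = {e["enctype"] for e in keytab_entries if e["principal"] == principal}
    return sorted(et for et in kdc_etypes if et not in have)


def demo():
    """Replays the situation from the thread with constructed data (assumed names)."""
    principal = "mike@GOGO.LOCO"
    kdc_offered = [AES256_CTS_HMAC_SHA1_96]          # etype shown in the PREAUTH_REQUIRED hint
    advertised = decode_msds_supported_enctypes(0x8)  # attribute said AES128 only
    aes128_only = build_keytab([("mike", "GOGO.LOCO", 3, AES128_CTS_HMAC_SHA1_96, b"\x11" * 16)])
    with_aes256 = build_keytab([("mike", "GOGO.LOCO", 3, AES128_CTS_HMAC_SHA1_96, b"\x11" * 16),
                                ("mike", "GOGO.LOCO", 3, AES256_CTS_HMAC_SHA1_96, b"\x22" * 32)])
    before = missing_enctypes(parse_keytab(aes128_only), principal, kdc_offered)
    after = missing_enctypes(parse_keytab(with_aes256), principal, kdc_offered)
    return advertised, before, after


if __name__ == "__main__":
    adv, before, after = demo()
    print("attribute advertises:", [ENCTYPE_NAMES[e] for e in adv])
    print("missing with AES128-only keytab:", [ENCTYPE_NAMES[e] for e in before])
    print("missing after adding AES256 key:", [ENCTYPE_NAMES[e] for e in after])
```

On a live system the same two facts come from `klist -kte /etc/krb5.keytab` (which enctypes the keytab holds) and from the KRB5_TRACE output of kinit (which etype the KDC's etype-info hint selects); if the second is not in the first, kinit cannot derive a matching key and fails before any network retry would help.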
