kinit without dns

Michael B Allen ioplex at gmail.com
Wed Jan 24 19:37:15 EST 2024 

On Wed, Jan 24, 2024 at 4:27 PM Sam Hartman <hartmans at debian.org> wrote:
>
> >>>>> "Michael" == Michael B Allen <ioplex at gmail.com> writes:
>
>     Michael> Hi Ken,
>
>     Michael> Indeed. Unfortunately my stock packages on CentOS 9 Stream
>     Michael> are 1.21 but the KRB5_TRACE feature was introduced in 1.9.
>
> Last time I checked, 1.21 > 1.9.

Good point and, after some fiddling, it does indeed work and would
have revealed the issue:

$ KRB5_TRACE=trace.txt kinit -k -t java31.keytab 'java31$@GOGO.LOCO'
kinit: Pre-authentication failed: Invalid argument while getting
initial credentials
$ cat trace.txt
850878: Matching java31$@GOGO.LOCO in collection with result: 0/Success
850879: Getting initial credentials for java31$@GOGO.LOCO
850880: Found entries for java31$@GOGO.LOCO in keytab: aes128-cts
850882: Sending unauthenticated request
850883: Sending request (189 bytes) to GOGO.LOCO
850884: Resolving hostname dc1.gogo.loco
850885: Sending initial UDP request to dgram 10.11.12.22:88
850886: Received answer (185 bytes) from dgram 10.11.12.22:88
850887: Response was from primary KDC
850888: Received error from KDC: -1765328359/Additional
pre-authentication required
850891: Preauthenticating using KDC method data
850892: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD
(15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
850893: Selected etype info: etype aes256-cts, salt
"GOGO.LOCOhostjava31.gogo.loco", params ""
850894: PKINIT client has no configured identity; giving up
850895: PKINIT client has no configured identity; giving up
850896: Preauth module pkinit (16) (real) returned: 22/Invalid argument
850897: Retrieving java31$@GOGO.LOCO from FILE:java31.keytab (vno 0,
enctype aes256-cts) with result: -1765328203/No key table entry found
for java31$@GOGO.LOCO
850898: Preauth module encrypted_timestamp (2) (real) returned:
-1765328203/No key table entry found for java31$@GOGO.LOCO

Second to last line is pretty clear. Kinit was looking for an
aes256-cts key but the keytab only had an aes128-cts entry.

Mike

-- 
Michael B Allen
Java AD DS Integration
https://www.ioplex.com/

More information about the Kerberos mailing list