using keytab with preauth and ldap alias canonicalization
checker at d6.com
Sun Oct 3 16:37:49 EDT 2021
I can't seem to get canonicalization working with preauth and a keytab.
It works fine if I do:
kinit -C checkersp
this canonicalizes to checker and issues a tgt. checkersp and checker
are princs in the ldap entry, and checker is the canonical.
However, in both my code and in kinit, both an old version and 1.15.1,
if I do this:
kinit -C -k -t checkersp.keytab checkersp
I get "kinit.exe: Preauthentication failed while getting initial
credentials" the kdc says "preauth (encrypted_timestamp) verify
failure: Preauthentication failed" in the log file. I've tried creating
the keytab with my code and with ktutil.
Before I go deep debugging trying to figure out what's going on, is
there some known thing with keytabs and canonicalization when preauth is
on I should know about? I'm kind of counting on this path working for a
feature I want to add. I'm wondering if this has something to do with
the keytab being created with the checkersp alias, but when the preauth
comes back, it wants the canonical checker key... but I haven't looked at it
at all and don't know how that loop works yet.
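Before debugging the preauth loop itself, the first thing to confirm is what the keytab actually contains: which principal name, kvno and enctype each entry carries. Below is an added example (not code from this post, nor from krb5) that parses an MIT v2 keytab offline and reports those fields; the keytab bytes are constructed inline with dummy keys, and only the name checkersp@D6.COM is taken from the post.

```python
# Added example (not code from the post or from krb5): parse an MIT v2 keytab
# offline. The sample keytab below is constructed with dummy keys.
import struct

ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
                 23: "arcfour-hmac"}
EXPECTED_KEY_LEN = {17: 16, 18: 32, 19: 16, 20: 32, 23: 16}  # raw key bytes per enctype


def _octets(b):
    """Keytab counted octet string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def build_entry(principal, kvno, enctype, key, timestamp=0, name_type=1):
    """Serialize one v2 keytab entry, size prefix included (name_type 1 = NT-PRINCIPAL)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _octets(realm.encode())
    body += b"".join(_octets(c.encode()) for c in comps)
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)  # 8-bit vno field
    body += struct.pack(">H", enctype) + _octets(key)                # keyblock
    body += struct.pack(">I", kvno)                                   # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    return b"\x05\x02" + b"".join(entries)


class _Reader:
    def __init__(self, data, pos):
        self.data, self.pos = data, pos

    def take(self, fmt):
        val = struct.unpack_from(fmt, self.data, self.pos)[0]
        self.pos += struct.calcsize(fmt)
        return val

    def octets(self):
        n = self.take(">H")
        self.pos += n
        return self.data[self.pos - n:self.pos]


def parse_keytab(data):
    """Return one dict per live entry; free slots (negative size) are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    r, entries = _Reader(data, 2), []
    while r.pos + 4 <= len(data):
        size = r.take(">i")
        if size < 0:                      # slot left behind by a removed entry
            r.pos += -size
            continue
        end = r.pos + size
        ncomp = r.take(">H")
        realm = r.octets().decode()
        comps = [r.octets().decode() for _ in range(ncomp)]
        name_type, timestamp, kvno = r.take(">I"), r.take(">I"), r.take(">B")
        enctype, key = r.take(">H"), r.octets()
        if end - r.pos >= 4:              # 32-bit kvno, if present and nonzero, wins
            kvno = r.take(">I") or kvno
        r.pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "timestamp": timestamp, "kvno": kvno, "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype)), "key": key})
    return entries


def principals(entries):
    return sorted({e["principal"] for e in entries})


def key_length_ok(entry):
    expected = EXPECTED_KEY_LEN.get(entry["enctype"])
    return expected is None or len(entry["key"]) == expected


def default_salt(principal):
    """RFC 4120 default string-to-key salt: realm, then the name components, no separators."""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))


# Constructed sample: a keytab made under the alias name, with one freed slot in the middle.
FREE_SLOT = struct.pack(">i", -8) + b"\x00" * 8
SAMPLE_KEYTAB = build_keytab([
    build_entry("checkersp@D6.COM", 2, 18, bytes(range(32))),
    FREE_SLOT,
    build_entry("checkersp@D6.COM", 2, 17, bytes(range(16))),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%s kvno=%d %s keylen=%d %s" % (e["principal"], e["kvno"], e["enctype_name"],
                                             len(e["key"]), "ok" if key_length_ok(e) else "BAD LENGTH"))
    print("alias salt:    ", default_salt("checkersp@D6.COM"))
    print("canonical salt:", default_salt("checker@D6.COM"))
```

On a real file, call parse_keytab(open("checkersp.keytab", "rb").read()); klist -k -e prints the same fields, but this shows where each one sits in the file. One thing no keytab listing can show is the salt a password-derived key was made with: by RFC 4120 the default salt is the realm followed by the principal's name components, so a key derived under the alias name (salt D6.COMcheckersp) differs from one derived under the canonical name (salt D6.COMchecker) even though both names resolve to the same LDAP entry, and a mismatch there would produce the same encrypted-timestamp verify failure quoted from the KDC log. default_salt() above gives the two candidates; actually comparing keys would need the string-to-key implementation for the enctype in use.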