using keytab with preauth and ldap alias canonicalization

Chris Hecker checker at
Sun Oct 3 16:37:49 EDT 2021

I can't seem to get canonicalization working with preauth and a keytab.  
It works fine if I do:

kinit -C checkersp

This canonicalizes to checker and issues a TGT.  checkersp and checker
are princs in the LDAP entry, and checker is the canonical one.

However, in both my code and in kinit, both an old version and 1.15.1, 
if I do this:

kinit -C -k -t checkersp.keytab checkersp

I get "kinit.exe: Preauthentication failed while getting initial 
credentials"  the kdc says "preauth (encrypted_timestamp) verify 
failure: Preauthentication failed" in the log file.  I've tried creating 
the keytab with my code and with ktutil.

Before I go deep debugging trying to figure out what's going on, is
there some known thing with keytabs and canonicalization when preauth is
on that I should know about?  I'm kind of counting on this path working for a
feature I want to add.  I'm wondering if this has something to do with
the keytab being created with the checkersp alias, but when the preauth
comes back, it wants the canonical checker key...but I haven't looked at
it at all and don't know how that loop works yet.

