using keytab with preauth and ldap alias canonicalization
ghudson at mit.edu
Mon Oct 4 00:06:33 EDT 2021

On 10/3/21 4:37 PM, Chris Hecker wrote:
> I get "kinit.exe: Preauthentication failed while getting initial
> credentials"; the KDC says "preauth (encrypted_timestamp) verify
> failure: Preauthentication failed" in the log file. I've tried creating
> the keytab with my code and with ktutil.

krb5 1.17 added a -f flag to ktutil addent, which fetches the correct
etype-info from the KDC using an unauthenticated AS-REQ. It also adds a
corresponding API krb5_get_etype_info(). Without this feature you must
specify the canonical principal name, or you will use the wrong salt and
produce the wrong key for the keytab.
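
Added example, not part of the original message and not MIT krb5 code: it shows why an alias yields the wrong keytab key, using the RFC 4120 default salt (realm followed by the name components) and the PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES string-to-key. It assumes the KDC uses the default salt of the canonical name, omits the final DK(tkey, "kerberos") step, and uses constructed principal names.

```python
import hashlib


def default_salt(principal: str) -> bytes:
    """RFC 4120 default salt: realm, then each name component, no separators.

    Assumption: no escaped '/' or '@' characters inside the components.
    """
    name, _, realm = principal.rpartition("@")
    if not name or not realm:
        raise ValueError("expected name@REALM")
    return (realm + "".join(name.split("/"))).encode("utf-8")


def pbkdf2_stage(password: str, salt: bytes,
                 iterations: int = 4096, keylen: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 string-to-key.

    The real key is DK(this_output, "kerberos"); that step is omitted here,
    so this is intermediate key material, not a usable keytab key.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt, iterations, keylen)


def same_key_material(password: str, typed: str, canonical: str) -> bool:
    """True if a key derived from the typed name matches the canonical one."""
    return (pbkdf2_stage(password, default_salt(typed))
            == pbkdf2_stage(password, default_salt(canonical)))


if __name__ == "__main__":
    # Constructed names: "alias" is an LDAP alias the KDC canonicalizes
    # to "jsmith". The KDC verifies the encrypted timestamp with the key
    # salted by the canonical name, so a keytab built from the alias fails.
    alias = "alias@EXAMPLE.COM"
    canonical = "jsmith@EXAMPLE.COM"
    for p in (alias, canonical):
        salt = default_salt(p)
        print(p, salt.decode(), pbkdf2_stage("constructed-pw", salt).hex())
    print("keys match:", same_key_material("constructed-pw", alias, canonical))
```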