using keytab with preauth and ldap alias canonicalization

Greg Hudson ghudson at
Mon Oct 4 00:06:33 EDT 2021

On 10/3/21 4:37 PM, Chris Hecker wrote:
> I get "kinit.exe: Preauthentication failed while getting initial
> credentials". The KDC says "preauth (encrypted_timestamp) verify
> failure: Preauthentication failed" in the log file. I've tried creating
> the keytab with my code and with ktutil.

krb5 1.17 added a -f flag to ktutil addent, which fetches the correct
etype-info from the KDC using an unauthenticated AS-REQ.  It also adds a
corresponding API krb5_get_etype_info().  Without this feature you must
specify the canonical principal name, or you will use the wrong salt and
produce the wrong key for the keytab.
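
Added example, not part of the original message or of krb5: a Python sketch of why a keytab built under an alias name fails preauthentication. It computes the default salt and the PBKDF2 stage of the AES string-to-key (RFC 3962), leaving out the final DK step; the principal names and password in the demo are constructed.

```python
import hashlib

def default_salt(principal: str) -> bytes:
    """Default Kerberos salt: the realm followed by the name components,
    concatenated with no separators."""
    # Simplified parsing (assumption): no escaped '/' or '@' in the name.
    name, _, realm = principal.rpartition("@")
    if not name or not realm:
        raise ValueError("expected name[/instance]@REALM")
    return (realm + "".join(name.split("/"))).encode("utf-8")

def pbkdf2_stage(password: str, salt: bytes,
                 iterations: int = 4096, keylen: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the AES string-to-key (RFC 3962).
    4096 is the default iteration count; keylen 32 is for aes256.
    The real key is DK(this value, "kerberos"); that step is omitted here,
    so this output is not a usable keytab key, but it differs whenever
    the salt differs, and so does the final key."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt, iterations, keylen)

def keys_match(password: str, keytab_principal: str,
               canonical_principal: str) -> bool:
    """True if a key derived under keytab_principal's default salt equals
    the one derived under the canonical principal's default salt."""
    a = pbkdf2_stage(password, default_salt(keytab_principal))
    b = pbkdf2_stage(password, default_salt(canonical_principal))
    return a == b

if __name__ == "__main__":
    # Constructed sample values: an alias and the name the KDC maps it to.
    alias = "webadmin@EXAMPLE.COM"
    canonical = "jdoe@EXAMPLE.COM"
    password = "constructed-sample-password"
    for p in (alias, canonical):
        salt = default_salt(p)
        print(p, salt, pbkdf2_stage(password, salt).hex()[:16] + "...")
    # False: same password, different salt, so the keytab key is wrong.
    print("keys match:", keys_match(password, alias, canonical))
    # The KDC can also hold a non-default salt, which only the etype-info
    # it returns reveals; the default-salt computation cannot predict it.
```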
