using keytab with preauth and ldap alias canonicalization
Chris Hecker
checker at d6.com
Mon Oct 4 00:28:09 EDT 2021
Wait, so to be clear: at the time I create the keytab I don't know
if the princ is canonical or not. So I need to use that new API on each
princ after the user enters it, and use that to create the keytab?
Is there a way to do this with the API before 1.17, or do I need to
update everything? Is this only on the client, or does the KDC need to
be 1.17 as well?
Chris
------ Original Message ------
From: "Greg Hudson" <ghudson at mit.edu>
To: "Chris Hecker" <checker at d6.com>; "krbdev at mit.edu" <krbdev at mit.edu>
Sent: 2021-10-03 21:06:33
Subject: Re: using keytab with preauth and ldap alias canonicalization
>On 10/3/21 4:37 PM, Chris Hecker wrote:
>> I get "kinit.exe: Preauthentication failed while getting initial
>> credentials", and the KDC says "preauth (encrypted_timestamp) verify
>> failure: Preauthentication failed" in the log file. I've tried creating
>> the keytab with my code and with ktutil.
>
>krb5 1.17 added a -f flag to ktutil addent, which fetches the correct
>etype-info from the KDC using an unauthenticated AS-REQ. It also adds a
>corresponding API krb5_get_etype_info(). Without this feature you must
>specify the canonical principal name, or you will use the wrong salt and
>produce the wrong key for the keytab.
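The failure Greg describes, modelled as an added example (this is not code from MIT krb5 or from either poster). It reproduces the salt-dependent part of keytab key generation: the default salt that krb5_principal2salt() builds from the realm and name components, and the PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES string-to-key. The final DK() step is AES-based and does not depend on the salt, so it is left out; the values computed here are therefore the intermediate PBKDF2 output, not finished Kerberos keys. The FakeKdc class, the realm EXAMPLE.COM, the principal names, the alias mapping and the password are all constructed for illustration; etype_info_salt() stands in for what krb5_get_etype_info() retrieves from a real KDC with an unauthenticated AS-REQ.

```python
"""Why a keytab built from an alias principal carries the wrong key.

Added example for this thread, not MIT krb5 code.  Models the
salt-dependent part of string-to-key: the default salt (realm followed by
the name components, RFC 4120 section 4) and the PBKDF2 stage of the
RFC 3962 AES string-to-key.  The AES-based DK() step is omitted, so the
results are intermediate values, not finished keys.  All names, the KDC
model and the password are constructed for illustration.
"""
import hashlib

ITERATIONS = 4096   # RFC 3962 default iteration count
KEYLEN = 32         # aes256-cts-hmac-sha1-96 key length in bytes


def default_salt(realm, components):
    """Default salt: the realm, then each name component, no separators."""
    return (realm + "".join(components)).encode("utf-8")


def parse_principal(name):
    """Split 'comp1/comp2@REALM' into (realm, [comp1, comp2]).

    Simplified: none of the backslash escaping krb5_parse_name() accepts.
    """
    local, sep, realm = name.rpartition("@")
    if not sep or not realm:
        raise ValueError("principal has no realm: %r" % name)
    return realm, local.split("/")


def pbkdf2_stage(password, salt, keylen=KEYLEN):
    """Salt-dependent stage of RFC 3962 string-to-key (PBKDF2-HMAC-SHA1)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               ITERATIONS, keylen)


class FakeKdc:
    """Constructed stand-in for a KDC: keys live under canonical names,
    and a table of aliases says which typed names resolve to them."""

    def __init__(self, aliases, passwords):
        self.aliases = aliases                      # alias -> canonical name
        self.keys = {p: pbkdf2_stage(pw, default_salt(*parse_principal(p)))
                     for p, pw in passwords.items()}

    def canonicalize(self, name):
        return self.aliases.get(name, name)

    def etype_info_salt(self, name):
        """What the ETYPE-INFO2 in the KDC's preauth-required reply carries:
        the salt of the canonical principal (what krb5_get_etype_info()
        fetches for you)."""
        return default_salt(*parse_principal(self.canonicalize(name)))

    def verify_preauth(self, name, client_key):
        """Encrypted-timestamp preauth succeeds only if the client's key
        matches the one stored for the canonical principal."""
        return self.keys[self.canonicalize(name)] == client_key


def keytab_key(password, entered_name, kdc_salt=None):
    """Key a client would write into its keytab.  Without etype-info the
    salt is derived from the name exactly as the user typed it; with it,
    the KDC-supplied salt is used."""
    if kdc_salt is None:
        kdc_salt = default_salt(*parse_principal(entered_name))
    return pbkdf2_stage(password, kdc_salt)


def demo():
    """Returns (preauth ok with naive keytab, preauth ok with fetched salt)."""
    canonical = "host/box.example.com@EXAMPLE.COM"      # constructed
    alias = "host/alias.example.com@EXAMPLE.COM"        # constructed
    password = "constructed-example-password"
    kdc = FakeKdc(aliases={alias: canonical}, passwords={canonical: password})

    naive = keytab_key(password, alias)                        # pre-1.17 path
    fetched = keytab_key(password, alias, kdc.etype_info_salt(alias))  # -f path
    return kdc.verify_preauth(alias, naive), kdc.verify_preauth(alias, fetched)


if __name__ == "__main__":
    print(demo())  # (False, True)
```

The naive path reproduces the "Preauthentication failed" symptom: the salt becomes EXAMPLE.COMhostalias.example.com instead of EXAMPLE.COMhostbox.example.com, so the derived key never matches what the KDC holds. Fetching the salt from the KDC is also the right move when the stored key uses a non-default salt, which the client has no way to compute locally.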