using keytab with preauth and ldap alias canonicalization

Chris Hecker checker at
Mon Oct 4 00:28:09 EDT 2021

Wait, so to be clear, at the time when I create the keytab I don't know 
if the princ is canonical or not.  So I need to use that new API on each 
princ after the user enters it, and use that to create the keytab?

Is there a way to do this with the API before 1.17 or do I need to 
update everything?  Is this only on the client, or does the KDC need to 
be 1.17 as well?


------ Original Message ------
From: "Greg Hudson" <ghudson at>
To: "Chris Hecker" <checker at>; "krbdev at" <krbdev at>
Sent: 2021-10-03 21:06:33
Subject: Re: using keytab with preauth and ldap alias canonicalization

>On 10/3/21 4:37 PM, Chris Hecker wrote:
>>  I get "kinit.exe: Preauthentication failed while getting initial
>>  credentials"  the kdc says "preauth (encrypted_timestamp) verify
>>  failure: Preauthentication failed" in the log file.  I've tried creating
>>  the keytab with my code and with ktutil.
>krb5 1.17 added a -f flag to ktutil addent, which fetches the correct
>etype-info from the KDC using an unauthenticated AS-REQ.  It also adds a
>corresponding API krb5_get_etype_info().  Without this feature you must
>specify the canonical principal name, or you will use the wrong salt and
>produce the wrong key for the keytab.

More information about the krbdev mailing list