
.kinit: Preauthentication failed while getting initial credentials


Thomas Beaudry

Oct 26, 2016, 2:21:42 PM
to kerb...@mit.edu
Hi Everyone,

I am running into a strange problem. I cannot get a Kerberos ticket when using a keytab, but for 1 specific user only.

This is the command I use:

> kinit perform-admin -kt .perform-admin.keytab

kinit: Preauthentication failed while getting initial credentials

Now if I do:

kinit

then I get prompted for a password, and then a ticket is created.

Like I said, I can use a keytab for every other user and it does work; it is only for this 1 specific user that it fails. I have also tried creating new keytabs for this user but it still fails. I don't know if I have this problem because it's the same user that I used to join the REALM in the first place.

Any thoughts?

Thanks!
Thomas Beaudry

Todd Grayson

Oct 26, 2016, 2:48:40 PM
to Thomas Beaudry, kerb...@mit.edu
Is the KDC MIT? AD? Assuming MIT KDC:

Use the kvno command to evaluate what the KDC thinks is current, vs. klist
-kte .perform-admin.keytab

Verify the kvno (key version number) matches up from the keytab to what the
KDC states is the current version. Kinit as a working user first from the
CLI, then attempt the kvno against the principal associated with the keytab
that is failing.

What is the command line you are using to export keytabs? The default
behavior is to randomize the key on each export unless you specifically tell
it not to with -norandkey.

http://krbdev.mit.edu/rt/Ticket/History.html?id=914

Use -norandkey when exporting a keytab to prevent the key from being
changed...



--
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME

Thomas Beaudry

Oct 26, 2016, 2:53:16 PM
to Todd Grayson, kerb...@mit.edu
Hi Todd,

Thanks for answering. It's a Windows AD. I'm using ktutil to create the keytab:

addent -password -p perform-admin -k 1 -e aes256-cts-hmac-sha1-96

I'll look into the kvno.

Thomas


Todd Grayson

Oct 26, 2016, 4:21:24 PM
to Thomas Beaudry, kerb...@mit.edu
No, in that case, forget the kvno; it is not going to come out correctly
that way.

It's for when you export the keytab from the KDC; in AD contexts like you
are describing it becomes an invalid data point.

On AD, verify the entry in the AD Users and Computers GUI, set the user
entry to allow AES-256, and change the password for the user so you have a
valid representation of the password on the AD side for your keytab's
AES256. If you right-click on the user and go into Properties, it's a
selection list of checkboxes in one of the tabs in the GUI for the user
entry edit.

That, or don't pick aes256 for what you are setting up on the keytab;
depending on the AD version you might have issues (e.g. if AD 2003 was in
use).


Thomas Beaudry

Oct 27, 2016, 11:23:50 AM
to Todd Grayson, kerb...@mit.edu
Hi Todd,

Thanks, I tried enabling the AES256 checkbox but that didn't fix the problem. Also, I checked other users and they don't have that checkbox clicked, so it isn't the issue.

Any more thoughts as to what could be causing this 1 user to not be able to use a keytab?

Thanks,

Thomas


Todd Grayson

Oct 27, 2016, 11:26:11 AM
to Thomas Beaudry, kerb...@mit.edu
You have to change the password after setting the checkbox.... Was that
done?


Todd Grayson

Oct 27, 2016, 11:59:48 AM
to Thomas Beaudry, kerb...@mit.edu
Generally that is indicating the password is wrong or the key type is
failing, from my experience; perhaps other folks can comment. To
troubleshoot this you would review and apply the content from these things.

So, to be clear. You have:
1) set the Permit AES-256 key type checkbox on that entry
2) CHANGED (not set to the same value) the password on AD
3) re-run your ktutil to set the new password and enctype to your keytab
you are creating

If that is true then I would test with adding additional weaker encryption
types to the keytab as well (RC4-HMAC/arcfour-hmac-md5); avoid using DES.

If that is what has been done then you'll need to start troubleshooting on
the client and AD side; these discuss how to troubleshoot what is failing
when you attempt Kerberos auth.


MIT Kerberos Documentation: Troubleshooting
https://web.mit.edu/kerberos/krb5-1.13/doc/admin/troubleshoot.html


How to enable Kerberos event logging
https://support.microsoft.com/en-us/kb/262177

On Thu, Oct 27, 2016 at 9:37 AM, Thomas Beaudry <thomas....@concordia.ca
> wrote:

> Hi Todd,
>
>
> Yes I changed the password. Still the same problem.
>
>
> thanks!
>
> Thomas

Todd Grayson

Oct 27, 2016, 12:04:19 PM
to Thomas Beaudry, kerb...@mit.edu
Perfect, good to hear. Strange you can't get AES working... If you end up
needing to troubleshoot that at some point, those links are the toolkits
for digging deeper into what's failing. There should be an updated version
of that KB for the different Windows AD KDC releases as well.

On Thu, Oct 27, 2016 at 9:59 AM, Thomas Beaudry <thomas....@concordia.ca
> wrote:

> Hi Todd,
>
>
> So I got it to work by switching the encryption type. In case anyone is
> wondering, I used: addent -password -p ${user} -k 1 -e rc4-hmac
>
>
> Thank you so much for your help; I really didn't know where to look to
> start off with.
>
>
> Have a great day!
>
> Thomas

Tom Yu

Oct 27, 2016, 12:53:09 PM
to Thomas Beaudry, kerb...@mit.edu
Thomas Beaudry <thomas....@concordia.ca> writes:

> So I got it to work by switching the encryption type. In case anyone is wondering, I used: addent -password -p ${user} -k 1 -e rc4-hmac

It's possible that the problem is related to password salting. (The RC4
enctype has no salt, but the AES ones do.) We've observed that the salt
for an Active Directory principal is related to the account name rather
than the principal name, e.g., HOSTNAME$ for a computer account. (An AD
account can have multiple Kerberos principal names.) Without the
correct salt, the client can't produce the correct password-derived key.

-Tom
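The salt dependence Tom describes, worked through on the PBKDF2 stage of the RFC 3962 AES string-to-key. This is an added example, not code from the thread or from MIT krb5; the realm EXAMPLE.COM, the password and the sAMAccountName values are constructed, and the AD user-account salt form (REALM + sAMAccountName) is an assumption about AD, not something the thread states.

```python
"""Salt dependence of the AES string-to-key (RFC 3962).

Only the PBKDF2-HMAC-SHA1 stage is computed. The final key is
DK(tkey, "kerberos"), an AES-based step omitted here, but it is a
deterministic function of tkey, so different tkeys give different keys.
rc4-hmac, by contrast, derives its key from MD4(UTF-16LE(password)) with
no salt at all, which is why switching to it sidesteps a salt mismatch.
"""
import hashlib

ITERATIONS = 4096  # RFC 3962 default iteration count
KEY_BYTES = {"aes128-cts-hmac-sha1-96": 16, "aes256-cts-hmac-sha1-96": 32}


def default_salt(realm: str, principal: str) -> str:
    """RFC 4120 default salt: realm name followed by the principal's name
    components with no separators (what a ktutil addent -password uses
    when nothing tells it a different salt)."""
    return realm + "".join(principal.split("/"))


def ad_user_salt(realm: str, sam_account_name: str) -> str:
    """Assumed AD form for a user account: REALM + sAMAccountName exactly
    as stored in the directory (assumption, not from the thread)."""
    return realm + sam_account_name


def aes_tkey(password: str, salt: str, enctype: str) -> bytes:
    """PBKDF2 stage of RFC 3962 string-to-key for the given AES enctype."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), ITERATIONS,
                               KEY_BYTES[enctype])


def keytab_matches_kdc(password, realm, principal, sam_account_name,
                       enctype="aes256-cts-hmac-sha1-96") -> bool:
    """True only if the client-side default salt and the (assumed) AD salt
    lead to the same key, i.e. when the account name equals the principal
    name byte for byte. Any difference, even in case, breaks the AES key
    while the password itself is still correct."""
    client = aes_tkey(password, default_salt(realm, principal), enctype)
    kdc = aes_tkey(password, ad_user_salt(realm, sam_account_name), enctype)
    return client == kdc


if __name__ == "__main__":
    # Constructed values: realm, password and account names are placeholders.
    realm, pw = "EXAMPLE.COM", "correct horse battery staple"
    print(keytab_matches_kdc(pw, realm, "perform-admin", "perform-admin"))  # True
    print(keytab_matches_kdc(pw, realm, "perform-admin", "Perform-Admin"))  # False
```

Newer MIT ktutil releases accept -s salt or -f (fetch the salt from the KDC) on addent; check your version's man page, since an older ktutil will only ever use the default salt.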

Todd Grayson

Oct 27, 2016, 5:10:08 PM
to Tom Yu, Mubashir Kazia, kerb...@mit.edu
Interesting, Tom. We'll review that as well; I've added one of our team
members working with this in the field to the discussion as well.

Thomas, what version of Active Directory are you working with in
your attempts to get this functioning with AES?