[Freeipa-users] Generic preauthentication failure while getting initial credentials using kinit -k -t

Alexander Bokovoy abokovoy at redhat.com
Thu Sep 24 05:23:57 UTC 2015


On Wed, 23 Sep 2015, Brian J. Murrell wrote:
>I've put a Kerberos principal into a keytab:
>
># klist -k asterisk.keytab
>Keytab name: FILE:asterisk.keytab
>KVNO Principal
>---- --------------------------------------------------------------------------
>   8 asterisk@EXAMPLE.COM
>
>using:
>
># ipa-getkeytab -s server.example.com -p asterisk -k /tmp/asterisk-krb5.keytab -e aes256-cts
>
>But when I try to use that keytab I get an error:
>
># kinit -k -t /etc/asterisk/asterisk.keytab imap/linux.example.com@EXAMPLE.COM
>kinit: Generic preauthentication failure while getting initial credentials
>
>On the server I get the following error:
>
>Sep 23 19:30:39 server.example.com krb5kdc[28970](info): AS_REQ (7
>etypes {18 17 16 23 1 3 2}) xxxxxx: NEEDED_PREAUTH:
>imap/linux.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM,
>Additional pre-authentication required
>
>Any idea what is going on here?

You need to explain what you are trying to achieve first.

The sequence above:

 - Sets a random Kerberos key for a principal named asterisk@EXAMPLE.COM
   on IPA KDC and stores it to the local keytab file asterisk.keytab
 - tries to use a key for asterisk@EXAMPLE.COM to obtain ticket granting
   ticket as imap/linux.example.com@EXAMPLE.COM

Unless imap/linux.example.com@EXAMPLE.COM has exactly the same Kerberos key
as asterisk@EXAMPLE.COM, the above should fail and it does.

-- 
/ Alexander Bokovoy
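
The mismatch described in this thread can be caught before `kinit` contacts the KDC by comparing the requested principal against the entries listed by `klist -k`. The following is an added example, not part of the original messages: the function names are hypothetical and the sample listing is constructed to match the output quoted above.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Constructed sample: `klist -k` output shaped like the listing in the thread.
SAMPLE_LISTING='Keytab name: FILE:asterisk.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   8 asterisk@EXAMPLE.COM'

# Print the unique principal names found in a `klist -k` listing.
# Entries are the lines after the dashed separator: "<kvno> <principal>".
keytab_principals() {
    printf '%s\n' "$1" |
        awk 'seen && $1 ~ /^[0-9]+$/ && NF >= 2 { print $2 } /^-+/ { seen = 1 }' |
        sort -u
}

# Succeed only if the listing holds a key for exactly this principal.
keytab_has_principal() {
    keytab_principals "$1" | grep -Fxq -- "$2"
}

# Pre-flight for `kinit -k -t`: report a mismatch before contacting the KDC.
check_kinit_target() {
    listing=$1 wanted=$2
    if keytab_has_principal "$listing" "$wanted"; then
        echo "ok: keytab has a key for $wanted"
        return 0
    fi
    echo "mismatch: no key for $wanted; keytab holds:" >&2
    keytab_principals "$listing" | sed 's/^/  /' >&2
    return 1
}

# Live use (needs MIT Kerberos klist and a real keytab):
#   check_kinit_target "$(klist -k /etc/asterisk/asterisk.keytab)" "$principal" &&
#       kinit -k -t /etc/asterisk/asterisk.keytab "$principal"
```

A passing check only shows that the keytab names the principal; the key version stored in the keytab must still match the one currently held by the KDC.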



