[Freeipa-users] Generic preauthentication failure while getting initial credentials using kinit -k -t

Brian J. Murrell brian at interlinx.bc.ca
Sat Sep 26 18:26:56 UTC 2015


On Thu, 2015-09-24 at 08:23 +0300, Alexander Bokovoy wrote:

OK.  I have refreshed my memory of how Kerberos works.

> The sequence above:
> 
>  - Sets a random Kerberos key for a principal named asterisk@EXAMPLE.COM
>    on IPA KDC and stores it to the local keytab file asterisk.keytab

Yes.  That keytab is intended to be the machine equivalent of the human
who enters their password at a kinit prompt.

>  - tries to use a key for asterisk@EXAMPLE.COM to obtain ticket granting
>    ticket as imap/linux.example.com@EXAMPLE.COM

Why would it try to obtain a TGT as the imap/linux.example.com
principal?  It should be trying to obtain a TGT as the
asterisk@example.com principal, exactly as a human named "asterisk"
would do using kinit.

The goal here is to have the daemon authenticate to the KDC as
asterisk@example.com and then use that TGT to get service tickets to
the imap service so that it authenticates to the imap service as the
user "asterisk".

I suppose the other way is to give the daemon the imap principal's key
and let it forge service tickets, but that would require the daemon to
know that that is what it is doing.  It does not know that.  It is just
acting like an imap client as any other imap client that uses Kerberos
does.  To be perfectly clear, this daemon only wants to authenticate as
the single user "asterisk" to the imap server.  It does not need to
authenticate as many users.

Cheers,
b.