[Freeipa-users] Generic preauthentication failure while getting initial credentials using kinit -k -t
Alexander Bokovoy
abokovoy at redhat.com
Mon Sep 28 06:48:20 UTC 2015
On Sat, 26 Sep 2015, Brian J. Murrell wrote:
>On Thu, 2015-09-24 at 08:23 +0300, Alexander Bokovoy wrote:
>
>OK. I have refreshed my memory of how Kerberos works.
>
>> The sequence above:
>>
>> - Sets a random Kerberos key for a principal named asterisk@EXAMPLE.COM
>> on IPA KDC and stores it to the local keytab file asterisk.keytab
>
>Yes. That keytab is intended to be the machine equivalent of the human
>who enters their password at a kinit prompt.
Ok, I wanted to know what you were trying to achieve.
>
>> - tries to use a key for asterisk@EXAMPLE.COM to obtain ticket
>> granting ticket as imap/linux.example.com@EXAMPLE.COM
>
>Why would it try to obtain a TGT as the imap/linux.example.com
>principal? It should be trying to obtain a TGT as the
>asterisk@example.com principal, exactly as a human named "asterisk"
>would do using kinit.
Because *you* asked it to do so:
$ man kinit
...
SYNOPSIS
kinit [-V] [-l lifetime] [-s start_time] [-r renewable_life] [-p | -P] [-f | -F] [-a] [-A] [-C] [-E] [-v] [-R] [-k [-t keytab_file]] [-c cache_name] [-n] [-S service_name] [-I input_ccache] [-T armor_ccache] [-X attribute[=value]] [principal]
DESCRIPTION
kinit obtains and caches an initial ticket-granting ticket for principal.
So, when you run kinit as
kinit -k -t /path/to/keytab imap/linux.example.com
You are asking "take the key for imap/linux.example.com from the
/path/to/keytab and obtain a ticket granting ticket from KDC using these
credentials".
>The goal here is to have the daemon authenticate to the KDC as
>asterisk@example.com and then use that TGT to get service tickets to
>the imap service so that it authenticates to the imap service as the
>user "asterisk".
And that would be
kinit -k -t /path/to/keytab asterisk
That's enough. Not specifying the principal would mean using a default
(host/fqdn), not whatever is the principal in the keytab.
>I suppose the other way is to give the daemon the imap principal's key
>and let it forge service tickets, but that would require the daemon to
>know that that is what it is doing. It does not know that. It is just
>acting like an imap client as any other imap client that uses Kerberos
>does. To be perfectly clear, this daemon only wants to authenticate as
>the single user "asterisk" to the imap server. It does not need to
>authenticate as many users.
Yes.
Once you've obtained a TGT in the current ccache, your application can
request the service ticket (imap/linux.example.com) automatically.
--
/ Alexander Bokovoy
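The mismatch discussed in this thread (asking kinit -k for a principal whose key is not in the keytab, or omitting the principal so kinit falls back to host/fqdn) is something you can check before ever talking to the KDC, since the keytab itself lists which principals it has keys for. On a real system that is `klist -k -t -e /path/to/keytab`. The following is an added example, not code from this thread or from FreeIPA/MIT krb5: it parses the MIT keytab v2 on-disk format directly, builds a keytab from constructed test entries (the key bytes, kvnos and the linux.example.com hostname are all made up), and reports whether the principal kinit would request is actually present. It only checks presence, not that the key matches what the KDC holds, so a stale kvno or a re-randomized key will still fail preauthentication even when this check passes.

```python
"""Parse an MIT Kerberos v2 keytab and check which principal `kinit -k` would use.

Added example for the Freeipa-users thread above; not FreeIPA or krb5 code.
Keytab format (MIT, version 0x0502), one record per entry:
  int32 size, then uint16 num_components, counted realm, counted components,
  uint32 name_type, uint32 timestamp, uint8 vno8, uint16 enctype,
  uint16 keylen, key bytes, optional uint32 vno (if 4 bytes remain).
A negative size marks a deleted slot whose payload must be skipped.
"""
import struct

KEYTAB_MAGIC = b"\x05\x02"          # MIT keytab, version 2
ENCTYPE_AES256_SHA1 = 18            # aes256-cts-hmac-sha1-96
NT_PRINCIPAL = 1


def _counted(buf, off):
    """Read a uint16-length-prefixed string (realm or principal component)."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n].decode(), off + n


def parse_keytab(data):
    """Return a list of {principal, kvno, enctype, key} dicts for live entries."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 MIT keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                # deleted slot: skip its payload
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        vno = vno8
        if end - off >= 4:          # 32-bit kvno present; krb5 prefers it when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                vno = vno32
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": vno, "enctype": enctype, "key": key})
    return entries


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples into keytab bytes (test data only)."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def kinit_target(principal, fqdn, realm):
    """Principal `kinit -k [principal]` asks a TGT for: the argument, or host/fqdn@REALM if omitted."""
    if principal is None:
        return f"host/{fqdn}@{realm}"
    return principal if "@" in principal else f"{principal}@{realm}"


def can_kinit(keytab_bytes, principal, fqdn, realm):
    """Return (requested principal, whether the keytab holds a key for it)."""
    target = kinit_target(principal, fqdn, realm)
    have = {e["principal"] for e in parse_keytab(keytab_bytes)}
    return target, target in have


# Constructed keytab: one key for asterisk@EXAMPLE.COM, as ipa-getkeytab would leave it.
SAMPLE_KEYTAB = build_keytab([("asterisk@EXAMPLE.COM", 2, ENCTYPE_AES256_SHA1, bytes(range(32)))])

if __name__ == "__main__":
    for who in ("asterisk", "imap/linux.example.com", None):
        target, ok = can_kinit(SAMPLE_KEYTAB, who, "linux.example.com", "EXAMPLE.COM")
        print(f"kinit -k -t asterisk.keytab {who or ''}: wants {target}: {'ok' if ok else 'NOT in keytab'}")
```

Run it and only the `asterisk` form succeeds; the `imap/linux.example.com` form and the no-argument form (which resolves to host/linux.example.com@EXAMPLE.COM) both fail the same way the original kinit invocation did, before any network round trip.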