[20320] in Kerberos_V5_Development
Re: using keytab with preauth and ldap alias canonicalization
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Oct 4 00:06:49 2021
To: Chris Hecker <checker@d6.com>, "krbdev@mit.edu" <krbdev@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <ddbe7481-cde9-a8ed-a627-288ab58cc732@mit.edu>
Date: Mon, 4 Oct 2021 00:06:33 -0400
MIME-Version: 1.0
In-Reply-To: <emf6afe31f-3438-4589-b0cd-1d8cc8aa1888@checker-blade15>
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On 10/3/21 4:37 PM, Chris Hecker wrote:
> I get "kinit.exe: Preauthentication failed while getting initial
> credentials"; the KDC says "preauth (encrypted_timestamp) verify
> failure: Preauthentication failed" in the log file. I've tried creating
> the keytab with my code and with ktutil.
krb5 1.17 added a -f flag to ktutil addent, which fetches the correct
etype-info from the KDC using an unauthenticated AS-REQ. It also adds a
corresponding API krb5_get_etype_info(). Without this feature you must
specify the canonical principal name, or you will use the wrong salt and
produce the wrong key for the keytab.
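The salt dependence Greg describes, as an added illustration that is not part of the thread: the default Kerberos salt is the realm followed by the principal's name components with no separators, so a key derived for an alias name and one derived for the canonical name come from different salts and never match. The snippet below uses Python's standard library only and stops at the PBKDF2 stage of the RFC 3962 aes-cts string-to-key (the final AES-based DK step is a keyed permutation, so distinct PBKDF2 outputs stay distinct and the mismatch is unchanged). The principal names, realm and password are constructed sample values; the 4096 iteration count is the RFC 3962 default.

```python
import hashlib

# RFC 3962 default PBKDF2 iteration count for aes128/aes256-cts-hmac-sha1-96
DEFAULT_ITERATIONS = 4096


def default_salt(principal: str) -> str:
    """Default salt: realm, then every name component concatenated without separators.
    'host/kdc.example.com@EXAMPLE.COM' -> 'EXAMPLE.COMhostkdc.example.com'."""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))


def string_to_key_pbkdf2(password: str, salt: str,
                         iterations: int = DEFAULT_ITERATIONS,
                         key_len: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 string-to-key (the DK step is omitted)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, key_len)


def keytab_key_matches(password: str, keytab_principal: str,
                       canonical_principal: str) -> bool:
    """True only if the key a client would write into its keytab (derived from the name
    it used) equals the key the KDC holds (derived from the canonical name's salt)."""
    client_key = string_to_key_pbkdf2(password, default_salt(keytab_principal))
    kdc_key = string_to_key_pbkdf2(password, default_salt(canonical_principal))
    return client_key == kdc_key


if __name__ == "__main__":
    # Constructed sample: 'checker' is an LDAP alias whose canonical name is 'chris'.
    password = "correct horse battery staple"
    print("alias salt    :", default_salt("checker@EXAMPLE.COM"))
    print("canonical salt:", default_salt("chris@EXAMPLE.COM"))
    print("keytab built from alias matches KDC key:",
          keytab_key_matches(password, "checker@EXAMPLE.COM", "chris@EXAMPLE.COM"))
    print("keytab built from canonical name matches:",
          keytab_key_matches(password, "chris@EXAMPLE.COM", "chris@EXAMPLE.COM"))
```

A keytab generator that cannot ask the KDC for ETYPE-INFO2 (the `-f` path above) therefore has to be given the canonical principal, since the salt is not recoverable from the alias alone. When the preauth failure appears even though the password is right, comparing the salt your tool used against the one the KDC reports is the first thing to check.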