[20321] in Kerberos_V5_Development
Re[2]: using keytab with preauth and ldap alias canonicalization
daemon@ATHENA.MIT.EDU (Chris Hecker)
Mon Oct 4 00:28:20 2021
From: "Chris Hecker" <checker@d6.com>
To: "Greg Hudson" <ghudson@mit.edu>, "krbdev@mit.edu" <krbdev@mit.edu>
Date: Mon, 04 Oct 2021 04:28:09 +0000
Message-ID: <em9291a75a-df2f-4f5b-a9c4-29460ae35dc0@checker-blade15>
In-Reply-To: <ddbe7481-cde9-a8ed-a627-288ab58cc732@mit.edu>
MIME-Version: 1.0
Reply-To: Chris Hecker <checker@d6.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
Wait, so to be clear, at the time when I create the keytab I don't know
if the princ is canonical or not. So I need to use that new API on each
princ after the user enters it, and use that to create the keytab?
Is there a way to do this with the API before 1.17 or do I need to
update everything? Is this only on the client, or does the KDC need to
be 1.17 as well?
Chris
------ Original Message ------
From: "Greg Hudson" <ghudson@mit.edu>
To: "Chris Hecker" <checker@d6.com>; "krbdev@mit.edu" <krbdev@mit.edu>
Sent: 2021-10-03 21:06:33
Subject: Re: using keytab with preauth and ldap alias canonicalization
>On 10/3/21 4:37 PM, Chris Hecker wrote:
>> I get "kinit.exe: Preauthentication failed while getting initial
>> credentials" the kdc says "preauth (encrypted_timestamp) verify
>> failure: Preauthentication failed" in the log file. I've tried creating
>> the keytab with my code and with ktutil.
>
>krb5 1.17 added a -f flag to ktutil addent, which fetches the correct
>etype-info from the KDC using an unauthenticated AS-REQ. It also adds a
>corresponding API krb5_get_etype_info(). Without this feature you must
>specify the canonical principal name, or you will use the wrong salt and
>produce the wrong key for the keytab.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
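The salt problem Greg describes, as an added example that is not part of this thread: the KDC derived the principal's key using the default salt for the canonical name (realm followed by the name components, RFC 4120 section 4.3), so a keytab built from an alias name salts the same password differently and yields a different key, which is why encrypted-timestamp preauth fails. The example models only the PBKDF2 stage of the RFC 3962 AES string-to-key function; the principal names and password are constructed.

```python
import hashlib

# RFC 3962 default PBKDF2 iteration count and aes128 key length
DEFAULT_ITERATIONS = 4096
AES128_KEY_LEN = 16


def parse_principal(princ):
    """Split 'name/instance@REALM' into (components, realm)."""
    name, realm = princ.rsplit("@", 1)
    return name.split("/"), realm


def default_salt(princ):
    """RFC 4120 section 4.3 default salt: realm, then the name components, no separators."""
    comps, realm = parse_principal(princ)
    return (realm + "".join(comps)).encode()


def aes128_tkey(password, salt):
    """First stage of RFC 3962 string-to-key: PBKDF2-HMAC-SHA1 over the salt.
    The final DK(tkey, "kerberos") step is omitted here; it is a deterministic
    function of tkey, so a different tkey always means a different long-term key."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt,
                               DEFAULT_ITERATIONS, AES128_KEY_LEN)


def keytab_key_matches(password, name_used_for_keytab, canonical_name, salt_from_kdc=None):
    """Compare the key a keytab tool derives with the key the KDC stored.
    The KDC salted with the canonical principal's default salt. The keytab tool
    salts with whatever name it was given, unless it learned the real salt from
    the KDC, which is what ktutil addent -f / krb5_get_etype_info() provide."""
    kdc_key = aes128_tkey(password, default_salt(canonical_name))
    salt = salt_from_kdc if salt_from_kdc is not None else default_salt(name_used_for_keytab)
    return aes128_tkey(password, salt) == kdc_key


# Constructed alias, canonical name and password (not values from the thread).
CANONICAL = "chris@EXAMPLE.COM"
ALIAS = "checker@EXAMPLE.COM"
PASSWORD = "correct horse battery staple"

if __name__ == "__main__":
    print("keytab built from alias name :", keytab_key_matches(PASSWORD, ALIAS, CANONICAL))
    print("keytab built from canonical  :", keytab_key_matches(PASSWORD, CANONICAL, CANONICAL))
    print("alias name + salt from KDC   :",
          keytab_key_matches(PASSWORD, ALIAS, CANONICAL, default_salt(CANONICAL)))
```

Fetching the salt from the KDC is the only way the tool can get it right when the operator does not know which name is canonical, which is what the 1.17 `-f` flag automates.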