kinit using keytab fails while using password succeeds

I'm facing a strange problem configuring KRB5 on Ubuntu 16.04 using Windows 2012 DCs as KDC. Calling kinit with a service AD account succeeds if the password is provided to kinit's password prompt, but fails when using a keytab file with the very same password. Of course the easiest explanation would be that the password in the keytab file is wrong. But this file is generated automatically and the keytabs generated by the same code are working in another environment. Nevertheless I generated new keytab files manually multiple times and also generated a keytab file on Windows with ktpass (you can provide the password on the command line to ktpass), to rule out any password-related issues. However, the result was always the same: authentication did not work using the keytab files.
I'd guess that this issue may be related to some settings on the Windows DCs, but I don't have a clue where to look.
Successful authentication using the password:
root@my-server / # KRB5_TRACE=/dev/stdout kinit -V service_user :(
Using default cache: /tmp/krb5cc_0
Using principal: service_user@DOMAIN.INT
[3880] 1550161945.213705: Getting initial credentials for service_user@DOMAIN.INT
[3880] 1550161945.213896: Sending request (194 bytes) to DOMAIN.INT
[3880] 1550161945.214051: Sending initial UDP request to dgram 192.168.0.1:88
[3880] 1550161945.215117: Received answer (190 bytes) from dgram 192.168.0.1:88
[3880] 1550161945.215158: Response was from master KDC
[3880] 1550161945.215184: Received error from KDC: -1765328359/Additional pre-authentication required
[3880] 1550161945.215225: Processing preauth types: 16, 15, 19, 2
[3880] 1550161945.215243: Selected etype info: etype aes256-cts, salt "DOMAIN.INTrmcloudmember", params ""
Password for service_user@DOMAIN.INT:
[3880] 1550161955.687314: AS key obtained for encrypted timestamp: aes256-cts/0FBD
[3880] 1550161955.687371: Encrypted timestamp (for 1550161956.151464): plain 301AA011180F32303139303231343136333233365AA1050203024FA8, encrypted 9B8C1FB7CC85C23D0D803DCF2C29655D329628F98C505CEBE8EA1F3353D8D513CFAE25C1E146D74C5C4FE71326FCF12F6ED911FBC2B14FE2
[3880] 1550161955.687398: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[3880] 1550161955.687404: Produced preauth for next request: 2
[3880] 1550161955.687430: Sending request (274 bytes) to DOMAIN.INT
[3880] 1550161955.687522: Sending initial UDP request to dgram 192.168.0.1:88
[3880] 1550161955.695617: Received answer (94 bytes) from dgram 192.168.0.1:88
[3880] 1550161955.695671: Response was from master KDC
[3880] 1550161955.695690: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[3880] 1550161955.695696: Request or response is too big for UDP; retrying with TCP
[3880] 1550161955.695701: Sending request (274 bytes) to DOMAIN.INT (tcp only)
[3880] 1550161955.695731: Initiating TCP connection to stream 192.168.0.1:88
[3880] 1550161955.696053: Sending TCP request to stream 192.168.0.1:88
[3880] 1550161955.697043: Received answer (1831 bytes) from stream 192.168.0.1:88
[3880] 1550161955.697053: Terminating TCP connection to stream 192.168.0.1:88
[3880] 1550161955.697089: Response was from master KDC
[3880] 1550161955.697117: Processing preauth types: 19
[3880] 1550161955.697127: Selected etype info: etype aes256-cts, salt "DOMAIN.INTdomainmember", params ""
[3880] 1550161955.697143: Produced preauth for next request: (empty)
[3880] 1550161955.697152: AS key determined by preauth: aes256-cts/0FBD
[3880] 1550161955.697201: Decrypted AS reply; session key is: aes256-cts/DD7B
[3880] 1550161955.697220: FAST negotiation: unavailable
[3880] 1550161955.697239: Initializing FILE:/tmp/krb5cc_0 with default princ service_user@DOMAIN.INT
[3880] 1550161955.697329: Storing service_user@DOMAIN.INT -> krbtgt/DOMAIN.INT@DOMAIN.INT in FILE:/tmp/krb5cc_0
[3880] 1550161955.697364: Storing config in FILE:/tmp/krb5cc_0 for krbtgt/DOMAIN.INT@DOMAIN.INT: pa_type: 2
[3880] 1550161955.697394: Storing service_user@DOMAIN.INT -> krb5_ccache_conf_data/pa_type/krbtgt/DOMAIN.INT@DOMAIN.INT@X-CACHECONF: in FILE:/tmp/krb5cc_0
Authenticated to Kerberos v5
Failing authentication using a keytab file:
root@my-server / # KRB5_TRACE=/dev/stdout kinit -V -k -t /etc/krb5/service_user.keytab service_user
Using default cache: /tmp/krb5cc_0
Using principal: service_user@DOMAIN.INT
Using keytab: /etc/krb5/service_user.keytab
[3844] 1550161914.505633: Getting initial credentials for service_user@DOMAIN.INT
[3844] 1550161914.505787: Looked up etypes in keytab: des-cbc-crc, des, des-cbc-crc, rc4-hmac, aes256-cts, aes128-cts
[3844] 1550161914.505838: Sending request (194 bytes) to DOMAIN.INT
[3844] 1550161914.505972: Sending initial UDP request to dgram 192.168.0.1:88
[3844] 1550161914.507116: Received answer (190 bytes) from dgram 192.168.0.1:88
[3844] 1550161914.507146: Response was from master KDC
[3844] 1550161914.507170: Received error from KDC: -1765328359/Additional pre-authentication required
[3844] 1550161914.507199: Processing preauth types: 16, 15, 19, 2
[3844] 1550161914.507216: Selected etype info: etype aes256-cts, salt "DOMAIN.INTdomainmember", params ""
[3844] 1550161914.507263: Retrieving service_user@DOMAIN.INT from FILE:/etc/krb5/service_user.keytab (vno 0, enctype aes256-cts) with result: 0/Success
[3844] 1550161914.507280: AS key obtained for encrypted timestamp: aes256-cts/3ABA
[3844] 1550161914.507329: Encrypted timestamp (for 1550161914.976630): plain 301AA011180F32303139303231343136333135345AA10502030EE6F6, encrypted BD37FD997AD3BB56EA1893F99CDCDC7AF49964AC65E686316BE58F545609C3EE15E5753D57B9812794EB480E7F3D2B61613B2F9518DB5841
[3844] 1550161914.507344: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[3844] 1550161914.507353: Produced preauth for next request: 2
[3844] 1550161914.507371: Sending request (274 bytes) to DOMAIN.INT
[3844] 1550161914.507407: Sending initial UDP request to dgram 192.168.0.1:88
[3844] 1550161914.513601: Received answer (156 bytes) from dgram 192.168.0.1:88
[3844] 1550161914.513649: Response was from master KDC
[3844] 1550161914.513665: Received error from KDC: -1765328360/Preauthentication failed
[3844] 1550161914.513684: Preauth tryagain input types: 16, 15, 19, 2
kinit: Preauthentication failed while getting initial credentials
windows active-directory kerberos
asked Feb 21 at 15:43 by dpr, edited Feb 21 at 21:07
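One way to compare the two traces above mechanically, as an added example that is not part of the original post: the Python below reads excerpts copied from the question's two KRB5_TRACE runs and reports whether the AS key tags match and whether the salt the KDC advertised equals the default salt for the principal. The function names and the sample password are hypothetical, and the salt strings are taken at face value as posted.

```python
import hashlib
import re

# Excerpts copied verbatim from the two KRB5_TRACE runs in the question.
PASSWORD_TRACE = '''\
[3880] 1550161945.213705: Getting initial credentials for service_user@DOMAIN.INT
[3880] 1550161955.687314: AS key obtained for encrypted timestamp: aes256-cts/0FBD
[3880] 1550161955.697127: Selected etype info: etype aes256-cts, salt "DOMAIN.INTdomainmember", params ""
[3880] 1550161955.697152: AS key determined by preauth: aes256-cts/0FBD
'''
KEYTAB_TRACE = '''\
[3844] 1550161914.505633: Getting initial credentials for service_user@DOMAIN.INT
[3844] 1550161914.507216: Selected etype info: etype aes256-cts, salt "DOMAIN.INTdomainmember", params ""
[3844] 1550161914.507263: Retrieving service_user@DOMAIN.INT from FILE:/etc/krb5/service_user.keytab (vno 0, enctype aes256-cts) with result: 0/Success
[3844] 1550161914.507280: AS key obtained for encrypted timestamp: aes256-cts/3ABA
[3844] 1550161914.513665: Received error from KDC: -1765328360/Preauthentication failed
'''

PRINC_RE = re.compile(r"Getting initial credentials for (\S+)")
SALT_RE = re.compile(r'Selected etype info: etype (\S+), salt "([^"]*)"')
KEY_RE = re.compile(r"AS key [^:]*: (\S+)/([0-9A-F]+)\s*$")
KEYTAB_RE = re.compile(r"Retrieving \S+ from \S+ \(vno (\d+), enctype ([^)]+)\)")
ERROR_RE = re.compile(r"Received error from KDC: (-?\d+)/(.+)")


def summarize(trace):
    """Pull the principal, advertised salts, AS key tags, keytab entry and KDC errors."""
    info = {"principal": None, "salts": [], "key_tags": set(), "keytab": None, "errors": []}
    for line in trace.splitlines():
        m = PRINC_RE.search(line)
        if m:
            info["principal"] = m.group(1)
        m = SALT_RE.search(line)
        if m:
            info["salts"].append(m.group(2))
        m = KEY_RE.search(line)
        if m:
            info["key_tags"].add(m.group(2))  # short tag the trace prints for the key
        m = KEYTAB_RE.search(line)
        if m:
            info["keytab"] = (int(m.group(1)), m.group(2))
        m = ERROR_RE.search(line)
        if m:
            info["errors"].append((int(m.group(1)), m.group(2).strip()))
    return info


def default_salt(principal):
    """RFC 4120 default salt: the realm followed by the name components, unseparated."""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))


def pbkdf2_stage(password, salt, iterations=4096):
    """First stage of the RFC 3962 AES string-to-key; the final DK step is omitted here."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), iterations, 32)


def diagnose(pw, kt):
    """Compare a password run with a keytab run and list what differs."""
    findings = []
    if pw["key_tags"] and kt["key_tags"] and not (pw["key_tags"] & kt["key_tags"]):
        findings.append(("key-mismatch", "password run key tag %s, keytab run key tag %s"
                         % (sorted(pw["key_tags"]), sorted(kt["key_tags"]))))
    kdc_salt = kt["salts"][-1] if kt["salts"] else None
    expected = default_salt(kt["principal"])
    if kdc_salt is not None and kdc_salt != expected:
        findings.append(("salt-not-default", "KDC advertises salt %r, default salt is %r"
                         % (kdc_salt, expected)))
    if any("Preauthentication failed" in text for _, text in kt["errors"]):
        findings.append(("preauth-failed", "KDC rejected the timestamp made with the keytab key"))
    return findings


if __name__ == "__main__":
    pw, kt = summarize(PASSWORD_TRACE), summarize(KEYTAB_TRACE)
    for code, detail in diagnose(pw, kt):
        print(code + ": " + detail)
    # Same (constructed) password, two salts: the derived key material differs.
    sample = "constructed-sample-password"
    print(pbkdf2_stage(sample, kt["salts"][-1]) != pbkdf2_stage(sample, default_salt(kt["principal"])))
```

A keytab stores the derived key rather than the password, so a keytab entry built with a salt other than the one the KDC advertises fails pre-authentication even when the password is correct.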