
Re: Preauthentication failed



Michael B Allen wrote:

> On Tue, 15 May 2007 14:00:57 +0200
> Florian Erfurth <floh-erfurth@arcor.de> wrote:
> 
>> Hi, I followed the steps described in http://www.grolmsnet.de/kerbtut/.
>> Unfortunately I get an error if I enter the following:
>> >>>
>> -bash-3.00# kinit -k -t /usr/local/etc/apache2/bsdflohkeytab HTTP/BSDfloh.domain.tld
>> kinit: krb5_get_init_creds: Preauthentication failed
>> <<<
>>
>> How can I find out why the preauthentication failed? Could any of
>> you give me a hint as to what could be wrong?
>> 
>> I'm using FreeBSD 6.2 and Windows 2003 is installed as Domain Controller.
>>
> 
> Preauthentication failed ~= bad password
> 
> The key, enctype or version number doesn't match what the Windows KDC
> has. Re-run ktpass.exe and copy the keytab file over again.

See below.

>> PS2: How do I know more from my keytab-file (I need info about kvno,
>> principal name and encryption type)?
> 
> $ ktutil -k keytab list

Thank you very much. Now I was able to check the keytab. I ran the following
commands:

>>>
-bash-3.00# kinit florian.erfurth@DOMAIN.TLD
florian.erfurth@DOMAIN.TLD's Password:
kinit: NOTICE: ticket renewable lifetime is 10 hours
-bash-3.00# kgetcred HTTP/BSDfloh.domain.tld@DOMAIN.TLD
-bash-3.00# klist -v
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: florian.erfurth@DOMAIN.TLD
    Cache version: 4

Server: krbtgt/DOMAIN.TLD@DOMAIN.TLD
Ticket etype: arcfour-hmac-md5, kvno 2
Auth time:  May 18 20:39:28 2007
End time:   May 19 03:19:31 2007
Renew till: May 19 06:39:28 2007
Ticket flags: renewable, initial, pre-authenticated
Addresses: IPv4:192.168.0.120

Server: HTTP/BSDfloh.domain.tld@DOMAIN.TLD
Ticket etype: des-cbc-md5, kvno 3
Auth time:  May 18 20:39:28 2007
Start time: May 18 20:39:31 2007
End time:   May 19 03:19:31 2007
Ticket flags: pre-authenticated
Addresses: IPv4:192.168.0.120

-bash-3.00# ktutil -k bsdflohkeytab list
bsdflohkeytab:

Vno  Type         Principal
  3  des-cbc-md5  HTTP/BSDfloh.domain.tld@DOMAIN.TLD
-bash-3.00# kinit -k -t /usr/local/etc/apache2/bsdflohkeytab HTTP/BSDfloh.domain.tld
kinit: krb5_get_init_creds: Preauthentication failed
-bash-3.00#    
<<<

I hope one of you can point out what is wrong. If I compare the output
of 'ktutil -k bsdflohkeytab list' with 'klist -v', it seems to be ok. Am I
right?
Notice that klist -v says that the ticket flag of the server is
pre-authenticated, so why does preauthentication fail if I try
the command 'kinit -k -t /usr/local/etc/apache2/bsdflohkeytab'? O_o

If I forgot any information necessary for finding my mistake, then please let me
know.

Thank you very much.
cu Floh
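
The comparison done by eye in the message above, as an added example that is not part of the original message: it parses `klist -v` and `ktutil list` output in the Heimdal format shown and reports whether the keytab holds an entry with the kvno and enctype of the service ticket. The function names are hypothetical and the sample text is copied from the session above; a kvno/enctype match does not show that the key bytes in the keytab equal the key the KDC holds.

```shell
#!/bin/sh
# Added example: compare the kvno/enctype of a service ticket (klist -v)
# with the keytab entries for the same principal (ktutil list).

# Sample text copied from the session in the message above.
KLIST_OUT='Server: krbtgt/DOMAIN.TLD@DOMAIN.TLD
Ticket etype: arcfour-hmac-md5, kvno 2

Server: HTTP/BSDfloh.domain.tld@DOMAIN.TLD
Ticket etype: des-cbc-md5, kvno 3'

KTUTIL_OUT='bsdflohkeytab:

Vno  Type         Principal
  3  des-cbc-md5  HTTP/BSDfloh.domain.tld@DOMAIN.TLD'

# Print "<kvno> <etype>" of the ticket for principal $1 in klist text $2.
ticket_key() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "Server:" { cur = $2 }
        $1 == "Ticket" && $2 == "etype:" && cur == p {
            sub(/,$/, "", $3); print $5, $3; exit }'
}

# Print "<kvno> <etype>" for each entry of principal $1 in ktutil text $2.
keytab_keys() {
    printf '%s\n' "$2" |
        awk -v p="$1" '$1 ~ /^[0-9]+$/ && $3 == p { print $1, $2 }'
}

# Return 0 if a keytab entry carries the ticket's kvno and etype, 1 if not,
# 2 if the credentials cache text has no ticket for the principal.
check_keytab() {
    want=$(ticket_key "$1" "$2")
    [ -n "$want" ] || { echo "no ticket for $1"; return 2; }
    if keytab_keys "$1" "$3" | grep -Fqx "$want"; then
        echo "match: kvno/etype $want"
    else
        have=$(keytab_keys "$1" "$3" | tr '\n' ';')
        echo "mismatch: KDC issued $want, keytab has: $have"
        return 1
    fi
}

check_keytab 'HTTP/BSDfloh.domain.tld@DOMAIN.TLD' "$KLIST_OUT" "$KTUTIL_OUT"
```

On a live system the two text arguments would come from `klist -v` and `ktutil -k <keytab> list` instead of the embedded samples.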