
Re: Preauthentication failed



Have you tried to create a keytab with rc4? There is no longer a need to
use DES.

Markus

"Florian Erfurth" <floh-erfurth@arcor.de> wrote in message
news:f2l6so$ke1$1@sea.gmane.org...
> Michael B Allen wrote:
>
>> On Tue, 15 May 2007 14:00:57 +0200
>> Florian Erfurth <floh-erfurth@arcor.de> wrote:
>>
>>> Hi, I followed the steps described in http://www.grolmsnet.de/kerbtut/.
>>> Unfortunately I get an error if I enter the following:
>>> >>>
>>> -bash-3.00# kinit -k -t /usr/local/etc/apache2/bsdflohkeytab HTTP/BSDfloh.domain.tld
>>> kinit: krb5_get_init_creds: Preauthentication failed
>>> <<<
>>>
>>> How can I find out why the preauthentication failed? Could any of
>>> you give me a hint as to what could be wrong?
>>>
>>> I'm using FreeBSD 6.2 and Windows 2003 is installed as Domain Controller.
>>>
>>
>> Preauthentication failed ~= bad password
>>
>> The key, enctype or version number doesn't match what the Windows KDC
>> has. Re-run ktpass.exe and copy the keytab file over again.
>
> See below.
>
>>> PS2: How do I know more from my keytab-file (I need info about kvno,
>>> principal name and encryption type)?
>>
>> $ ktutil -k keytab list
>
> Thank you very much. Now I was able to check the keytab. I ran the following
> commands:
>
> >>>
> -bash-3.00# kinit florian.erfurth@DOMAIN.TLD
> florian.erfurth@DOMAIN.TLD's Password:
> kinit: NOTICE: ticket renewable lifetime is 10 hours
> -bash-3.00# kgetcred HTTP/BSDfloh.domain.tld@DOMAIN.TLD
> -bash-3.00# klist -v
> Credentials cache: FILE:/tmp/krb5cc_0
>        Principal: florian.erfurth@DOMAIN.TLD
>    Cache version: 4
>
> Server: krbtgt/DOMAIN.TLD@DOMAIN.TLD
> Ticket etype: arcfour-hmac-md5, kvno 2
> Auth time:  May 18 20:39:28 2007
> End time:   May 19 03:19:31 2007
> Renew till: May 19 06:39:28 2007
> Ticket flags: renewable, initial, pre-authenticated
> Addresses: IPv4:192.168.0.120
>
> Server: HTTP/BSDfloh.domain.tld@DOMAIN.TLD
> Ticket etype: des-cbc-md5, kvno 3
> Auth time:  May 18 20:39:28 2007
> Start time: May 18 20:39:31 2007
> End time:   May 19 03:19:31 2007
> Ticket flags: pre-authenticated
> Addresses: IPv4:192.168.0.120
>
> -bash-3.00# ktutil -k bsdflohkeytab list
> bsdflohkeytab:
>
> Vno  Type         Principal
>  3  des-cbc-md5  HTTP/BSDfloh.domain.tld@DOMAIN.TLD
> -bash-3.00# kinit -k -t /usr/local/etc/apache2/bsdflohkeytab HTTP/BSDfloh.domain.tld
> kinit: krb5_get_init_creds: Preauthentication failed
> -bash-3.00#
> <<<
>
> I hope one of you can point out what is wrong. If I compare the output
> of 'ktutil -k bsdflohkeytab list' with 'klist -v', it seems to be ok. Am I
> right?
> Notice that klist -v says that the ticket flag of the server is
> pre-authenticated, so why does preauthentication fail if I try with
> the command 'kinit -k -t /usr/local/etc/apache2/bsdflohkeytab'? O_o
>
> If I forgot some necessary information for finding out my fault, then let
> me know, please.
>
> Thank you very much.
> cu Floh
>
>
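
Added example, not part of any post in this thread: the by-eye comparison of `klist -v` against `ktutil list`, automated in Python. Michael's reply names three candidates (key, enctype, version number); when the last two agree, as they do here, the key value itself is what is left. The sample text is constructed from the session quoted above, the function names are hypothetical, and the parsing assumes the Heimdal output layout shown in the thread.

```python
import re

# Constructed sample input, taken from the session quoted in this thread.
KLIST_V = """\
Server: krbtgt/DOMAIN.TLD@DOMAIN.TLD
Ticket etype: arcfour-hmac-md5, kvno 2

Server: HTTP/BSDfloh.domain.tld@DOMAIN.TLD
Ticket etype: des-cbc-md5, kvno 3
"""
KTUTIL_LIST = """\
bsdflohkeytab:

Vno  Type         Principal
 3  des-cbc-md5  HTTP/BSDfloh.domain.tld@DOMAIN.TLD
"""

def parse_klist(text):
    """Map server principal -> (etype, kvno) from Heimdal 'klist -v' output."""
    tickets, server = {}, None
    for line in text.splitlines():
        if line.startswith("Server:"):
            server = line.split(":", 1)[1].strip()
        m = re.match(r"Ticket etype:\s*([\w-]+),\s*kvno\s+(\d+)", line)
        if m and server:
            tickets[server] = (m.group(1), int(m.group(2)))
    return tickets

def parse_ktutil(text):
    """Return [(kvno, etype, principal)] from Heimdal 'ktutil list' output."""
    rows = re.findall(r"^\s*(\d+)\s+([\w-]+)\s+(\S+@\S+)\s*$", text, re.M)
    return [(int(v), e, p) for v, e, p in rows]

def diagnose(principal, klist_text, ktutil_text):
    """Compare what the KDC issued against what the keytab holds."""
    issued = parse_klist(klist_text).get(principal)
    if issued is None:
        return "no service ticket for principal in cache"
    entries = [(v, e) for v, e, p in parse_ktutil(ktutil_text) if p == principal]
    if not entries:
        return "principal not in keytab"
    etype, kvno = issued
    if (kvno, etype) in entries:
        return "kvno and enctype match; key value is the remaining suspect"
    if not any(e == etype for _, e in entries):
        return "enctype mismatch"
    return "kvno mismatch"

if __name__ == "__main__":
    print(diagnose("HTTP/BSDfloh.domain.tld@DOMAIN.TLD", KLIST_V, KTUTIL_LIST))
```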