You have to change the password after setting the checkbox... Was that done?

On Thu, Oct 27, 2016 at 9:23 AM, Thomas Beaudry <thomas.beau...@concordia.ca> wrote:

> Hi Todd,
>
> Thanks, I tried enabling the AES256 checkbox but that didn't fix the
> problem. Also, I checked other users and they don't have that checkbox
> clicked - so it isn't the issue.
>
> Any more thoughts as to what could be causing this 1 user to not be able
> to use a keytab?
>
> Thanks,
>
> Thomas
> ------------------------------
> *From:* Todd Grayson <tgray...@cloudera.com>
> *Sent:* Wednesday, October 26, 2016 4:20 PM
> *To:* Thomas Beaudry
> *Cc:* kerberos@mit.edu
> *Subject:* Re: .kinit: Preauthentication failed while getting initial
> credentials
>
> No, in that case, forget the kvno, it is not going to come out correctly
> that way.
>
> It's for when you export the keytab from the KDC; in AD contexts like you
> are describing it becomes an invalid data point.
>
> On AD, verify the entry in the AD Users and Computers GUI, set the user
> entry to allow AES-256 and change the password for the user so you have a
> valid representation of the password on the AD side for your keytab's
> AES256. If you right click on the users and go into properties it's a
> selection list of checkboxes in one of the tabs in the GUI for the user
> entry edit.
>
> That or don't pick aes256 for what you are setting up on the keytab,
> depending on the AD version you might have issues (e.g. if AD 2003 was in
> use)
>
> On Wed, Oct 26, 2016 at 12:52 PM, Thomas Beaudry <
> thomas.beau...@concordia.ca> wrote:
>
>> Hi Todd,
>>
>> Thanks for answering. It's a Windows AD. I'm using ktutil to create
>> the keytab:
>>
>> addent -password -p perform-admin -k 1 -e aes256-cts-hmac-sha1-96
>>
>> I'll look into the kvno.
>>
>> Thomas
>>
>> ------------------------------
>> *From:* Todd Grayson <tgray...@cloudera.com>
>> *Sent:* Wednesday, October 26, 2016 2:48 PM
>> *To:* Thomas Beaudry
>> *Cc:* kerberos@mit.edu
>> *Subject:* Re: .kinit: Preauthentication failed while getting initial
>> credentials
>>
>> Is the KDC MIT? AD? Assuming MIT KDC:
>>
>> Use the kvno command to evaluate what the KDC thinks is current, vs klist
>> -kte .perform-admin.keytab
>>
>> Verify the kvno (key version number) matches up from the keytab to what
>> the KDC states is the current version. Kinit as a working user first from
>> the CLI, then attempt the kvno against the principal associated with the
>> keytab that is failing.
>>
>> What is the command line you are using to export keytabs? The default
>> behavior is to randomize the key each export unless you specifically tell
>> it not to with -norandkey
>>
>> http://krbdev.mit.edu/rt/Ticket/History.html?id=914
>>
>> Use -norandkey when exporting a keytab to prevent the key from being
>> changed...
>>
>> On Wed, Oct 26, 2016 at 12:20 PM, Thomas Beaudry <
>> thomas.beau...@concordia.ca> wrote:
>>
>>> Hi Everyone,
>>>
>>> I am running into a strange problem. I cannot get a Kerberos ticket
>>> when using a keytab, but for 1 specific user only:
>>>
>>> This is the command I use:
>>>
>>> > kinit perform-admin -kt .perform-admin.keytab
>>>
>>> kinit: Preauthentication failed while getting initial credentials
>>>
>>> Now if I do:
>>>
>>> kinit
>>>
>>> then I get prompted for a password, and then a ticket is created.
>>>
>>> Like I said, I can use a keytab for every other user and it does work, it
>>> is only for this 1 specific user that it fails. I have also tried creating
>>> new keytabs for this user but it still fails. I don't know if I have this
>>> problem because it's the same user that I used to join the REALM in the
>>> first place..
>>>
>>> Any thoughts?
>>>
>>> Thanks!
>>> Thomas Beaudry
>>> ________________________________________________
>>> Kerberos mailing list Kerberos@mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>
>> --
>> Todd Grayson
>> Business Operations Manager
>> Customer Operations Engineering
>> Security SME
>>
>
> --
> Todd Grayson
> Business Operations Manager
> Customer Operations Engineering
> Security SME
>

--
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos