Hi, I have a strange (for me?) situation using an MIT KDC together with a Heimdal client in a PKINIT/FAST scenario.
STEP 1, client side:

  kinit --anonymous
  klist -v

  Credentials cache: FILE:/tmp/krb5cc_1000
  Principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
  Cache version: 4

  Server: krbtgt/idm....@idm.crp
  Client: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
  Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
  Ticket length: 273
  Auth time: Nov 2 10:30:45 2017
  End time: Nov 3 10:30:45 2017
  Ticket flags: anonymous, enc-pa-rep, pre-authent, initial, forwardable
  Addresses: addressless

MIT KDC side, krb5kdc.log:

  Nov 02 09:43:41 ipa31.idm.crp krb5kdc[1932](info): AS_REQ (6 etypes {18 17 20 19 16 23}) 2001:67c:2X70:20X0:d5de:47fa:4de1:b0e7: ISSUE: authtime 1509612221, etypes {rep=18 tkt=18 ses=18}, WELLKNOWN/anonym...@idm.crp for krbtgt/idm....@idm.crp

I guess everything is fine.

STEP 2, client:

  kinit --cache=FILE:/tmp/krb5cc_1000 a...@idm.crp
  a...@idm.crp's Password: passwordOTP
  kinit: Password incorrect

KDC log:

  Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
  Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth ... <cut 6 rows with the same content> (encrypted_timestamp) verify failure: Preauthentication failed
  Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): AS_REQ (6 etypes {18 17 20 19 16 23}) 2001:67c:2370:2080:d5de:47fa:4de1:b0e7: PREAUTH_FAILED: a...@idm.crp for krbtgt/idm....@idm.crp, Preauthentication failed

My thoughts: ... something wrong with etypes, DH size or ...
- set pkinit_dh_min_bits = 1024 on the server/client, because Heimdal can't use MIT's default of 2048-bit DH
- tried allow_weak_crypto, without success

Package versions: MIT 1.15.1 (CentOS 7, FreeIPA 4.5.0 bundle), Heimdal 7.1.0 (Debian 9 based); I also tried 7.4 with the same result.

An MIT KDC and an MIT client in the same environment work well enough.

Thanks a lot for your time reading my big message, and for any possible ideas.
Oleksandr Yermolenko
network/systems engineer
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
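As an added example (not part of the original post, and not code from MIT Kerberos, Heimdal or FreeIPA), here is a small Python parser for the two kinds of krb5kdc.log lines quoted in the message. It pairs each AS_REQ result line with the `preauth (...) verify failure` lines the KDC logged immediately before it, decodes the etype numbers the client offered, and reports which preauth module rejected the request and whether the same client address appears in both exchanges. That is the first thing worth checking in a log like the one above: the module name inside `preauth (...)` tells you which preauth path the KDC actually took for that AS_REQ. The sample log is constructed to mirror the posted lines; the principal alice@IDM.CRP, the realm IDM.CRP and the address 2001:db8::1 are placeholders, not values from the post.

```python
"""Summarise MIT krb5kdc.log AS_REQ outcomes with the preauth failures that led to them.

Added example, not code from the original post or from MIT/Heimdal.
"""
import re
from dataclasses import dataclass, field

# Encryption type numbers as the KDC prints them (RFC 3961, RFC 4757, RFC 8009).
ETYPE_NAMES = {
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    23: "rc4-hmac",
}

_PREFIX = r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\(info\): "
AS_REQ_RE = re.compile(
    _PREFIX
    + r"AS_REQ \(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<addr>\S+): "
    + r"(?P<outcome>[A-Z_]+): (?P<rest>.*)$"
)
PREAUTH_RE = re.compile(_PREFIX + r"preauth \((?P<mech>[^)]+)\) verify failure: (?P<reason>.*)$")
PRINC_RE = re.compile(r"(?P<client>\S+) for (?P<server>[^,\s]+)")


@dataclass
class AsRequest:
    ts: str
    addr: str
    client: str
    server: str
    outcome: str          # ISSUE, PREAUTH_FAILED, ...
    client_etypes: list   # etype numbers the client offered, in its preference order
    failed_mechs: list = field(default_factory=list)  # preauth modules that rejected it


def etype_names(numbers):
    """Map etype numbers to names; unknown numbers are kept as 'etype-N'."""
    return [ETYPE_NAMES.get(n, f"etype-{n}") for n in numbers]


def parse_kdc_log(text):
    """One AsRequest per AS_REQ line. krb5kdc logs each preauth module's verify
    failure before the AS_REQ summary line of the same request, so failures are
    buffered until that summary line arrives."""
    events, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = PREAUTH_RE.match(line)
        if m:
            pending.append(m.group("mech"))
            continue
        m = AS_REQ_RE.match(line)
        if not m:
            continue
        p = PRINC_RE.search(m.group("rest"))
        events.append(AsRequest(
            ts=m.group("ts"),
            addr=m.group("addr"),
            client=p.group("client") if p else "?",
            server=p.group("server") if p else "?",
            outcome=m.group("outcome"),
            client_etypes=[int(n) for n in m.group("etypes").split()],
            failed_mechs=pending,
        ))
        pending = []
    return events


def diagnose(ev):
    """Observations about one AS exchange, derived only from what the log records."""
    notes = []
    if ev.outcome == "ISSUE" and ev.client.startswith("WELLKNOWN/ANONYMOUS@"):
        notes.append("anonymous TGT issued (usable as a FAST armor ticket)")
    if ev.outcome == "PREAUTH_FAILED":
        mechs = sorted(set(ev.failed_mechs))
        if mechs == ["encrypted_timestamp"]:
            notes.append("only the encrypted_timestamp preauth module rejected this request; "
                         "no OTP or other preauth module is logged for it")
        elif mechs:
            notes.append("preauth modules rejecting the request: " + ", ".join(mechs))
    weak = [n for n in ev.client_etypes if n in (16, 23)]
    if weak:
        notes.append("client also offered legacy etypes: " + ", ".join(etype_names(weak)))
    return notes


# Constructed sample modelled on the posted log. alice@IDM.CRP, IDM.CRP and
# 2001:db8::1 are placeholders, not values from the post.
SAMPLE_LOG = """\
Nov 02 09:43:41 ipa31.idm.crp krb5kdc[1932](info): AS_REQ (6 etypes {18 17 20 19 16 23}) 2001:db8::1: ISSUE: authtime 1509612221, etypes {rep=18 tkt=18 ses=18}, WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS for krbtgt/IDM.CRP@IDM.CRP
Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): AS_REQ (6 etypes {18 17 20 19 16 23}) 2001:db8::1: PREAUTH_FAILED: alice@IDM.CRP for krbtgt/IDM.CRP@IDM.CRP, Preauthentication failed
"""

if __name__ == "__main__":
    for ev in parse_kdc_log(SAMPLE_LOG):
        print(f"{ev.ts} {ev.outcome:<14} {ev.client} -> {ev.server} from {ev.addr}")
        print("  offered etypes:", ", ".join(etype_names(ev.client_etypes)))
        for note in diagnose(ev):
            print("  note:", note)
```

Run it against a real krb5kdc.log (`parse_kdc_log(open("/var/log/krb5kdc.log").read())`) after reproducing the two kinit steps; the interesting fields for this thread are `failed_mechs` of the PREAUTH_FAILED event and whether `addr` matches between the anonymous ISSUE and the failed request.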