On 11/02/2017 05:06 AM, Oleksandr Yermolenko wrote:
> I have a strange (for me?) situation using MIT KDC together with
> Heimdal client. PKINIT/FAST scenario.

I don't believe Heimdal implements FAST OTP.

> kinit --cache=FILE:/tmp/krb5cc_1000 a...@idm.crp
> a...@idm.crp's Password: passwordOTP
> kinit: Password incorrect
>
> KDC log:
> Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth
> (encrypted_timestamp) verify failure: Preauthentication failed
> Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth

It looks like the Heimdal client is trying to do encrypted timestamp (not
encrypted challenge, so I'm not sure the client is even using FAST with
these options) against whatever long-term keys you have on the client
principal entry. You might want to remove those (with kadmin purgekeys
-all) so that the KDC doesn't offer encrypted timestamp/encrypted
challenge.

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
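The diagnosis in the reply rests on reading which preauth mechanism the KDC reports in its `preauth (...) verify failure:` lines. The script below is an added example, not code from the thread or from MIT krb5: it parses krb5kdc log lines in the format quoted above, tallies verify failures per mechanism, and flags mechanisms that a deployment intending PKINIT/OTP would not expect to see (an `encrypted_timestamp` failure means the client fell back to password-based preauth against long-term keys, which is what the reply describes). The sample log is constructed here; the first line is the one from the post re-joined after the mail wrap, and the other lines are invented to exercise the aggregation.

```python
"""Summarise krb5kdc preauth verify failures by mechanism (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample input modelled on the log format quoted in the thread.
# Line 1 is the post's own line (re-joined); the rest are constructed here.
SAMPLE_LOG = """\
Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Nov 02 09:45:56 ipa31.idm.crp krb5kdc[1932](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Nov 02 09:46:10 ipa31.idm.crp krb5kdc[1932](info): preauth (encrypted_challenge) verify failure: Preauthentication failed
Nov 02 09:47:02 ipa31.idm.crp krb5kdc[1932](info): preauth (pkinit) verify failure: Client lacks a PKINIT certificate
Nov 02 09:47:03 ipa31.idm.crp krb5kdc[1932](info): closing down fd 12
"""

# Syslog-style prefix: "Mon DD HH:MM:SS host krb5kdc[pid](level): message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<msg>.*)$"
)
# Message body emitted by the KDC when a preauth mechanism rejects the request.
PREAUTH_RE = re.compile(
    r"^preauth \((?P<mech>[^)]+)\) verify failure: (?P<reason>.*)$"
)


def parse_line(line):
    """Return a dict of the line's fields, or None if it is not a krb5kdc line.

    'mech' and 'reason' are filled only for preauth verify failures.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    pm = PREAUTH_RE.match(rec["msg"])
    rec["mech"] = pm.group("mech") if pm else None
    rec["reason"] = pm.group("reason") if pm else None
    return rec


def preauth_failures(text):
    """Return ({mechanism: failure_count}, {mechanism: sorted distinct reasons})."""
    counts = Counter()
    reasons = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["mech"]:
            counts[rec["mech"]] += 1
            reasons[rec["mech"]].add(rec["reason"])
    return dict(counts), {k: sorted(v) for k, v in reasons.items()}


def unexpected_mechanisms(counts, expected):
    """Mechanisms with failures that are not in the set the deployment intends to offer.

    For a PKINIT/OTP-only realm, failures on encrypted_timestamp or
    encrypted_challenge indicate a client falling back to long-term keys.
    """
    return sorted(m for m in counts if m not in expected)


if __name__ == "__main__":
    counts, reasons = preauth_failures(SAMPLE_LOG)
    for mech, n in sorted(counts.items()):
        print(f"{mech:22s} {n:3d}  {'; '.join(reasons[mech])}")
    print("unexpected:", unexpected_mechanisms(counts, {"pkinit"}))
```

Feed it the KDC log (`journalctl -u krb5kdc` or the file named by `kdc_logfile`) instead of `SAMPLE_LOG` to see which mechanisms clients are actually attempting; a non-empty `unexpected_mechanisms` result for a realm that is meant to be PKINIT-only is the condition the reply's `purgekeys` advice addresses.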