So far my attempt to ask it to the community :-)
But I think I finally managed to find the explanation.
So in case someone else ever has the same problem, searches why and
stumbles onto this page...
The kadmin-protocol that differs between the heimdal-implementation used
in Mac OS and the MIT-i
kadmin is not involved with ticket renewal or delegation.
More likely MacOSX GSSAPI implementation requests a forwardable TGT that
is not renewable and then forwards that one to the remote server.
It is not a bad idea to limit forwarded tickets that way.
Simo.
On Thu, 2016-10-27 at 13:37 +0200, v
Hi Todd,
Thanks I tried enabling the AES256 checkbox but that didn't fix the problem.
Also, I checked other users and they don't have that checkbox clicked - so it
isn't the issue.
Any more thoughts as to what could be causing this 1 user to not be able to use
a keytab?
Thanks,
Thomas
You have to change the password after setting the checkbox; was that
done?
On Thu, Oct 27, 2016 at 9:23 AM, Thomas Beaudry wrote:
> Hi Todd,
>
>
> Thanks I tried enabling the AES256 checkbox but that didn't fix the
> problem. Also, I checked other users and they don't have that checkbox
> cl
Generally that is indicating the password is wrong or the key type is
failing from my experience, perhaps other folks can comment. To
troubleshoot this you would review and apply the content from these things.
So be clear. You have
1) set the 256 Permit AES-256 key type checkbox on that entry
2
Perfect. Good to hear, strange you can't get AES working... if you ended up
needing to troubleshoot that at some point, those links are the toolkits
for digging deeper into what's failing. There should be an updated version
of that KB for the diff Windows AD KDC releases as well.
On Thu, Oct 27, 20
Hi Todd,
Yes, I changed the password. Still the same problem.
thanks!
Thomas
From: Todd Grayson
Sent: Thursday, October 27, 2016 11:25 AM
To: Thomas Beaudry
Cc: kerberos@mit.edu
Subject: Re: .kinit: Preauthentication failed while getting initial credentials
Hi Todd,
So I got it to work by switching the encryption type. In case anyone is wondering,
I used: addent -password -p ${user} -k 1 -e rc4-hmac
Thank you so much for your help - I really didn't know where to look to start
off with.
Have a great day!
Thomas
Thomas Beaudry writes:
> So I got it to work by switching the encryption type. In case anyone is
> wondering, I used: addent -password -p ${user} -k 1 -e rc4-hmac
It's possible that the problem is related to password salting. (The RC4
enctype has no salt, but the AES ones do.) We've observed th
Interesting Tom, We'll review that as well, I've added one of our team
members working with this in field to the discussion as well.
Thomas, what version of Active Directory are you working with in
your attempts to get this functioning with AES?
On Thu, Oct 27, 2016 at 10:53 AM, Tom Yu