On 01/10/2018 11:03 AM, lejeczek wrote:
> krb5kdc[606061](info): preauth (encrypted_timestamp) verify
> failure: Preauthentication failed
One would normally see this error if the wrong key or password was used
to authenticate. So there might be a mismatch between the keytab file
on the initiating
Didn't see the original thread... but guessing as to the issue;
IPA w. ipaclient uses aes256-cts-sha-96 with random salt to encrypt session
keys and principals keytabs.
Things that generate a keytab using ktutil for example will fail, it does
not take the random salt string as part of the 'addent
Hello Ben,
Thanks for your advice.
I understand it much better now.
I'm getting a token back from the KDC - it's a huge encrypted string.
I need to incorporate that into my HTTP request. I'm thinking whether
I'll get through the authentication by adding this to the HTTP header.
The HTTP headers
If you need to use Kerberos over HTTP you should probably look at
existing projects and reuse those; look for mod_auth_gssapi (C module
for Apache) or requests-gssapi (Python module that uses python-gssapi
for python-requests) and other similar efforts.
They all implement the SPNEGO RFCs: 4178, 4559
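
Added example, not from the thread or from the projects named in it: under RFC 4559 the client's token travels as "Authorization: Negotiate <base64>", and its leading bytes show which mechanism was offered, which a server-side check or log filter can use. Function and sample names are hypothetical, the tokens are constructed, and the NTLM case goes slightly beyond the post (a client may send a raw NTLM message under the same scheme).

```python
import base64

# DER-encoded mechanism OIDs (tag 0x06, length, value bytes).
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2

# Constructed sample tokens: only the leading bytes are realistic.
SAMPLE_SPNEGO = b"\x60\x0a" + SPNEGO_OID + b"\xa0\x00"
SAMPLE_KRB5 = b"\x60\x82\x01\x00" + KRB5_OID + b"\x01\x00"
SAMPLE_NTLM = b"NTLMSSP\x00\x01\x00\x00\x00"


def make_header(token):
    """Build the Authorization header value RFC 4559 defines."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def classify_negotiate(header_value):
    """Return 'not-negotiate', 'malformed', 'ntlm', 'spnego', 'kerberos' or 'unknown'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    if len(token) < 2:
        return "malformed"
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm"  # raw NTLM message, no Kerberos involved
    if token[0] != 0x60:
        return "unknown"  # not a GSS-API initial context token
    # Skip the DER length: short form is 1 byte, long form is 1 + n bytes.
    oid_at = 2 if token[1] < 0x80 else 2 + (token[1] & 0x7F)
    if token.startswith(SPNEGO_OID, oid_at):
        return "spnego"
    if token.startswith(KRB5_OID, oid_at):
        return "kerberos"
    return "unknown"


if __name__ == "__main__":
    for sample in (SAMPLE_SPNEGO, SAMPLE_KRB5, SAMPLE_NTLM):
        header = make_header(sample)
        print(header, "->", classify_negotiate(header))
```
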
Thank you Simo.
Can you please tell me how to check if my environment is Kerberos compliant?
I'm working on Sun Solaris 10 and I can do kinit, klist, kdestroy, there is a
/etc/krb5/krb5.conf
Does this tell me if the environment has been Kerberized?
Thank you
Imanuel.
Hi,
I'm running a FreeIPA domain and started to authenticate my road warrior
laptop with kdcproxy. I've changed krb5.conf:
,----
| dns_lookup_realm = true
| dns_lookup_kdc = false
| ...
| kdc = https://kdcproxy.example.org/KdcProxy
`----
When I run kinit on my Ubuntu 17.10 laptop I get:
# K