
I'm on Ubuntu 22.04 which is joined to an Active Directory 2016 by sssd. I have access to several network resources through Kerberos: file shares, Oracle and Postgres databases. All is good. But I also want to be able to access these resources from a cron job.

I hope to be able to do that with a keytab and k5start. But I cannot get the keytab to work.

I detect the relevant kvno using

kinit -c filex
kvno -c filex  krbtgt/XXX.LOCAL@XXX.LOCAL

It is 3. Then I create my keytab using ktutil (addent prompts for my password).

ktutil
addent -password -p yyy@XXX.LOCAL -k 3 -e aes256-cts
wkt ./yyy.keytab
quit

Testing the keytab with

kinit -c filex -k -t keytab yyy@XXX.LOCAL

results in

kinit: Preauthentication failed while getting initial credentials

Google tells me this means the password is incorrect, but it is not.

Am I doing anything wrong?

  • It's not enough to detect just the kvno – for AES you also have to detect the key salt, which is usually _but not always_ the account@REALM, e.g. if the account is renamed, its keys remain unchanged meaning the keysalt is still based on the _old_ name. Make sure to use the `-f` option to addent so that it always derives the key correctly. – user1686 Jul 23 '22 at 10:20
  • @user1686, Thank you for this. I am not sure I quite follow you. Does addent have a -f option? Could you elaborate, please. – Niels Jespersen Jul 24 '22 at 11:42

1 Answer


The answer to my own question is that you have to be very careful with case when specifying the username (principal name). The case of the username must match the case of the sAMAccountName in Active Directory. In my example, I specified yyy@XXX.LOCAL, when in fact it should have been YYY@XXX.LOCAL, both when creating the keytab and when using it.
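Before blaming the password, it helps to see what the keytab actually holds. The following added Python example (not code from the question or the answer) parses the MIT keytab format that ktutil writes (version 0x0502 is assumed), lists the principal, kvno and enctype of each entry, and flags principals that differ from the sAMAccountName only by case; the sample keytab bytes are constructed inside the script rather than taken from the poster's yyy.keytab.

```python
# Added example, not code from the question or answer: read an MIT 0x0502 keytab and
# list the principal, kvno and enctype each entry really stores, then flag case mismatches.
import struct
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def build_keytab(entries):
    """Write 0x0502 keytab bytes from (principal, kvno, enctype, key) tuples.
    Used here only to construct sample input; ktutil normally writes the file."""
    out = bytearray(b"\x05\x02")
    for princ, kvno, etype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:                       # realm first, then name components
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, timestamp (constructed 0), vno8
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)                  # optional 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data):
    """Return one dict (principal, kvno, enctype) per live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size <= 0:                                    # negative size marks a deleted slot
            pos -= size; continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        strs = []
        for _ in range(ncomp + 1):                       # realm, then components
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            strs.append(data[pos:pos + n].decode()); pos += n
        _nt, _ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(strs[1:]) + "@" + strs[0],
                        "kvno": kvno, "enctype": ENCTYPES.get(etype, str(etype))})
        pos = end
    return entries

def case_mismatches(entries, sam_account_name, realm):
    """Principals equal to sAMAccountName@REALM except for case: the post's failure mode."""
    want = f"{sam_account_name}@{realm}"
    return [e["principal"] for e in entries
            if e["principal"] != want and e["principal"].lower() == want.lower()]
```

Run `parse_keytab(open("yyy.keytab", "rb").read())` against a real file to confirm the stored principal case and kvno match what `kvno` reported; `klist -kt` shows the same information, but the parser also lets you check the case programmatically from a cron job.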