
I have a CentOS 6.4 that someone set up a while back.

The admin is not sure how he installed it, but it works very well with Kerberos. I used authconfig to set the domain and the Kerberos settings.

I use ktpass on a Windows domain controller and transferred the keytab. kinit -k works fine and I can use it for nfsv4 Kerberos mounts.

This is all pretty standard.

My problem is I have a customer that installed 6.7 with a base install and we cannot get kinit to work correctly.

We set these RPMs.

$ yum install krb5-libs krb5-workstation pam_krb5 \
       cyrus-sasl-gssapi samba-* nfs-utils nfs4-acl-tools tcpdump -y

Each attempt to get the system to pick up a TGT returns the generic:

$ kinit -k nfs/oldlabsystem
kinit: Preauthentication failed while getting initial credentials

I went back and installed 6.4 in the same way and now 6.4 has the problem. I pulled a list of the rpms from my working 6.4 and used yum to install the same RPMs.

No luck here.

A network trace shows:

AS-REQ
AS-REP error-code: eRR-PREAUTH-REQUIRED (25)
AS-REQ
error-code: eRR-PREAUTH-FAILED (24)

I went back and created new keys for my working system to make sure my method of generating the keys was correct. My working 6.4 system has no problem.

On the non-working 6.4 system, I can do a kinit username and supply the user password with no problem. But I cannot do a kinit -k. If I do a kinit and supply the password set with kpass, I end up with

kinit: Preauthentication failed while getting initial credentials

In frustration I went back and created a user account and then generated a keytab from it. This also failed with the same error. Then on the user account in AD I turned off pre-authentication and then the kinit returned this.

[root@ ~]# kinit -k nfs/nfstestsystem.rockies.beta
kinit: Password incorrect while getting initial credentials

I suspect the keytab is somehow getting corrupted or the OS is using the keys incorrectly.

My problem is these errors are so generic it is almost impossible to find anything of value on the message boards: lab-admin-krb5.

I tried to post these questions on the CentOS forums, but I did not get very far.

An strace of both kinit shows essentially the same calls to the same libraries.

slm
krb-admin
  • I think this may be a problem with ktpass. I can take the working keys and put them on the non-working system. This would rule out Linux. – krb-admin Mar 04 '16 at 22:15

1 Answer

  1. list out the keytab with klist and paste it here

  2. show us get_principal output - do you have pre authentication set?

  3. show us the kdc logs

This will clarify your issue.

jouell
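For step 1 of the answer and the question's suspicion that the keytab is corrupted, a small parser can show what a keytab file actually contains and flag entries whose key length does not match the enctype. This is an added example, not part of the original posts; it assumes the MIT keytab version 0x0502 layout, and the realm EXAMPLE.TEST, the key bytes and all function names are constructed for illustration.

```python
import struct

# enctype number -> (name, expected key length in bytes)
ENCTYPES = {3: ("des-cbc-md5", 8), 17: ("aes128-cts-hmac-sha1-96", 16),
            18: ("aes256-cts-hmac-sha1-96", 32), 23: ("arcfour-hmac", 16)}

def parse_entry(e):
    """Decode one entry body into (principal, kvno, enctype name, problem or None)."""
    ncomp, off, parts = struct.unpack_from(">H", e)[0], 2, []
    for _ in range(ncomp + 1):             # realm first, then each name component
        (n,) = struct.unpack_from(">H", e, off)
        parts.append(e[off + 2:off + 2 + n].decode("utf-8", "replace"))
        off += 2 + n
    kvno, etype, keylen = struct.unpack_from(">BHH", e, off + 8)  # skip name type + timestamp
    off += 13 + keylen
    if len(e) - off >= 4:                  # optional 32-bit kvno overrides the 8-bit one
        kvno = struct.unpack_from(">I", e, off)[0] or kvno
    name, want = ENCTYPES.get(etype, ("etype-%d" % etype, None))
    problem = ("key runs past end of entry" if off > len(e) else
               "key is %d bytes, expected %d" % (keylen, want) if want and keylen != want else None)
    return ("/".join(parts[1:]) + "@" + parts[0], kvno, name, problem)

def parse_keytab(data):
    """List every live entry of a version 0x0502 keytab, similar to `klist -k -e`."""
    if data[:2] != b"\x05\x02":
        raise ValueError("bad keytab header: %r" % data[:2])
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:
            if pos + size > len(data):
                raise ValueError("entry at offset %d is truncated" % (pos - 4))
            out.append(parse_entry(data[pos:pos + size]))
        pos += abs(size)                   # negative size marks a deleted slot (hole)
    return out

def build_entry(realm, comps, kvno, etype, key):
    # Helper for this example only: builds constructed sample entries.
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", len(comps)) + cs(realm) + b"".join(map(cs, comps))
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: made-up realm and key bytes; the second entry has a short AES256 key.
SAMPLE = (b"\x05\x02"
          + build_entry("EXAMPLE.TEST", ["nfs", "nfstestsystem.rockies.beta"], 3, 23, b"\x11" * 16)
          + build_entry("EXAMPLE.TEST", ["nfs", "nfstestsystem.rockies.beta"], 3, 18, b"\x22" * 16))
```

To inspect a real file, pass `open("/etc/krb5.keytab", "rb").read()` to `parse_keytab` and compare the principal, kvno and enctype of each entry with what the KDC holds for the account.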