I have a CentOS 6.4 that someone set up a while back.
The admin is not sure how he installed it, but it works very well with Kerberos. I used authconfig to set the domain and the Kerberos settings.
I used ktpass on a Windows domain controller and transferred the keytab. kinit -k works fine and I can use it for NFSv4 Kerberos mounts.
This is all pretty standard.
My problem is I have a customer that installed 6.7 with a base install and we cannot get kinit to work correctly.
We set these RPMs.
$ yum install krb5-libs krb5-workstation pam_krb5 \
cyrus-sasl-gssapi samba-* nfs-utils nfs4-acl-tools tcpdump -y
Each attempt to get the system to pick up a TGT returns the generic error:
$ kinit -k nfs/oldlabsystem
kinit: Preauthentication failed while getting initial credentials
I went back and installed 6.4 in the same way and now 6.4 has the problem. I pulled a list of the rpms from my working 6.4 and used yum to install the same RPMs.
No luck here.
A network trace shows:
AS-REQ
AS-REP error-code: eRR-PREAUTH-REQUIRED (25)
AS-REQ
error-code: eRR-PREAUTH-FAILED (24)
I went back and created new keys for my working system to make sure my method of generating the keys was correct. My working 6.4 system has no problem.
On the non-working 6.4 system, I can do a kinit username and supply the user password with no problem. But I cannot do a kinit -k. If I do a kinit and supply the password set with kpass, I end up with
kinit: Preauthentication failed while getting initial credentials
In frustration I went back and created a user account and then generated a keytab from it. This also failed with the same error. Then on the user account in AD I turned off pre-authentication and then the kinit returned this.
[root@ ~]# kinit -k nfs/nfstestsystem.rockies.beta
kinit: Password incorrect while getting initial credentials
I suspect the keytab is somehow getting corrupted or the OS is using the keys incorrectly.
My problem is these errors are so generic it is almost impossible to find anything of value on the message boards: lab-admin-krb5.
I tried to post these questions on the CentOS forums, but I did not get very far.
An strace of both kinit shows essentially the same calls to the same libraries.
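For the suspicion above that the keytab is getting corrupted, a structural check of the file is one thing that can be ruled in or out. The following is an added example, not part of the original post: a small parser for the MIT keytab file format (version 0x0502) that lists each entry's principal, kvno and enctype and raises an error if the file is cut short. The realm EXAMPLE.TEST, the kvno and the all-zero key in the sample are constructed.

```python
import struct

ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "arcfour-hmac", 1: "des-cbc-crc", 3: "des-cbc-md5"}

def _take(buf, off, fmt):
    """Bounds-checked read; returns (value, new offset)."""
    end = off + struct.calcsize(fmt)
    if end > len(buf):
        raise ValueError("field at offset %d runs past the data" % off)
    return struct.unpack_from(fmt, buf, off)[0], end

def _counted(buf, off):  # 16-bit big-endian length, then that many bytes
    n, off = _take(buf, off, ">H")
    return _take(buf, off, "%ds" % n)

def parse_keytab(data):
    """Return principal, kvno, enctype and key length for each entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos < len(data):
        size, pos = _take(data, pos, ">i")
        if size < 0:                      # deleted entry (hole): skip it
            pos -= size
            continue
        rec, _ = _take(data, pos, "%ds" % size)   # fails if the entry is cut short
        pos += size
        ncomp, off = _take(rec, 0, ">H")
        realm, off = _counted(rec, off)
        parts = []
        for _ in range(ncomp):
            part, off = _counted(rec, off)
            parts.append(part.decode())
        _, off = _take(rec, off, ">Q")    # name type + timestamp, unused here
        kvno, off = _take(rec, off, ">B")
        etype, off = _take(rec, off, ">H")
        key, off = _counted(rec, off)
        if len(rec) - off >= 4:           # optional 32-bit kvno replaces the 8-bit one
            kvno, off = _take(rec, off, ">I")
        entries.append({"principal": "/".join(parts) + "@" + realm.decode(), "kvno": kvno,
                        "enctype": ENCTYPES.get(etype, str(etype)), "keylen": len(key)})
    return entries

# Constructed sample: one arcfour-hmac entry, kvno 3, all-zero key, realm EXAMPLE.TEST
_cs = lambda b: struct.pack(">H", len(b)) + b
_body = (struct.pack(">H", 2) + _cs(b"EXAMPLE.TEST") + _cs(b"nfs") + _cs(b"nfstestsystem.rockies.beta")
         + struct.pack(">IIBH", 1, 0, 3, 23) + _cs(bytes(16)) + struct.pack(">I", 3))
SAMPLE = b"\x05\x02" + struct.pack(">i", len(_body)) + _body
```

Running `parse_keytab` over the bytes of the keytab on the working and the non-working host lets the entries be compared field by field.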