Setting Up a Keytab for a User Fails: "kinit: Password incorrect while getting initial credentials"


I am still unsure why using ktutil on the client did not work, but using kadmin.local on the server does:

kadmin.local
kadmin.local: ktadd -k myuser.keytab -norandkey [email protected]
kadmin.local: exit

Securely move this file to a secure directory on the client.

On the client, use this keytab file as follows:

kinit -k -t myuser.keytab [email protected]
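As an added example (not part of Dave's answer or the question), a POSIX sh check that compares the key version recorded in the client keytab with the version the KDC holds for the principal, and confirms the keytab file is owner-only, before a scripted `kinit -k -t` is trusted. The principal `myuser@EXAMPLE.COM` and the sample `klist -kte` / `get_principal` outputs are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a user keytab before
# relying on it for unattended kinit. Inputs are the plain-text outputs of
# `klist -kte <keytab>` on the client and `kadmin.local -q 'get_principal <princ>'`
# on the KDC. The principal and realm used below are constructed placeholders.

# Print the distinct KVNOs a `klist -kte` listing records for one principal.
# Data rows are: KVNO, date, time, principal, (enctype).
keytab_kvnos() {   # $1 = klist -kte output, $2 = principal
    printf '%s\n' "$1" | awk -v p="$2" '$1 ~ /^[0-9]+$/ && $4 == p { print $1 }' | sort -u
}

# Print the distinct key versions the KDC holds ("Key: vno N, enctype:salt").
kdc_kvnos() {      # $1 = get_principal output
    printf '%s\n' "$1" | awk '$1 == "Key:" && $2 == "vno" { sub(/,$/, "", $3); print $3 }' | sort -u
}

# Succeed (0) only if every key version the KDC holds is present in the keytab.
# A keytab whose KVNO lags the KDC (1 vs 3 in the question) cannot authenticate.
keytab_kvno_ok() { # $1 = klist output, $2 = get_principal output, $3 = principal
    kt=$(keytab_kvnos "$1" "$3")
    [ -n "$kt" ] || return 1       # principal absent from the keytab
    for v in $(kdc_kvnos "$2"); do
        echo "$kt" | grep -qx "$v" || return 1
    done
    return 0
}

# Succeed only if the keytab is readable by its owner alone (mode 600 or 400):
# the file is a password equivalent for the principal.
keytab_private() { # $1 = path to keytab
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample outputs, shaped like those in the question.
KDC_SAMPLE='Principal: myuser@EXAMPLE.COM
Key: vno 3, aes256-cts-hmac-sha1-96:special
Key: vno 3, aes128-cts-hmac-sha1-96:special
Attributes: REQUIRES_PRE_AUTH'
STALE_KT='KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 07/23/2018 14:33:30 myuser@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'
FRESH_KT='KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 07/24/2018 09:10:00 myuser@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 07/24/2018 09:10:00 myuser@EXAMPLE.COM (aes128-cts-hmac-sha1-96)'

if keytab_kvno_ok "$STALE_KT" "$KDC_SAMPLE" myuser@EXAMPLE.COM; then echo "stale: ok"; else echo "stale: kvno mismatch"; fi
```

Run the same two checks against a real `klist -kte` and `get_principal` capture; a mismatch means regenerate the keytab on the KDC rather than retyping the password into ktutil.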
Author: Dave
Updated on September 18, 2022

Comments

  • Dave (over 1 year ago)

    I have a cluster of machines running CentOS 7.3. Kerberos, DNS, LDAP, etc. are in use in a unified manner via the use of FreeIPA 4.4.

    I have a particular user that runs automated tests. Therefore, this user needs to be able to obtain a Ticket Granting Ticket without password entry. I have tried to accomplish this by creating a keytab and effectively "pre-entering" the password. However, I cannot kinit using the keytab, as shown below.

    GET THE KEY VERSION NUMBER (kvno) from the KDC

    [[email protected] ~]# kadmin.local -q 'get_principal [email protected]'
    Authenticating as principal root/[email protected] with password.
    Principal: [email protected]
    Expiration date: [never]
    Last password change: Mon Jul 16 06:54:59 CDT 2018
    Password expiration date: Tue Jul 23 06:54:59 CDT 2019
    Maximum ticket life: 1 day 00:00:00
    Maximum renewable life: 7 days 00:00:00
    Last modified: Mon Jul 16 06:54:59 CDT 2018 ([email protected])
    Last successful authentication: Mon Jul 23 11:03:38 CDT 2018
    Last failed authentication: Mon Jul 23 14:40:57 CDT 2018
    Failed password attempts: 1
    Number of keys: 2
    Key: vno 3, aes256-cts-hmac-sha1-96:special
    Key: vno 3, aes128-cts-hmac-sha1-96:special
    MKey: vno 1
    Attributes: REQUIRES_PRE_AUTH
    Policy: [none]
    

    CREATE A KEYTAB, USING THE KVNO FROM ABOVE, ON THE CLIENT MACHINE

    [email protected]$ cd /home/myuser
    [email protected]$ mkdir .krb5
    [email protected]$ chmod 700 .krb5
    [email protected]$ cd /home/myuser/.krb5
    [email protected]$ ktutil
    ktutil:  addent -password -p [email protected] -k 3 -e aes256-cts
    Password for [email protected]:
    ktutil:  list
    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
       1    1                    [email protected]
    ktutil:  wkt myuser.keytab
    ktutil:  exit
    

    LIST OUT THE KEYTAB WE JUST CREATED ON THE CLIENT MACHINE

    [email protected]$ klist -kte myuser.keytab
    Keytab name: FILE:myuser.keytab
    KVNO Timestamp           Principal
    ---- ------------------- ------------------------------------------------------
       1 07/23/2018 14:33:30 [email protected] (aes256-cts-hmac-sha1-96)
    

    ATTEMPT TO USE THE KEYTAB ON THE CLIENT MACHINE

    [email protected]$ klist
    klist: Credentials cache keyring 'persistent:4866486744:krb_ccache_rGHfj38' not found
    [email protected]$ kinit [email protected] -k -t /home/myuser/.krb5/myuser.keytab
    kinit: Password incorrect while getting initial credentials
    

    Where am I going wrong in setting up the keytab for this user?