This is something I have faced and I found the solution. Since there wasn't any question about it, I will post it as a question and I will write my solution as the answer.
Environment:
Problem:
I created a "user.keytab" file with "ktutil" to renew the krb ticket without a password, as recommended here: https://kb.iu.edu/d/aumh
ktutil: addent -password -p [email protected] -k 1 -e rc4-hmac
Password for [email protected]: [enter your password]
ktutil: addent -password -p [email protected] -k 1 -e aes256-cts
Password for [email protected]: [enter your password]
ktutil: wkt user.keytab
ktutil: quit
Then testing ended up with an exception:
(user@server [~])$ kinit [email protected] -k -t user.keytab
kinit: Preauthentication failed while getting initial credentials
The error, “Preauthentication failed while getting initial credentials” happens when the password is incorrect. Update the keytab file on the problematic Kerberos client with the key provided from the Kerberos server.
For 4771 (F): Kerberos pre-authentication failed. High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on.
Describes security event 4771(F) Kerberos pre-authentication failed. This event is generated when the Key Distribution Center fails to issue a Kerberos TGT.
After wasting quite a lot of time with analyzing configuration files and also SELinux I remembered that the cause for this issue can be quite simple. Try to generate a Kerberos ticket using kinit when receiving error messages like this – it is possible that the password simply expired:
The key encryption type "aes256-cts" might not be configured in your krb setup.
Simply delete the keytab file and recreate one without "aes256-cts" encryption by using the above steps:
ktutil: addent -password -p [email protected] -k 1 -e rc4-hmac
Password for [email protected]: [enter your password]
ktutil: wkt user.keytab
ktutil: quit
or
Delete the "aes256-cts" encryption from the keytab file by following the steps on the link I added above.
And finally execute:
(user@server [~])$ kinit [email protected] -k -t user.keytab
You won't see any error this time and your ticket will be created.