Why password becomes incorrect after generating keytab in Kerberos?

Tags:

kerberos

In my Kerberos system:

  1. run kinit test and input the password: succeeds.
  2. generate a keytab with kadmin.local -q "xst -k test.keytab test".
  3. run kinit test and input the password: fails with

    kinit: Password incorrect while getting initial credentials
    
  4. run kinit -k -t test.keytab test: succeeds.

Is this normal? If not, what are the possible reasons?

Thanks.

secfree asked Aug 27 '15 12:08


3 Answers

I found that the attribute krbLastPwdChange (a timestamp value) in Kerberos's database changed after I ran:

kadmin.local -q "xst -k test.keytab test"

While adding the option -norandkey just creates the keytab without changing the password:

kadmin.local -q "xst -norandkey -k test.keytab test"

I cannot find detailed documentation about kadmin xst.

secfree answered Sep 28 '22 12:09
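The answer above turns on what a keytab actually stores and what changes when xst rotates a principal's key. The following is an added example, not code from the question or from any answer: a small MIT keytab (format 0x0502) builder and parser in Python that shows the fields a keytab holds (principal, kvno, enctype, raw key, and no password), plus a check that compares the kvno in a keytab against the kvno the KDC reports. The realm, principal name, key bytes and timestamp are constructed sample values; in real use the KDC-side kvno comes from the "Key: vno N" line of kadmin.local -q "getprinc test".

```python
"""Build and parse MIT Kerberos keytab files (version 0x0502).

Added example, not from the original question or answers. The keytab bytes
below are constructed in-process so this runs offline.
"""
import struct

AES256_CTS_HMAC_SHA1_96 = 18  # RFC 3962 enctype number
KRB5_NT_PRINCIPAL = 1         # name type used for user/service principals


def build_entry(realm, components, kvno, enctype, key, timestamp,
                name_type=KRB5_NT_PRINCIPAL):
    """Serialize one keytab entry body (without its leading int32 length)."""
    body = struct.pack(">H", len(components))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for comp in components:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)  # 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key               # keyblock
    body += struct.pack(">I", kvno)                                   # 32-bit vno extension
    return body


def build_keytab(entries):
    """Concatenate entries. An int n stands for a deleted slot of n bytes
    (MIT marks those with a negative length)."""
    out = b"\x05\x02"
    for entry in entries:
        if isinstance(entry, int):
            out += struct.pack(">i", -entry) + b"\x00" * entry
        else:
            out += struct.pack(">i", len(entry)) + entry
    return out


def _counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode(), pos + n


def parse_keytab(data):
    """Return a list of dicts, one per live entry, in file order."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # deleted slot: skip its bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:      # 32-bit vno present; it overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "name_type": name_type, "timestamp": timestamp,
                        "kvno": kvno, "enctype": enctype, "key": key})
    return entries


def kvno_mismatch(keytab_bytes, principal, kdc_kvno):
    """Entries for `principal` whose kvno differs from what the KDC reports.
    A mismatch means the keytab key is stale: the principal's key was
    rotated after the keytab was written (xst without -norandkey, or cpw)."""
    return [e for e in parse_keytab(keytab_bytes)
            if e["principal"] == principal and e["kvno"] != kdc_kvno]


# Constructed sample data (not real keys): test@EXAMPLE.COM at kvno 2 and a
# host principal at kvno 1, with a deleted 16-byte slot between them.
SAMPLE_KEY = bytes(range(32))
SAMPLE_TS = 1440676800
SAMPLE_KEYTAB = build_keytab([
    build_entry("EXAMPLE.COM", ["test"], 2, AES256_CTS_HMAC_SHA1_96, SAMPLE_KEY, SAMPLE_TS),
    16,
    build_entry("EXAMPLE.COM", ["host", "kdc.example.com"], 1,
                AES256_CTS_HMAC_SHA1_96, bytes(32), SAMPLE_TS),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%-30s kvno=%d enctype=%d key=%s" % (e["principal"], e["kvno"],
                                                   e["enctype"], e["key"].hex()))
    print("stale entries vs KDC kvno 3:",
          [e["kvno"] for e in kvno_mismatch(SAMPLE_KEYTAB, "test@EXAMPLE.COM", 3)])
```

klist -kt test.keytab prints the same principal, KVNO and timestamp columns (klist -K adds the key bytes); if its KVNO is lower than the "Key: vno" shown by getprinc, the keytab was written before the key was last rotated and kinit -k -t will fail against the current key.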


This is by design. You cannot have both a password and a keytab in Kerberos. The reason is that if both were enabled and someone was able to pull a keytab on your behalf, or was in possession of a copy of your keytab, then they could masquerade as you and you would never know it. They would be able to generate a TGT via kinit.

By pulling a keytab, the password is invalidated, so if you then tried to log in with a password, you would get an error. And even if you didn't know exactly what was going on, resetting your password would invalidate the keytab.

Chris C answered Sep 28 '22 11:09


For one simple reason:

kinit tells you that the client has not been found in the database, right? By default, when kinit is invoked with a keytab it uses the default server principal to obtain a TGT. In your case that is host/<hostname>@REALM, but your keytab contains a key for the principal test@REALM.

I had this issue too until I asked on the MIT Kerberos mailing list.

Michael-O answered Sep 28 '22 11:09