
This is something I have faced and I found the solution. Since there wasn't any question about it, I will post it as a question and write my solution as the answer.

Environment:

  • OS: CentOS Linux, macOS (Big Sur)
  • Cluster: Cloudera Hadoop Distribution
  • Tool: Kerberos

Problem:

I created a "user.keytab" file with "ktutil" to renew the Kerberos ticket without a password, as recommended here: https://kb.iu.edu/d/aumh

ktutil:  addent -password -p user@DOMAIN.LOCAL -k 1 -e rc4-hmac
Password for user@DOMAIN.LOCAL: [enter your password]
ktutil:  addent -password -p user@DOMAIN.LOCAL -k 1 -e aes256-cts
Password for user@DOMAIN.LOCAL: [enter your password]
ktutil:  wkt user.keytab
ktutil:  quit

Testing it then ended with an exception:

(user@server [~])$ kinit user@DOMAIN.LOCAL -k -t user.keytab
kinit: Preauthentication failed while getting initial credentials
Stefan
Alper t. Turker
    @jww what's the point of a Kerberos tag if not for questions like this? I'd argue it absolutely is relevant. Look at some of the "related" questions - many are highly upvoted and often fairly theoretical. – Ben Watson Apr 18 '18 at 10:09
  • This kind of question is really a gray area, it falls in between the lines of development and system administration in my view. Question could fall into either category. Anyway, looking forward to the answer. – T-Heron Apr 18 '18 at 11:27
  • @Ben - In theory, the Kerberos tag is for programming and development question related to Kerberos, like configuring, make'ing, fixing bugs, implementing a new signature algorithm, etc. But it would not be the first time a tag became a dumping ground on Stack Overflow. – jww Apr 18 '18 at 19:31

1 Answer


Cause:

The key encryption type "aes256-cts" might not be configured in your Kerberos setup.

Solution:

Simply delete the keytab file and recreate one without "aes256-cts" encryption, using the steps above:

ktutil:  addent -password -p user@DOMAIN.LOCAL -k 1 -e rc4-hmac
Password for user@DOMAIN.LOCAL: [enter your password]
ktutil:  wkt user.keytab
ktutil:  quit

or

Delete the "aes256-cts" encryption from the keytab file by following the steps at the link I added above.

And finally execute:

(user@server [~])$ kinit user@DOMAIN.LOCAL -k -t user.keytab

You won't see any error this time and your ticket will be created.

zero323
Alper t. Turker
    Please mark your answer as accepted. – T-Heron Jun 18 '18 at 09:58
  • In my case the issue was fixed after using the salt option in ktutil. Below are the steps I used to fix the issue:

    [user@rhel8server ~]$ ktutil
    ktutil: addent -password -p USER@DOMAIN.EXAMPLE -k 0 -e aes256-cts -s "DOMAIN.EXAMPLEUSER"
    Password for USER@DOMAIN.EXAMPLE:
    ktutil: wkt /home/user/kerberos/user.keytab
    ktutil: exit

    – Namasivayam Chinnapillai Feb 15 '23 at 07:09
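Both the question's ktutil session and the answer's "delete aes256-cts from the keytab" step revolve around what actually ends up inside user.keytab, and the quickest real-world check is `klist -kte user.keytab`, which lists every entry with its kvno and enctype. The added example below is editor-supplied code, not part of the original post or of the IU knowledge-base article: a small parser and writer for the MIT keytab format (version 0x0502, the format ktutil's `wkt` writes) that produces the same kind of listing and can rewrite the file without a given enctype. It assumes the standard on-disk layout (big-endian sizes, a 16-bit component count that excludes the realm, an 8-bit kvno followed by an optional 32-bit kvno), and the sample keytab it builds uses constructed placeholder key bytes rather than real password-derived keys. One caveat a practitioner should keep in mind when following the accepted answer: rc4-hmac keys are derived from the password alone (no salt), while AES keys are salted, which is why a wrong salt breaks only the AES entry and why the `-s` option in the last comment can fix it; and RFC 8429 deprecates rc4-hmac, so a keytab containing only RC4 is a downgrade rather than a long-term fix.

```python
"""Inspect and rewrite MIT-format keytab files (format version 0x0502).

Added example; the keytab layout and the sample entries are assumptions
described in the lead-in, and the key bytes are constructed placeholders.
"""
import struct
from dataclasses import dataclass

# Encryption-type numbers from the Kerberos registry for the types on this page.
ENCTYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",            # what ktutil calls rc4-hmac
}
ENCTYPE_BY_NAME = {v: k for k, v in ENCTYPE_NAMES.items()}
ENCTYPE_BY_NAME.update({"rc4-hmac": 23, "aes256-cts": 18, "aes128-cts": 17})

KRB5_NT_PRINCIPAL = 1


@dataclass
class KeytabEntry:
    principal: str      # e.g. "user@DOMAIN.LOCAL"
    kvno: int
    enctype: int
    key: bytes
    timestamp: int = 0
    name_type: int = KRB5_NT_PRINCIPAL


def _counted_string(data, off):
    """Read a 16-bit length-prefixed byte string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Return the live entries of a keytab as KeytabEntry objects."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:               # negative size marks a deleted entry (a hole)
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted_string(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted_string(data, off)
            comps.append(c)
        name_type, timestamp, vno8, etype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:         # optional 32-bit kvno; a non-zero value wins over vno8
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        principal = b"/".join(comps).decode() + "@" + realm.decode()
        entries.append(KeytabEntry(principal, kvno, etype, key, timestamp, name_type))
        off = end
    return entries


def build_keytab(entries):
    """Serialize entries back into a version 0x0502 keytab."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = [c.encode() for c in name.split("/")]
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c
        body += struct.pack(">IIBHH", e.name_type, e.timestamp, e.kvno & 0xFF,
                            e.enctype, len(e.key))
        body += e.key
        body += struct.pack(">I", e.kvno)   # 32-bit kvno, as current MIT libkrb5 writes it
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def list_entries(data):
    """klist -kte style summary: (kvno, principal, enctype name) per entry."""
    return [(e.kvno, e.principal, ENCTYPE_NAMES.get(e.enctype, "etype %d" % e.enctype))
            for e in parse_keytab(data)]


def drop_enctype(data, enctype_name):
    """Rewrite the keytab without any entry of the named enctype (e.g. "aes256-cts")."""
    etype = ENCTYPE_BY_NAME[enctype_name]
    return build_keytab([e for e in parse_keytab(data) if e.enctype != etype])


# Constructed sample: the two entries the question's ktutil session would write,
# with placeholder key bytes (not real password-derived keys).
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry("user@DOMAIN.LOCAL", 1, 23, bytes(range(16)), timestamp=1524000000),
    KeytabEntry("user@DOMAIN.LOCAL", 1, 18, bytes(range(32)), timestamp=1524000000),
])

if __name__ == "__main__":
    for kvno, princ, etype in list_entries(SAMPLE_KEYTAB):
        print("%4d %s (%s)" % (kvno, princ, etype))
    rc4_only = drop_enctype(SAMPLE_KEYTAB, "aes256-cts")
    print("after dropping aes256-cts:", list_entries(rc4_only))
```

Run against a real file with `parse_keytab(open("user.keytab", "rb").read())` and compare the output with `klist -kte user.keytab`; the kvno shown there should match the account's current key version, and the enctypes listed are exactly the ones kinit will offer. Keys in a keytab are password-equivalent, so keep the file mode 0600 and handle any copy of it as you would the password itself.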