Thursday, December 24, 2015

why did kinit throw error "Preauthentication failed while getting initial credentials"?

While executed following command :

#kinit -k -t /root/utilscripts/nsupdateuser.keytab

it threw error:

kinit: Preauthentication failed while getting initial credentials

Solution: Password of user may be wrong, Try to reset and test again.

Why did kinit throw error "KDC reply did not match expectations while getting initial credentials"


While executing following command:

#kinit username@MYDOMAIN.COM -k -t username.keytab

it threw error :

kinit: KDC reply did not match expectations while getting initial credentials

Solution : 

user doesn't have remote access to the machine. 

How to manage kerberos keytab file?

1. Use klist to display the keytab file entries:

klist -e -k -t  mykeytabfile.keytab
or klist -ekt nsupdateuser.ktab
or type command:

#ktutil     # execute this command
ktutil:     # this prompt will appear
ktutil: read_kt /etc/apache2/http.keytab   #read keytab file
ktuilt: list                             #list all princples


[root@customer-prod-util-101 utilscripts]# klist -e -k -t  nsupdateuser.ktab
Keytab name: FILE:nsupdateuser.ktab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 09/08/15 21:50:45 (aes256-cts-hmac-sha1-96)
[root@customer-prod-util-101 utilscripts]#

2. Following is an example of the keytab file creation process using kerberos method :

  > ktutil
  ktutil:  addent -password -p -k 1 -e rc4-hmac
  Password for [enter your password]
  ktutil:  addent -password -p -k 1 -e aes256-cts
  Password for [enter your password]
  ktutil:  wkt username.keytab
  ktutil:  quit

Following is an example using Heimdal Kerberos:

> ktutil -k username.keytab add -p -e arcfour-hmac-md5 -V 1

3. Obtain a ticket-granting ticket using the keytab for testing:

You can check that the keytab contains the appropriate encryption key by attempting to use it to obtain a ticket-granting ticket. This can be done using the kinit command:

#kinit -k -t /etc/nsupdateuser.keytab    # here nsupdate is username exiting in AD. this has privileges to update dns records on win DNS.
#klist                <#will show if ticket is created or not

example :

[root@customer-prod-util-101 ~]#  kinit -k -t /root/utilscripts/nsupdateuser.ktab nsupdate   # uses default domain
[root@customer-prod-util-101 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal:

Valid starting     Expires            Service principal
12/24/15 05:29:49  12/24/15 15:29:49  krbtgt/
        renew until 12/31/15 05:29:49
[root@customer-prod-util-101 ~]#

   Or try to login to test if keytab file works :

Test with out keytab file:

#kinit username@MYDOMAIN.COM
password>     // pass password of username

Test with keytab file:

#kinit username@MYDOMAIN.COM -k -t username.keytab

4. Using a keytab to authenticate scripts:

To execute a script so it has valid Kerberos credentials, use:

  > kinit -k -t mykeytab; myscript

list out principle :

ktutil:  rkt nsupdateuser.ktab
ktuilt: list

5. Merging keytab files:

> ktutil
  ktutil: read_kt mykeytab-1
  ktutil: read_kt mykeytab-2
  ktutil: read_kt mykeytab-3
  ktutil: write_kt krb5.keytab
  ktutil: quit

6. Delete principle:

ktutil: rkt
ktuilt: list
ktutil: delete_entry slot-number
ktuilt: wkt
ktuilt: quit

7. Destroy cached ticket:

kdestroy -A  //all cache will be destroyed
kdestroy -C  //this cache will be deleted only

#kdestroy -c "FILE:/tmp/krb5cc_0"