On Wed, 23 Sep 2015, Brian J. Murrell wrote:
> I've put a Kerberos principal into a keytab:
> # klist -k asterisk.keytab
> Keytab name: FILE:asterisk.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 8 [email protected]
> using:
> # ipa-getkeytab -s server.example.com -p asterisk -k /tmp/asterisk-krb5.keytab
> -e aes256-cts
> But when I try to use that keytab I get an error:
> # kinit -k -t /etc/asterisk/asterisk.keytab imap/[email protected]
> kinit: Generic preauthentication failure while getting initial credentials
> On the server I get the following error:
> Sep 23 19:30:39 server.example.com krb5kdc[28970](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) xxxxxx: NEEDED_PREAUTH:
> imap/[email protected] for krbtgt/[email protected],
> Additional pre-authentication required
> Any idea what is going on here?
You need to explain what you are trying to achieve first.
The sequence above:
- Sets a random Kerberos key for a principal named [email protected]
on the IPA KDC and stores it to the local keytab file asterisk.keytab
- Tries to use a key for [email protected] to obtain a ticket granting
ticket as imap/[email protected]
Unless imap/[email protected] has exactly the same Kerberos key
as [email protected], the above should fail and it does.
--
/ Alexander Bokovoy