On Wed, Jan 24, 2024 at 4:27 PM Sam Hartman <[email protected]> wrote:
>
> >>>>> "Michael" == Michael B Allen <[email protected]> writes:
>
>     Michael> Hi Ken,
>
>     Michael> Indeed. Unfortunately my stock packages on CentOS 9 Stream
>     Michael> are 1.21 but the KRB5_TRACE feature was introduced in 1.9.
>
> Last time I checked, 1.21 > 1.9.
Good point and, after some fiddling, it does indeed work and would have
revealed the issue:

$ KRB5_TRACE=trace.txt kinit -k -t java31.keytab '[email protected]'
kinit: Pre-authentication failed: Invalid argument while getting initial credentials
$ cat trace.txt
850878: Matching [email protected] in collection with result: 0/Success
850879: Getting initial credentials for [email protected]
850880: Found entries for [email protected] in keytab: aes128-cts
850882: Sending unauthenticated request
850883: Sending request (189 bytes) to GOGO.LOCO
850884: Resolving hostname dc1.gogo.loco
850885: Sending initial UDP request to dgram 10.11.12.22:88
850886: Received answer (185 bytes) from dgram 10.11.12.22:88
850887: Response was from primary KDC
850888: Received error from KDC: -1765328359/Additional pre-authentication required
850891: Preauthenticating using KDC method data
850892: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
850893: Selected etype info: etype aes256-cts, salt "GOGO.LOCOhostjava31.gogo.loco", params ""
850894: PKINIT client has no configured identity; giving up
850895: PKINIT client has no configured identity; giving up
850896: Preauth module pkinit (16) (real) returned: 22/Invalid argument
850897: Retrieving [email protected] from FILE:java31.keytab (vno 0, enctype aes256-cts) with result: -1765328203/No key table entry found for [email protected]
850898: Preauth module encrypted_timestamp (2) (real) returned: -1765328203/No key table entry found for [email protected]

Second to last line is pretty clear. Kinit was looking for an aes256-cts
key but the keytab only had an aes128-cts entry.

Mike

--
Michael B Allen
Java AD DS Integration
https://www.ioplex.com/
________________________________________________
Kerberos mailing list  [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
