Celeb Glow
general | February 26, 2026

Setting Up a Keytab for a User Fails: "kinit: Password incorrect while getting initial credentials"

I have a cluster of machines running CentOS 7.3. Kerberos, DNS, LDAP, etc. are in use in a unified manner via the use of FreeIPA 4.4.

I have a particular user that runs automated tests. Therefore, this user needs to be able to obtain a Ticket Granting Ticket without password entry. I have tried to accomplish this by creating a keytab and effectively "pre-entering" the password. However, I cannot kinit using the keytab, as shown below.

GET THE KEY VERSION NUMBER (kvno) from the KDC

[ ~]# kadmin.local -q 'get_principal '
Authenticating as principal root/ with password.
Principal:
Expiration date: [never]
Last password change: Mon Jul 16 06:54:59 CDT 2018
Password expiration date: Tue Jul 23 06:54:59 CDT 2019
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Jul 16 06:54:59 CDT 2018 ()
Last successful authentication: Mon Jul 23 11:03:38 CDT 2018
Last failed authentication: Mon Jul 23 14:40:57 CDT 2018
Failed password attempts: 1
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96:special
Key: vno 3, aes128-cts-hmac-sha1-96:special
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

CREATE A KEYTAB, USING THE KVNO FROM ABOVE, ON THE CLIENT MACHINE

$ cd /home/myuser
$ mkdir .krb5
$ chmod 700 .krb5
$ cd /home/myuser/.krb5
$ ktutil
ktutil: addent -password -p -k 3 -e aes256-cts
Password for :
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1
ktutil: wkt myuser.keytab
ktutil: exit

LIST OUT THE KEYTAB WE JUST CREATED ON THE CLIENT MACHINE

$ klist -kte myuser.keytab
Keytab name: FILE:myuser.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
   1 07/23/2018 14:33:30 (aes256-cts-hmac-sha1-96)

ATTEMPT TO USE THE KEYTAB ON THE CLIENT MACHINE

$ klist
klist: Credentials cache keyring 'persistent:4866486744:krb_ccache_rGHfj38' not found
$ kinit -k -t /home/myuser/.krb5/myuser.keytab
kinit: Password incorrect while getting initial credentials

Where am I going wrong in setting up the keytab for this user?

1 Answer

I am still unsure why using ktutil on the client did not work, but using kadmin.local on the server does:

kadmin.local
kadmin.local: ktadd -k myuser.keytab -norandkey
kadmin.local: exit

Securely move this file to a secure directory on the client.

On the client, use this keytab file as follows:

kinit -k -t myuser.keytab 
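
A diagnostic check for the keytab comparison walked through above, added here as an example and not part of the original question or answer: it parses `get_principal` and `klist -kte` output, reports keytab entries whose KVNO and enctype have no counterpart on the KDC, and checks that the keytab file is readable by its owner only. The function names and the sample data (including the placeholder principal `myuser@EXAMPLE.TEST`) are constructed, modelled on the listings in the question.

```shell
#!/bin/sh
# Added example, not from the original post. All sample data is constructed.

# Constructed sample of `kadmin.local -q 'get_principal <principal>'` output.
KDC_SAMPLE='Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96:special
Key: vno 3, aes128-cts-hmac-sha1-96:special
MKey: vno 1'

# Constructed sample of `klist -kte <keytab>` output (placeholder principal).
KEYTAB_SAMPLE='Keytab name: FILE:myuser.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 07/23/2018 14:33:30 myuser@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)'

# kdc_keys: print "kvno enctype" for each "Key:" line of get_principal output.
kdc_keys() {
    printf '%s\n' "$1" | awk '$1 == "Key:" && $2 == "vno" {
        kvno = $3; sub(/,$/, "", kvno)   # "3," -> "3"
        enc = $4; sub(/:.*/, "", enc)    # drop the ":special" suffix
        print kvno, enc }'
}

# keytab_keys: print "kvno enctype" for each entry row of klist -kte output.
keytab_keys() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $NF ~ /^\(.*\)$/ {
        enc = $NF; gsub(/[()]/, "", enc)
        print $1, enc }'
}

# stale_entries KDC_TEXT KEYTAB_TEXT: print keytab entries that have no KDC key
# with the same KVNO and enctype; return 1 if any were found, 0 otherwise.
stale_entries() {
    kdc=$(kdc_keys "$1")
    out=$(keytab_keys "$2" | while read -r kvno enc; do
        printf '%s\n' "$kdc" | grep -qxF "$kvno $enc" || echo "$kvno $enc"
    done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# keytab_mode_ok FILE: succeed only if group and other have no permission bits.
keytab_mode_ok() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}
```

A clean result from `stale_entries` shows only that KVNO and enctype line up; it does not prove the key material in the keytab matches the key held by the KDC.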
