kinit: Preauthentication failed while getting initial credentials


I have a bash script to create a keytab file:

#!/bin/bash
 
user="username"
pass="password"
 
printf "%b" "add_entry -password -p [email protected] -k 1 -e aes128-cts-hmac-sha1-96\n$pass\nadd_entry -password -p [email protected] -k 1 -e aes256-cts-hmac-sha1-96\n$pass\nadd_entry -password -p [email protected] -k 1 -e arcfour-hmac-md5-exp\n$pass\nadd_entry -password -p [email protected] -k 1 -e des3-cbc-sha1\n$pass\nadd_entry -password -p [email protected] -k 1 -e des-cbc-md5\n$pass\nwrite_kt $user.keytab" | ktutil

but I cannot connect to the LDAP server; it fails with this error:

kinit: Preauthentication failed while getting initial credentials

When I use kinit -V $user it is okay. I have tried creating the keytab from the command line multiple times, but I get the same error when logging in with the keytab.


Solution

  • The aes128 and aes256 ciphersuites in Kerberos use salted PBKDF2 to derive the key from the password. When you kinit with a password, the salt is retrieved from the KDC, but when you manually create a keytab a default name+realm salt is used – which will work most of the time, but will not work if the user account has been renamed, as then its existing keys will still use the old salt (based on its old name), at least until a password change.

    To deal with that possibility, use the -f option to add_entry – it will make ktutil do an AS-REQ and get the correct salt from the KDC, the same way kinit does:

    add_entry -password -p [email protected] -k 1 -e aes128-cts-hmac-sha1-96 -f
    

    (arcfour-hmac does not use a salt; it deals with straight NTLM hashes, so it doesn't have this problem – but on the other hand, arcfour-hmac is another name for RC4, and these days you probably shouldn't be using it.

    I don't remember what kind of salt des3 and des ciphersuites use, but I really doubt you need either of those – Windows doesn't support des3 at all, only des, and single-DES is crackable in hours so you don't want to use it either. Still, either way, the -f option will do the correct thing for all ciphersuites.)


    Instead of having a massive printf, use a << heredoc:

    ktutil <<EOF
    add_entry -password -p [email protected] -k 1 -e aes128-cts-hmac-sha1-96 -f
    $pass
    add_entry -password -p [email protected] -k 1 -e aes256-cts-hmac-sha1-96 -f
    $pass
    write_kt $user.keytab
    EOF
    

    Alternatively, instead of a single command, you can use { } or ( ) to pipe multiple command outputs at once:

    {
        for etype in {aes128,aes256}-cts-hmac-sha1-96; do
            echo "add_entry -password -p [email protected] -k 1 -e $etype -f"
            echo "$pass"
        done
        echo "write_kt $user.keytab"
    } | ktutil
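The salt explanation at the top of the answer is the whole reason the keytab fails, so here is an added example (not code from the question or the answer) that makes it concrete. It implements the PBKDF2 stage of the RFC 3962 string-to-key function for the aes128/aes256-cts-hmac-sha1-96 enctypes together with the RFC 4120 default salt (realm followed by the principal name components), and shows that a keytab built with the default salt for a renamed account does not reproduce the key the KDC still holds. The final DK(tkey, "kerberos") step, which needs AES, is deliberately omitted: it is a fixed function of tkey, so whenever the PBKDF2 output differs the real key differs too. The realm, account names and password are constructed sample values.

```python
"""
Added example (not part of the original question or answer).

RFC 3962 string-to-key for aes128/aes256-cts-hmac-sha1-96:
    tkey = PBKDF2-HMAC-SHA1(password, salt, iterations=4096, keylen)
    key  = DK(tkey, "kerberos")     # AES-based step, omitted here
The DK step is a fixed function of tkey, so showing that tkey depends on the
salt is enough to show why a keytab built with the wrong salt cannot work.
"""
import hashlib

# Key length in bytes per enctype (RFC 3962 section 6)
ENCTYPE_KEYLEN = {
    "aes128-cts-hmac-sha1-96": 16,
    "aes256-cts-hmac-sha1-96": 32,
}
# Iteration count used when the KDC sends no s2kparams (RFC 3962 section 4)
DEFAULT_ITERATIONS = 4096


def default_salt(realm: str, principal: str) -> bytes:
    """RFC 4120 default salt: the realm name followed by the principal's name
    components concatenated with no separators ('/' between components is
    dropped, and there is no '@'). This is what ktutil uses when add_entry is
    run without -f, i.e. without asking the KDC for the real salt."""
    components = principal.split("/")
    return (realm + "".join(components)).encode("utf-8")


def pbkdf2_tkey(password: str, salt: bytes, enctype: str,
                iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """PBKDF2 stage of RFC 3962 string-to-key (the 'tkey' that feeds DK)."""
    keylen = ENCTYPE_KEYLEN[enctype]
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, dklen=keylen)


def keytab_matches_kdc(password: str, realm: str, current_name: str,
                       kdc_salt: bytes, enctype: str) -> bool:
    """Does a keytab built with the *default* salt for current_name (what
    add_entry does without -f) reproduce the key the KDC stores, which was
    derived with kdc_salt at the last password change?"""
    keytab_key = pbkdf2_tkey(password, default_salt(realm, current_name), enctype)
    kdc_key = pbkdf2_tkey(password, kdc_salt, enctype)
    return keytab_key == kdc_key


if __name__ == "__main__":
    # Constructed scenario: account 'jdoe' was renamed to 'john.doe' after its
    # last password change, so the KDC's keys still carry the old-name salt.
    realm, password, etype = "EXAMPLE.COM", "Secret123", "aes256-cts-hmac-sha1-96"
    kdc_salt = default_salt(realm, "jdoe")           # salt frozen in the KDB
    print("before rename:", keytab_matches_kdc(password, realm, "jdoe", kdc_salt, etype))
    print("after rename :", keytab_matches_kdc(password, realm, "john.doe", kdc_salt, etype))
    # With add_entry -f, ktutil fetches kdc_salt from the KDC and the keys match:
    print("with -f      :", pbkdf2_tkey(password, kdc_salt, etype)
          == pbkdf2_tkey(password, kdc_salt, etype))
```

Run with `python3 salt_demo.py`: before the rename the default salt coincides with the KDC's salt and the check succeeds; after the rename the default salt is computed from the new name, the PBKDF2 output changes, and the keytab key no longer matches, which is exactly the "Preauthentication failed" symptom. Passing -f to add_entry sidesteps the guess entirely by using the salt the KDC returns.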