Hello. I have a problem obtaining a Kerberos ticket for the domain administrator admin@MY.DOM via a keytab file.
First I added a key for admin to the keytab using ktutil
by running
root@servfripa:~# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: addent -password -p admin@MY.DOM -k 1 -e aes256-cts
after which I entered the password when prompted
and then saved it to the file /etc/krb5.keytab
root@servfripa:~# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 host/servfripa.my.dom@MY.DOM
2 1 admin@MY.DOM
ktutil: rkt /etc/krb5.keytab
ktutil: l -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 host/servfripa.my.dom@MY.DOM (aes256-cts-hmac-sha1-96)
2 1 admin@MY.DOM (aes256-cts-hmac-sha1-96)
ktutil:
The problem is the following.
When I run
and enter the password by hand, I get a ticket.
But if I run
I get the error
kinit: Preauthentication failed while getting initial credentials
I cannot understand what is wrong, because when I created the keytab entry I entered the correct password; it is very simple since this is a test.
Here is the detailed output
root@servfripa:~# KRB5_TRACE="/dev/stdout" kinit -f admin@MY.DOM -k
[2350] 1626851868.893962: Getting initial credentials for admin@MY.DOM
[2350] 1626851868.903866: Looked up etypes in keytab: aes256-cts
[2350] 1626851868.904208: Sending request (159 bytes) to MY.DOM
[2350] 1626851868.904791: Initiating TCP connection to stream 192.168.0.20:88
[2350] 1626851868.905166: Sending TCP request to stream 192.168.0.20:88
[2350] 1626851868.911604: Received answer (284 bytes) from stream 192.168.0.20:88
[2350] 1626851868.911656: Terminating TCP connection to stream 192.168.0.20:88
[2350] 1626851868.911899: Response was from master KDC
[2350] 1626851868.912014: Received error from KDC: -1765328359/Additional pre-authentication required
[2350] 1626851868.912099: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[2350] 1626851868.912114: Selected etype info: etype aes256-cts, salt "ZuWWT&U'8N#Hh\F<", params ""
[2350] 1626851868.912157: Received cookie: MIT
[2350] 1626851868.912183: PKINIT client has no configured identity; giving up
[2350] 1626851868.912255: Preauth module pkinit (147) (info) returned: 0/Success
[2350] 1626851868.912298: PKINIT client has no configured identity; giving up
[2350] 1626851868.912313: Preauth module pkinit (16) (real) returned: 22/Недопустимый аргумент
[2350] 1626851868.912326: PKINIT client has no configured identity; giving up
[2350] 1626851868.912334: Preauth module pkinit (14) (real) returned: 22/Недопустимый аргумент
[2350] 1626851868.912347: PKINIT client has no configured identity; giving up
[2350] 1626851868.912356: Preauth module pkinit (14) (real) returned: 22/Недопустимый аргумент
[2350] 1626851868.912434: Retrieving admin@MY.DOM from FILE:/etc/krb5.keytab (vno 0, enctype aes256-cts) with result: 0/Success
[2350] 1626851868.912489: AS key obtained for encrypted timestamp: aes256-cts/1735
[2350] 1626851868.912588: Encrypted timestamp (for 1626851868.911708): plain 301AA011180F32303231303732313037313734385AA10502030DE95C, encrypted 61DB80C38CB72434C69FD73CD4CC642F16B20299A928E67E3FBD8DAEEC449304F08FE5CEF9AA5E3129A18E141B678192E341086C5A722FEC
[2350] 1626851868.912607: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[2350] 1626851868.912614: Produced preauth for next request: 133, 2
[2350] 1626851868.912632: Sending request (252 bytes) to MY.DOM
[2350] 1626851868.912736: Initiating TCP connection to stream 192.168.0.20:88
[2350] 1626851868.912926: Sending TCP request to stream 192.168.0.20:88
[2350] 1626851868.922303: Received answer (284 bytes) from stream 192.168.0.20:88
[2350] 1626851868.922353: Terminating TCP connection to stream 192.168.0.20:88
[2350] 1626851868.922463: Response was from master KDC
[2350] 1626851868.922635: Received error from KDC: -1765328360/Preauthentication failed
[2350] 1626851868.922667: Preauth tryagain input types: 16, 14, 14, 136, 19, 147, 2, 133
kinit: Preauthentication failed while getting initial credentials
root@servfripa:~#
What could be wrong?
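One detail worth checking in the trace: the KDC answers with a non-default salt ("ZuWWT&U'8N#Hh\F<") in its etype info, while a key derived from the same password with the default Kerberos salt (realm followed by principal name, "MY.DOMadmin") is a different key, so an AS exchange with it fails preauth exactly as shown. The script below is an added example, not from the post, that reproduces the first stage of the RFC 3962 aes256-cts string-to-key (PBKDF2-HMAC-SHA1, 4096 iterations) for both salts with a constructed password and checks the routine against the RFC 3962 test vector; the password and the literal backslash in the copied salt are assumptions.

```python
import hashlib


def default_salt(principal: str) -> str:
    """Default Kerberos salt: the realm followed by the principal's name
    components concatenated without separators (admin@MY.DOM -> "MY.DOMadmin")."""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))


def aes_tkey(password: str, salt: str, iterations: int = 4096, keylen: int = 32) -> str:
    """First stage of the RFC 3962 string-to-key for aes256-cts-hmac-sha1-96:
    PBKDF2-HMAC-SHA1 over the UTF-8 password and salt, 32 bytes for AES-256.
    The final key is DK(tkey, "kerberos"), an AES-based deterministic step that is
    omitted here: distinct tkeys always yield distinct final keys."""
    return hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), salt.encode("utf-8"), iterations, keylen
    ).hex()


# Salt the KDC advertised in the trace above (backslash taken literally: assumption).
KDC_SALT = "ZuWWT&U'8N#Hh\\F<"


def compare_salts(password: str, principal: str, kdc_salt: str = KDC_SALT) -> dict:
    """Derive the PBKDF2 stage with the default salt and with the KDC's salt.
    If the two differ, a keytab entry built with the default salt cannot
    decrypt/encrypt the timestamp the KDC expects -> 'Preauthentication failed'."""
    return {
        "default_salt": default_salt(principal),
        "tkey_default": aes_tkey(password, default_salt(principal)),
        "tkey_kdc": aes_tkey(password, kdc_salt),
    }


if __name__ == "__main__":
    # Constructed test password; the real one is not on the page.
    result = compare_salts("TestPassw0rd", "admin@MY.DOM")
    for k, v in result.items():
        print(f"{k}: {v}")
    print("keys match:", result["tkey_default"] == result["tkey_kdc"])
```

Whatever derives the keytab entry (ktutil addent -password, or any other tool) must use the salt the KDC reports for the principal, otherwise the stored key never matches the KDC's copy.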