Hello Jochen,
here is the trace information. I do not have much experience with Kerberos, maybe you can
see a reason?
KRB5_TRACE=/dev/stderr kinit -kt /etc/keytab/servername.keytab HTTP/servername@domain.local
[8639] 1531391993.35803: Getting initial credentials for HTTP/servername@domain.local
[8639] 1531391993.36009: Looked up etypes in keytab: aes256-cts
[8639] 1531391993.36071: Sending request (196 bytes) to domain.local
[8639] 1531391993.36099: Resolving hostname kerberos.domain.local
[8639] 1531391993.36411: Sending initial UDP request to dgram xx.xx.xx.xx:88
[8639] 1531391994.37505: Initiating TCP connection to stream xx.xx.xx.xx:88
[8639] 1531391994.47972: Sending TCP request to stream xx.xx.xx.xx:88
[8639] 1531391994.59194: Received answer (209 bytes) from stream xx.xx.xx.xx:88
[8639] 1531391994.59365: Terminating TCP connection to stream xx.xx.xx.xx:88
[8639] 1531391994.123891: Response was not from master KDC
[8639] 1531391994.124071: Received error from KDC: -1765328359/Additional pre-authentication required
[8639] 1531391994.124163: Processing preauth types: 16, 15, 19, 2
[8639] 1531391994.124216: Selected etype info: etype aes256-cts, salt "DOMAIN.LOCALHTTPservername", params ""
[8639] 1531391994.124325: Retrieving HTTP/servername@domain.local from FILE:/etc/keytab/servername.keytab (vno 0, enctype aes256-cts) with result: 0/Success
[8639] 1531391994.124420: AS key obtained for encrypted timestamp: aes256-cts/3C17
[8639] 1531391994.124492: Encrypted timestamp (for 1531391993.432619): plain 301AA011180F32303138303731323130333935335AA10502030699EB, encrypted 1AB1CF23868718D3F7DCCB375E7B5C09655FE360088E5877846A9E84E7CCFD424496D15486173B0A8DE54FB12C394A9481BC9DFDCD5A032E
[8639] 1531391994.124544: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[8639] 1531391994.124572: Produced preauth for next request: 2
[8639] 1531391994.124622: Sending request (276 bytes) to domain.local
[8639] 1531391994.124690: Resolving hostname kerberos.domain.local
[8639] 1531391994.124813: Sending initial UDP request to dgram xx.xx.xx.xx:88
[8639] 1531391995.125972: Initiating TCP connection to stream xx.xx.xx.xx:88
[8639] 1531391995.136487: Sending TCP request to stream xx.xx.xx.xx:88
[8639] 1531391995.147521: Received answer (176 bytes) from stream xx.xx.xx.xx:88
[8639] 1531391995.147682: Terminating TCP connection to stream xx.xx.xx.xx:88
[8639] 1531391995.178245: Response was not from master KDC
[8639] 1531391995.178431: Received error from KDC: -1765328360/Preauthentication failed
[8639] 1531391995.178507: Preauth tryagain input types: 16, 15, 19, 2
[8639] 1531391995.178569: Getting initial credentials for HTTP/servername@domain.local
[8639] 1531391995.178667: Looked up etypes in keytab: aes256-cts
[8639] 1531391995.178731: Sending request (196 bytes) to domain.local (master)
kinit: Preauthentication failed while getting initial credentials
domain.local is the name of the domain
kerberos.domain.local is an Active Directory server with Kerberos enabled
servername is the server the application is installed on
Thanks
"Matthias Müller" <matthiasmueller07 at web.de> writes:
> I added the necessary fields in the ldap configuration before.
> Realm: local.domain
> Principal: HTTP/server.name@local.domain
> Keytab: /etc/keytab/servername.keytab
Ok.
> local.domain and server.name are placeholders for the original
> settings.
> The following message is shown with kinit and kvno:
> kinit: Preauthentication failed while getting initial credentials
> No credentials cache found (filename: /tmp/krb5cc_0) while getting client principal name
That's bad. My system has:
[root@saml keycloak]# kinit -kt keycloak.keytab HTTP/saml.example.org
[root@saml keycloak]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: HTTP/saml.example.org@EXAMPLE.ORG

Valid starting       Expires              Service principal
08.07.2018 22:09:40  09.07.2018 22:09:40  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Until that works you don't need to look at anything else.
Please try:
KRB5_TRACE=/dev/stderr kinit -kt /etc/keytab/servername.keytab HTTP/server.name@local.domain
> When I read the keytab file with klist the output is:
> 0 01/01/1970 00:00:00 HTTP/server.name@local.domain (aes256-cts-hmac-sha1-96)
That date looks fishy.
[root@saml keycloak]# klist -k keycloak.keytab
Keytab name: FILE:keycloak.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/saml.example.org@EXAMPLE.ORG
   1 HTTP/saml.example.org@EXAMPLE.ORG
   1 HTTP/saml.example.org@EXAMPLE.ORG
   1 HTTP/saml.example.org@EXAMPLE.ORG
Can you please move the discussion back to the keycloak list? Thanks.
Jochen
--
This space is intentionally left blank.
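The two checks Jochen asks for (does `kinit -kt` succeed, and what kvno and timestamp does `klist` show for the keytab) and the trace Matthias posted can be read mechanically. The script below is an added example written for this thread; it is not code from the mailing list, from Keycloak or from MIT Kerberos. It parses KRB5_TRACE output and a `klist -kte` listing and reports what the AS exchange shows: the KDC accepted the request only after `encrypted_timestamp` preauth was produced from the keytab key and then answered `Preauthentication failed`, which means the key in the keytab is not the account's current key for that enctype; the `vno 0` in the trace and the 01/01/1970 timestamp in the listing are the "fishy" keytab Jochen points at; and the KDC's salt shows the realm as `DOMAIN.LOCAL` while the principal was given with a lower-case realm. The sample inputs are constructed from the lines posted above (principals and paths as posted, wrapped lines re-joined); the finding codes are this script's own.

```python
"""Triage a keytab-based kinit failure from KRB5_TRACE output and a `klist -kte` listing.
Added example for this thread, not code from the list, from Keycloak or from MIT Kerberos;
sample inputs are constructed from lines posted in the thread, finding codes are this script's own."""
import re

# Constructed from the trace Matthias posted (same PID and timestamps, wrapped lines re-joined).
SAMPLE_TRACE = """\
[8639] 1531391993.35803: Getting initial credentials for HTTP/servername@domain.local
[8639] 1531391994.124071: Received error from KDC: -1765328359/Additional pre-authentication required
[8639] 1531391994.124216: Selected etype info: etype aes256-cts, salt "DOMAIN.LOCALHTTPservername", params ""
[8639] 1531391994.124325: Retrieving HTTP/servername@domain.local from FILE:/etc/keytab/servername.keytab (vno 0, enctype aes256-cts) with result: 0/Success
[8639] 1531391994.124544: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[8639] 1531391995.178431: Received error from KDC: -1765328360/Preauthentication failed
"""

# Constructed `klist -kte` listing matching the keytab line Matthias quoted (kvno 0, epoch date).
SAMPLE_KEYTAB_LISTING = """\
Keytab name: FILE:/etc/keytab/servername.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   0 01/01/1970 00:00:00 HTTP/servername@domain.local (aes256-cts-hmac-sha1-96)
"""

KRB5KDC_ERR_PREAUTH_FAILED = -1765328360  # MIT krb5 code, printed as such in the trace

TRACE_LINE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
CLIENT_PRINC = re.compile(r"Getting initial credentials for (\S+)")
KDC_ERROR = re.compile(r"Received error from KDC: (-?\d+)/(.*)")
ETYPE_INFO = re.compile(r'Selected etype info: etype ([\w-]+), salt "([^"]*)"')
KEYTAB_GET = re.compile(r"Retrieving (\S+) from (\S+) \(vno (\d+), enctype ([\w-]+)\) with result: (\d+)/")
PREAUTH_RESULT = re.compile(r"Preauth module (\w+) \((\d+)\) \((\w+)\) returned: (\d+)/")
# klist -kt[e] row: kvno, optional timestamp (date separator '/' or '.' by locale), principal, optional (enctype)
KEYTAB_ROW = re.compile(r"^\s*(\d+)\s+(?:(\d{2}[./]\d{2}[./]\d{4}\s+\d{2}:\d{2}:\d{2})\s+)?(\S+)(?:\s+\(([^)]+)\))?\s*$")


def parse_trace(text):
    """Collect what decides a keytab AS-REQ: client principal, KDC salt, keytab entry used,
    preauth module results and every KDC error in the order it was received."""
    facts = {"client": None, "salt": None, "keytab_entry": None, "kdc_errors": [], "preauth": []}
    for raw in text.splitlines():
        line = TRACE_LINE.match(raw)
        if not line:
            continue
        msg = line.group(3)
        if (m := CLIENT_PRINC.search(msg)):
            facts["client"] = m.group(1)
        elif (m := KDC_ERROR.search(msg)):
            facts["kdc_errors"].append((int(m.group(1)), m.group(2).strip()))
        elif (m := ETYPE_INFO.search(msg)):
            facts["salt"] = m.group(2)
        elif (m := KEYTAB_GET.search(msg)):
            facts["keytab_entry"] = {"principal": m.group(1), "path": m.group(2),
                                     "vno": int(m.group(3)), "enctype": m.group(4)}
        elif (m := PREAUTH_RESULT.search(msg)):
            facts["preauth"].append((m.group(1), int(m.group(4))))
    return facts


def parse_keytab_listing(text):
    """Turn `klist -kt[e]` rows into dicts; the header and separator lines do not match."""
    entries = []
    for raw in text.splitlines():
        m = KEYTAB_ROW.match(raw)
        if m:
            entries.append({"kvno": int(m.group(1)), "timestamp": m.group(2),
                            "principal": m.group(3), "enctype": m.group(4)})
    return entries


def diagnose(trace_text, listing_text):
    """Return (code, explanation) findings; an empty list means nothing suspicious was seen."""
    facts = parse_trace(trace_text)
    entries = parse_keytab_listing(listing_text)
    findings = []
    codes = [code for code, _ in facts["kdc_errors"]]
    timestamp_built = any(mod == "encrypted_timestamp" and rc == 0 for mod, rc in facts["preauth"])
    if codes and codes[-1] == KRB5KDC_ERR_PREAUTH_FAILED and timestamp_built:
        # The client encrypted its timestamp with the keytab key; the KDC could not verify it.
        findings.append(("KEY_MISMATCH", "KDC rejected the encrypted timestamp built from the keytab key; "
                         "that key is not the account's current key for this enctype (password changed "
                         "since the keytab was made, or keytab built with the wrong password/salt)."))
    entry = facts["keytab_entry"]
    if (entry and entry["vno"] == 0) or any(e["kvno"] == 0 for e in entries):
        findings.append(("KVNO_ZERO", "keytab entry has kvno 0: the key version was never taken from "
                         "the account; regenerate the keytab so its kvno matches the key version on the KDC."))
    if any(e["timestamp"] and re.search(r"\b1970\b", e["timestamp"]) for e in entries):
        findings.append(("EPOCH_TIMESTAMP", "keytab entry timestamp is the Unix epoch: the writing tool "
                         "stored no creation time, consistent with a hand-built or converted keytab."))
    if facts["client"] and facts["salt"]:
        realm = facts["client"].rsplit("@", 1)[-1]
        kdc_realm = facts["salt"][:len(realm)]  # MIT's default salt starts with the realm name
        if kdc_realm.upper() == realm.upper() and kdc_realm != realm:
            findings.append(("REALM_CASE", f"principal uses realm '{realm}' but the KDC salt shows "
                             f"'{kdc_realm}'; realm names are case-sensitive (RFC 4120), so build the "
                             "keytab and call kinit with the canonical upper-case realm."))
    return findings


if __name__ == "__main__":
    for code, text in diagnose(SAMPLE_TRACE, SAMPLE_KEYTAB_LISTING):
        print(f"{code}: {text}")
```

Run as a script it prints the four findings for the posted trace and keytab; fed Jochen's working `klist -k` rows (kvno 1, no KDC error) it returns an empty list. The realm-case finding is advisory: AD KDCs tolerate a lower-case realm in the request, but a keytab generated under a mis-cased realm is a common way to end up with a key the KDC does not have, so it is worth ruling out before regenerating anything else.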