Hello,
actually we faced similar problems with kinit. And I didn't know
what the root cause was for a couple of months.
Finally we found a solution which helped, but we are still not quite sure if
we are using it the right way.

Ok, so in our case there is a service account named e.g. "xxxadmin"; using it we
generated the keytabs and SPNs.
In our first attempt (which was not working) we generated the keytab as
follows:

ktpass -princ HTTP/[email protected] -mapuser xxxadmin -pass password -out generated.keytab

With this kind of keytab installed on the CAS host we got the same error
with Kerberos (Pre-authentication required).
For sure it was in the CAS log; not sure if also with the kinit command.

What we changed so that SPNEGO is working was the principal name in
ktpass.exe and in the SPNEGO configuration, to be
"xxxadmin@our.company.realm" instead of
"HTTP/[email protected]".
So keytab creation was changed this way:
ktpass -princ xxxadmin@OUR.COMPANY.REALM -mapuser xxxadmin -pass password -out generated.keytab

Second thing was creation of SPN (which is done under xxxadmin AD account):
setspn.exe -A HTTP/CAS.SERVER.URL xxxadmin

Now we are using the same princ "xxxadmin@our.company.realm" and a single
keytab for plenty of our CAS servers running on different hosts.
We are just adding new SPNs for each host under the xxxadmin account.

I am not really sure whether such an approach is correct.
Maybe somebody can shed some light here on what the problem with the
principal names and keytabs can be....

I am not sure if this can help you, but at least you can try .. ;)

If you need, you can send me more details about your configuration of
/etc/krb5.conf and keytab generation, etc.

BR, Lukas


2011/10/14 Dave <[email protected]>

> A follow up on this.  I've found that it was working from the command line
> because I was running the test through the kinit tool in the JDK 1.5u12 and
> the application uses JDK 1.6u26.  I got our system admins to install the
> krb5-client package and now when I run the kinit tool it's hitting the
> correct JDK.  And as such I'm getting an error trying to run it.
>
>
> ead@casap01txdu:/usr/java> kinit
> Password for HTTP/[email protected]:
> kinit(v5): Preauthentication failed while getting initial credentials
>
> So doing a little googling I see this:
>
>
> http://www.ncsa.illinois.edu/UserInfo/Resources/Software/kerberos/troubleshooting.html#kinit_2
> This happens when a user's principal has the "requires_preauth" flag and
> either one of three things occurs:
>
> - They enter their password incorrectly
> - They only have an AFS salted key in the KDC database. This will cause a
> "file not found" error in the KDC logs.
> - The clock skew on the system they are on is too large. This will be
> indicated in the KDC logs.
>
>
> I don't think it's a password thing because I can get it to work with JDK
> 1.5.  I also don't think it's a clock skew problem because we have the
> default 5 minute skew and we're well within those parameters.  That leaves
> an AFS salted key?
>
> Has anyone run into this before?
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
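Both messages above turn on which principal a keytab really contains (HTTP/host@REALM versus a plain user principal such as xxxadmin@REALM) and whether it matches what the client or SPNEGO filter asks for. The following is an added example, not code from the thread or from CAS: a small parser for the MIT keytab file format (version 0x0502) that lists each entry's principal, name type, kvno and enctype without exposing the key bytes, run against a keytab constructed in memory. The host name cas.example.test, the realm OUR.COMPANY.REALM, the key material and the timestamps are all constructed placeholders.

```python
"""List the principals held in a Kerberos keytab (MIT keytab format v2).

Added example for the cas-user thread; not part of CAS or of the original
mail. The sample keytab below is built in memory with placeholder keys.
"""
import struct

KEYTAB_V2 = b"\x05\x02"
# Principal name types (RFC 4120 section 6.2)
KRB5_NT_PRINCIPAL = 1   # user principal, e.g. xxxadmin@REALM
KRB5_NT_SRV_HST = 3     # host-based service principal, e.g. HTTP/host@REALM
# Well-known enctype numbers (RFC 3961 / RFC 4757)
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18
ENCTYPE_RC4_HMAC = 23


def _counted(b: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit big-endian length + bytes."""
    return struct.pack(">H", len(b)) + b


def build_entry(principal: str, kvno: int, enctype: int, key: bytes, ts: int) -> bytes:
    """Serialize one v2 keytab entry for 'comp1/comp2@REALM' (used to build the sample)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    name_type = KRB5_NT_SRV_HST if len(comps) > 1 else KRB5_NT_PRINCIPAL
    body = struct.pack(">H", len(comps))            # v2: count excludes the realm
    body += _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", name_type, ts, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)                 # optional 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body


def parse_keytab(data: bytes) -> list:
    """Return one dict per entry: principal, name_type, kvno, enctype, timestamp."""
    if data[:2] != KEYTAB_V2:
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                                # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        pos += klen                                 # skip the key; never report it
        kvno = vno8
        if end - pos >= 4:                          # 32-bit kvno present and non-zero?
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "name_type": name_type, "kvno": kvno,
                        "enctype": enctype, "timestamp": ts})
    return entries


def has_principal(entries: list, principal: str) -> bool:
    """True if the keytab holds a key for exactly this principal name."""
    return any(e["principal"] == principal for e in entries)


# Constructed sample: one service principal and one user principal, both kvno 3.
KEYTAB_SAMPLE = (
    KEYTAB_V2
    + build_entry("HTTP/cas.example.test@OUR.COMPANY.REALM", 3,
                  ENCTYPE_RC4_HMAC, b"\x11" * 16, 1318550400)
    + build_entry("xxxadmin@OUR.COMPANY.REALM", 3,
                  ENCTYPE_AES256_CTS_HMAC_SHA1_96, b"\x22" * 32, 1318550400)
)

if __name__ == "__main__":
    for e in parse_keytab(KEYTAB_SAMPLE):
        print("%-45s type=%d kvno=%d enctype=%d" %
              (e["principal"], e["name_type"], e["kvno"], e["enctype"]))
    print("HTTP SPN present:",
          has_principal(parse_keytab(KEYTAB_SAMPLE),
                        "HTTP/cas.example.test@OUR.COMPANY.REALM"))
```

Reading a real keytab is the same call with `parse_keytab(open(path, "rb").read())`. Two things worth checking from the output: that the principal string (including the realm's case) is exactly the one the SPNEGO filter or kinit is configured with, and that the kvno matches what the KDC currently holds, since rerunning ktpass with -pass resets the mapped account's password and a stale keytab then fails preauthentication just like a wrong password does.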
