Active directory and Kerberos for unix authentication error
- From: Ste <ste@xxxxxxxx>
- Date: Fri, 21 Dec 2007 16:09:25 +0100
Hello,
I've been trying for many days to debug a problem, without success. I simply have a DC running Windows 2003 Std R2 SP2 acting as KDC, and I have to authenticate from a Linux client.
On the domain controller I've created a user (username blauthapp), flagged "Use DES Encryption".
Setup SPN:
setspn -A blauthapp/app1 blauthapp
Exported keytab
ktpass -out blauthapp.keytab -princ blauthapp/app1@xxxxxxxxxx -mapuser blauthapp@xxxxxxxxxx +rndPass -minPass 33 -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5
The keytab is created, zipped, and copied to the Linux client. Unzipped. Checked MD5 and CRC.
Now run:
[root@itsm-bl1 ~]# kinit -k -t /tmp/blauthapp.keytab blauthapp/app1@xxxxxxxxxx
kinit(v5): Preauthentication failed while getting initial credentials
/etc/krb5.conf looks like this:
[root@itsm-bl1 ~]# cat /etc/krb5.conf
[libdefaults]
ticket_lifetime = 6000
default_realm = INET.LOCAL
default_tkt_enctypes = des-cbc-md5
default_tgs_enctypes = dec-cbc-md5
[realms]
INET.LOCAL = {
kdc = addc-mi02.INET.LOCAL:88
}
[domain_realm]
.inet.local = INET.LOCAL
inet.local = INET.LOCAL
Clocks are synchronized. The Windows KDC reports:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 21/12/2007
Time: 11.50.45
User: NT AUTHORITY\SYSTEM
Computer: ADDC-MI02
Description:
Pre-authentication failed:
User Name: blauthapp
User ID: INET\blauthapp
Service Name: krbtgt/INET.LOCAL
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: CLIENTIPADDR
It all seems to be related to a password... but which password?
ktpass.exe is version: 5.2.3790.1830
ktutil tells me:
ktutil: rkt /tmp/blauthapp.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 blauthapp/app1@xxxxxxxxxx
Also, using the Kerberos tools on Windows, on the same domain controller, running kinit generates the same error. If the password is generated when the keytab is created, and that keytab is used directly on the DC, it can't have a wrong password!
Any hints?
Thanks
Stefano
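
An added example, not part of the original post: a Python check over the krb5.conf quoted in the message that flags enctype names MIT Kerberos does not recognize, single-DES entries, and enctype lists that omit the enctype the keytab was exported with. The function names, the finding labels and the enctype set (a subset of the names MIT krb5 documents) are assumptions of this example.

```python
import re

# Subset of MIT krb5 enctype names (assumption: not exhaustive, no families).
KNOWN_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1", "arcfour-hmac",
    "arcfour-hmac-md5", "rc4-hmac", "aes128-cts", "aes128-cts-hmac-sha1-96",
    "aes256-cts", "aes256-cts-hmac-sha1-96",
}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Sample input: the krb5.conf lines as quoted in the message above.
SAMPLE_CONF = """\
[libdefaults]
ticket_lifetime = 6000
default_realm = INET.LOCAL
default_tkt_enctypes = des-cbc-md5
default_tgs_enctypes = dec-cbc-md5
[realms]
INET.LOCAL = {
kdc = addc-mi02.INET.LOCAL:88
}
"""

def parse_libdefaults(text):
    """Return {key: value} for the [libdefaults] section only."""
    section, values = None, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[key] = value
    return values

def lint_enctypes(text, keytab_enctype=None):
    """Return (key, enctype, problem) findings for each enctype list."""
    findings, conf = [], parse_libdefaults(text)
    for key in (k for k in ENCTYPE_KEYS if k in conf):
        names = re.split(r"[\s,]+", conf[key].lower())
        for name in names:
            if name not in KNOWN_ENCTYPES:
                findings.append((key, name, "unknown"))
            elif name.startswith("des-"):  # single DES, deprecated by RFC 6649
                findings.append((key, name, "weak"))
        if keytab_enctype and keytab_enctype.lower() not in names:
            findings.append((key, keytab_enctype.lower(), "not-in-list"))
    return findings
```

Calling `lint_enctypes(SAMPLE_CONF, "DES-CBC-MD5")` passes the `-crypto` value from the ktpass command as the keytab enctype; the findings describe the configuration file only and do not by themselves identify the cause of the pre-authentication failure.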