What were you trying to do that didn't work?
On IPA server, Kerberos ticket cannot be obtained with:
kinit -kt KDB: user@EXAMPLE.COM
Quote from man kinit:
On a KDC, the special keytab location KDB: can be used to indicate that kinit should open the KDC database and look up the key directly.
Please provide the package NVR for which bug is seen:
krb5-workstation-1.21.1-1.el9.x86_64
ipa-server-4.11.0-15.el9_4.x86_64
How reproducible:
Always
Steps to reproduce
- KRB5_TRACE=/dev/stderr kinit -V -kt KDB: user@EXAMPLE.COM
- klist
Expected results
Kerberos ticket can be obtained:
Valid starting     Expires            Service principal
08/08/24 12:18:04  11/08/24 12:18:04  krbtgt/EXAMPLE.COM@EXAMPLE.COM
Actual results
...
[1364923] 1723083616.747867: Retrieving user@EXAMPLE.COM from KDB: (vno 0, enctype aes256-cts) with result: -1765328203/Key table entry not found
[1364923] 1723083616.747868: Preauth module spake (151) (real) returned: -1765328203/Key table entry not found
[1364923] 1723083616.747869: Retrieving user@EXAMPLE.COM from KDB: (vno 0, enctype aes256-cts) with result: -1765328203/Key table entry not found
[1364923] 1723083616.747870: Preauth module encrypted_timestamp (2) (real) returned: -1765328203/Key table entry not found
kinit: Pre-authentication failed: Invalid argument while getting initial credentials
Additional Info
While we cannot get a ticket for the user principal using KDB:, the following service principals work:
host/host.example.com@EXAMPLE.COM
HTTP/host.example.com@EXAMPLE.COM
ldap/host.example.com@EXAMPLE.COM
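The following triage helper is an added example and not part of the bug report. It takes the KRB5_TRACE output shown under "Actual results", extracts every KDB: key lookup that failed (principal, enctype, result code), and separates user principals from service principals, which is the distinction the report makes (host/, HTTP/ and ldap/ work; the plain user principal does not). It assumes the trace line format quoted above; the success line in the sample is constructed, and check_kdb_kinit only does anything useful on an IPA server where kinit and the KDB are present.

```shell
#!/bin/sh
# Added triage helper, not from the bug report. Assumes KRB5_TRACE lines of the form
# "Retrieving <princ> from KDB: (vno N, enctype E) with result: <code>/<text>".

# Print "principal enctype code" for every KDB: key lookup whose result code is non-zero.
# -1765328203 is the code the report shows for "Key table entry not found".
summarize_trace() {
    awk '
        /Retrieving .* from KDB: .* with result: / {
            princ = $4
            enc = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "enctype") { enc = $(i + 1); sub(/\)$/, "", enc) }
            }
            n = split($0, parts, "with result: ")
            split(parts[n], res, "/")
            if (res[1] + 0 != 0) print princ, enc, res[1]
        }
    ' | sort -u
}

# "service" for a principal with an instance component (host/..., HTTP/..., ldap/...),
# "user" for a plain principal such as user@EXAMPLE.COM.
principal_kind() {
    case "$1" in
        */*) echo service ;;
        *)   echo user ;;
    esac
}

# Run the reproducer from the report for one principal and summarise the failures.
# Only meaningful on the IPA server / KDC host; stderr (the trace) is captured,
# stdout from kinit -V is discarded.
check_kdb_kinit() {
    trace=$(KRB5_TRACE=/dev/stderr kinit -V -kt KDB: "$1" 2>&1 >/dev/null)
    printf '%s\n' "$trace" | summarize_trace
}

# Constructed sample: two failing lines copied from the report plus one success
# line for a service principal (0/Success is the trace text for a successful lookup).
SAMPLE_TRACE='[1364923] 1723083616.747867: Retrieving user@EXAMPLE.COM from KDB: (vno 0, enctype aes256-cts) with result: -1765328203/Key table entry not found
[1364923] 1723083616.747869: Retrieving user@EXAMPLE.COM from KDB: (vno 0, enctype aes256-cts) with result: -1765328203/Key table entry not found
[1364923] 1723083616.800000: Retrieving host/host.example.com@EXAMPLE.COM from KDB: (vno 3, enctype aes256-cts) with result: 0/Success'

printf '%s\n' "$SAMPLE_TRACE" | summarize_trace
# prints: user@EXAMPLE.COM aes256-cts -1765328203
```

On a real IPA server, `check_kdb_kinit user@EXAMPLE.COM` followed by `check_kdb_kinit host/$(hostname)@EXAMPLE.COM` reproduces the report's observation: the user lookup prints a failure line, the service lookup prints nothing.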
Is documented by: RHELDOCS-18785 Document no support for "KDB:" kinit credentials provider with IPA (status: New)