kinit failed to authenticate against Active Directory on W2K8

This document (7005039) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Desktop 10 Service Pack 2
SUSE Linux Enterprise Server 10 Service Pack 2

Situation

SLED or SLES System can join Windows 2008 Active Directory (AD) without problem.
But an attempt to authenticate with kinit does not succeed..

Here is an output's example of an unsuccessful kinit command:

# kinit -V -k -t /etc/krb5.keytab 'LQT0001$'
kinit(v5): Key table entry not found while getting initial credentials)

A network capture does also show the error_code "KRB5KDC_ERR_PREAUTH_REQUIRED"

Resolution

When kinit is called with the -k [<keytab>] option, it is required that the key for this enctype is available in the keytab. In the situation above, the used enctype is aes256-cts-hmac-sha1-96 as it is on top of the list of supported enctypes sent to the ADS (Active Directory Server); but this key is not present in the keytab.

To solve this issue, there are the following options:

Disable the aes key for this machine account on the Windows Server.
Change the krb5.conf and set
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.