With the debugging tools presented above, we’ll run through a few problem scenarios, from the initial symptoms of a problem through to its solution.
Several errors can occur when attempting to obtain an initial Ticket Granting Ticket from a Kerberos KDC. Since there are many ways to obtain a TGT, such as through integrated login with a PAM Kerberos module, the best way to narrow down problems is by using the Unix kinit program manually. This will work even if your KDC is a Windows domain controller, given that the principal you’re testing has been set up for DES encryption (see Chapter 8).
Let’s go through a few examples:
> kinit
Password for jgarman@WEDGIE.ORG:
kinit(v5): Preauthentication failed while getting initial credentials
If your realm requires pre-authentication (see Chapter 6), then this message is typically just Kerberos-speak for “incorrect password.” Note that Windows domain controllers require pre-authentication by default. Also note that this message can result from a client that does not support the pre-authentication type required by the KDC. However, all of the Kerberos implementations we cover here support the Encrypted Timestamp (PA-ENC-TIMESTAMP) pre-authentication method. Of course, if you are interoperating with a Kerberos implementation that does not support pre-authentication, and your realm requires it, you will have to disable pre-authentication in the KDC policy.
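The manual kinit check described above can be scripted so that the error line is captured and mapped to the likely causes just discussed. This is an added example, not code from the book; it assumes MIT kinit, which reads the password from stdin when stdin is not a terminal, and the hint text is a paraphrase of the explanation above.

```python
import re
import subprocess

# Matches the MIT kinit error line, e.g.
#   kinit(v5): Preauthentication failed while getting initial credentials
# and captures the bare error message ("Preauthentication failed").
KINIT_ERROR = re.compile(
    r"kinit(?:\(v5\))?: (?P<msg>.+?)(?: while getting initial credentials)?\s*$",
    re.M,
)

# Likely causes for the message discussed above (paraphrased from the text).
HINTS = {
    "Preauthentication failed": [
        "Usually just an incorrect password; Windows DCs require pre-auth by default.",
        "Can also mean the client lacks the pre-auth type the KDC demands; "
        "PA-ENC-TIMESTAMP is the one every implementation covered here supports.",
    ],
}


def classify_kinit_output(text):
    """Return (message, hints) for the first kinit error in text, or (None, []) if none."""
    m = KINIT_ERROR.search(text)
    if not m:
        return None, []
    msg = m.group("msg").strip()
    return msg, HINTS.get(msg, ["No specific guidance for this message; check the KDC log."])


def run_kinit(principal, password):
    """Run kinit non-interactively (assumption: MIT kinit takes the password on stdin)
    and classify the outcome. Returns (ok, message, hints)."""
    proc = subprocess.run(["kinit", principal], input=password + "\n",
                          capture_output=True, text=True)
    if proc.returncode == 0:
        return True, None, []
    msg, hints = classify_kinit_output(proc.stderr + proc.stdout)
    return False, msg, hints
```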
Next, there is a possibility that the ...