Posted to kerby@directory.apache.org by Shobhit Mehta <sh...@gmail.com> on 2019/03/20 20:24:04 UTC
krb5kdc pre-auth error on FreeIPA using kerby-client
Hello,
I'm new to Kerberos and trying to use kerby-client (2.0.0) with FreeIPA. My
krb5.conf is
[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
kdc_realm = <myrealm>
kdc_host = <myhost>
kdc_udp_port = 88
Below is my relevant client snippet
KrbConfig krbConfig = new KrbConfig();
// path to the krb5.conf shown above
krbConfig.addKrb5Config(new File("krb5.conf"));
KrbClient client = new KrbClient(krbConfig);
client.init();
TgtTicket tgt = client.requestTgt(username, password);
but I'm getting the following pre-auth error on the requestTgt call above.
Mar 20, 2019 4:10:51 PM org.apache.kerby.kerberos.kerb.client.ClientUtil getKDCList
WARNING: Cannot get kdc for realm <myrealm>
Mar 20, 2019 4:10:52 PM org.apache.kerby.kerberos.kerb.client.KrbHandler onResponseMessage
INFO: KDC server response with message: Pre-authentication information was invalid
Mar 20, 2019 4:10:52 PM org.apache.kerby.kerberos.kerb.client.KrbHandler onResponseMessage
INFO: Pre-authentication information was invalid
org.apache.kerby.kerberos.kerb.KrbException: PREAUTH_FAILED with error code: KDC_ERR_PREAUTH_FAILED
    at org.apache.kerby.kerberos.kerb.client.KrbHandler.onResponseMessage(KrbHandler.java:143)
    at org.apache.kerby.kerberos.kerb.client.impl.DefaultKrbHandler.handleRequest(DefaultKrbHandler.java:47)
    at org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient.sendIfPossible(DefaultInternalKrbClient.java:118)
    at org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient.doRequest(DefaultInternalKrbClient.java:81)
    at org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient.doRequestTgt(DefaultInternalKrbClient.java:126)
    at org.apache.kerby.kerberos.kerb.client.impl.AbstractInternalKrbClient.requestTgt(AbstractInternalKrbClient.java:129)
    at org.apache.kerby.kerberos.kerb.client.KrbClientBase.requestTgt(KrbClientBase.java:187)
    at org.apache.kerby.kerberos.kerb.client.KrbClient.requestTgt(KrbClient.java:71)
    at HelloKDC.main(HelloKDC.java:104)
krb5kdc.log on the FreeIPA server has this error
krb5kdc[2172](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
krb5kdc[2172](info): AS_REQ (3 etypes {18 17 16}) <myhost>: PREAUTH_FAILED: <username>@<myrealm> for krbtgt/<myrealm>@<myrealm>, Preauthentication failed
I'm able to successfully connect to this FreeIPA with the above krb5.conf using
JAAS, but my ultimate goal is to support OTP, which the JAAS API doesn't seem to
support at this time, and hence I'm looking at using the kerby-client API as
an alternative. Can you help point out what I'm missing, and also give some
pointers on how to add support for FreeOTP tokens?
Thanks,
Shobhit
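
Added example, not part of the original post and not Kerby or FreeIPA code: a small triage script for krb5kdc.log records in the format quoted above. It pairs each "preauth (...) verify failure" line with the AS_REQ that follows from the same krb5kdc process and decodes the numeric etypes. The realm, principals, addresses and sample lines are constructed, and the regular expressions assume the numeric "{18 17 16}" etype format shown in the post.

```python
import re
from collections import defaultdict

# Encryption type numbers as assigned in RFC 3961, 3962 and 4757.
ETYPES = {16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

PREAUTH = re.compile(r"krb5kdc\[(\d+)\]\(info\): preauth \((\w+)\) verify failure")
AS_REQ = re.compile(r"krb5kdc\[(\d+)\]\(info\): AS_REQ \(\d+ etypes \{([\d ]*)\}\) "
                    r"(\S+): (\w+): (.*)$")
PRINCIPALS = re.compile(r"(\S+) for (\S+?)(?:, .*)?$")

# Constructed sample (not from the post); one log record per line.
SAMPLE = """\
krb5kdc[2172](info): AS_REQ (3 etypes {18 17 16}) 192.0.2.10: NEEDED_PREAUTH: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
krb5kdc[2172](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
krb5kdc[2172](info): AS_REQ (3 etypes {18 17 16}) 192.0.2.10: PREAUTH_FAILED: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
krb5kdc[2172](info): AS_REQ (2 etypes {18 17}) 192.0.2.20: ISSUE: authtime 1553112652, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
"""

def summarize(lines):
    """Count AS_REQ outcomes per (client, source) and note failing preauth types."""
    pending = {}  # pid -> mechanism named by the latest "verify failure" line
    stats = defaultdict(lambda: {"outcomes": defaultdict(int),
                                 "etypes": [], "mechanisms": set()})
    for line in lines:
        m = PREAUTH.search(line)
        if m:
            pending[m.group(1)] = m.group(2)
            continue
        m = AS_REQ.search(line)
        p = PRINCIPALS.search(m.group(5)) if m else None
        if not p:
            continue  # not an AS_REQ record, or principals not recognised
        pid, etypes, source, status, _ = m.groups()
        entry = stats[(p.group(1), source)]
        entry["outcomes"][status] += 1
        entry["etypes"] = [ETYPES.get(int(e), e) for e in etypes.split()]
        mech = pending.pop(pid, None)
        if status == "PREAUTH_FAILED" and mech:
            entry["mechanisms"].add(mech)
    return stats

def never_succeeded(stats):
    """(client, source) pairs that failed pre-auth and were never issued a ticket."""
    return sorted(k for k, v in stats.items()
                  if v["outcomes"]["PREAUTH_FAILED"] and not v["outcomes"]["ISSUE"])
```

Run `summarize()` over the lines of krb5kdc.log; a pair reported by `never_succeeded()` with only `encrypted_timestamp` failures matches the pattern in the post, where the same credentials work through another client.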