Posted to kerby@directory.apache.org by Shobhit Mehta <sh...@gmail.com> on 2019/03/20 20:24:04 UTC

krb5kdc pre-auth error on FreeIPA using kerby-client

Hello,

I'm new to Kerberos and trying to use kerby-client (2.0.0) with FreeIPA. My
krb5.conf is
[libdefaults]
  dns_lookup_realm = true
  dns_lookup_kdc = true
  kdc_realm = <myrealm>
  kdc_host = <myhost>
  kdc_udp_port = 88

Below is my relevant client snippet
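  KrbConfig krbConfig = new KrbConfig();
  // Load the krb5.conf shown above (path given as a string literal)
  krbConfig.addKrb5Config(new File("krb5.conf"));
  KrbClient client = new KrbClient(krbConfig);
  client.init();
  // Password-based AS exchange; this is the call that fails
  TgtTicket tgt = client.requestTgt(username, password);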

but I'm getting the following pre-auth error on the requestTgt call above.
  Mar 20, 2019 4:10:51 PM org.apache.kerby.kerberos.kerb.client.ClientUtil getKDCList
  WARNING: Cannot get kdc for realm <myrealm>
  Mar 20, 2019 4:10:52 PM org.apache.kerby.kerberos.kerb.client.KrbHandler onResponseMessage
  INFO: KDC server response with message: Pre-authentication information was invalid
  Mar 20, 2019 4:10:52 PM org.apache.kerby.kerberos.kerb.client.KrbHandler onResponseMessage
  INFO: Pre-authentication information was invalid
  org.apache.kerby.kerberos.kerb.KrbException: PREAUTH_FAILED with error code: KDC_ERR_PREAUTH_FAILED
        at org.apache.kerby.kerberos.kerb.client.KrbHandler.onResponseMessage(KrbHandler.java:143)
        at org.apache.kerby.kerberos.kerb.client.impl.DefaultKrbHandler.handleRequest(DefaultKrbHandler.java:47)
        at org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient.sendIfPossible(DefaultInternalKrbClient.java:118)
        at org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient.doRequest(DefaultInternalKrbClient.java:81)
        at org.apache.kerby.kerberos.kerb.client.impl.DefaultInternalKrbClient.doRequestTgt(DefaultInternalKrbClient.java:126)
        at org.apache.kerby.kerberos.kerb.client.impl.AbstractInternalKrbClient.requestTgt(AbstractInternalKrbClient.java:129)
        at org.apache.kerby.kerberos.kerb.client.KrbClientBase.requestTgt(KrbClientBase.java:187)
        at org.apache.kerby.kerberos.kerb.client.KrbClient.requestTgt(KrbClient.java:71)
        at HelloKDC.main(HelloKDC.java:104)

krb5kdc.log on the FreeIPA server has this error
  krb5kdc[2172](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
  krb5kdc[2172](info): AS_REQ (3 etypes {18 17 16}) <myhost>: PREAUTH_FAILED: <username>@<myrealm> for krbtgt/<myrealm>@<myrealm>, Preauthentication failed


I'm able to successfully connect to this FreeIPA with the above krb5.conf using
JAAS, but my ultimate goal is to support OTP, which the JAAS API doesn't seem to
support at this time, and hence I'm looking at using the kerby-client API as an
alternative. Can you help point out what I'm missing and also give some pointers
on how to add support for FreeOTP tokens?

Thanks,
Shobhit