Running a kinit as below fails:
[root@system ~]# kinit -k
kinit: Preauthentication failed while getting initial credentials
One possible reason for this is a duplicate SPN in two AD computer objects.
When this occurs since the samaccountname is right, and Safeguard Authentication Services (SAS) defaults to that SAS works (vastool kinit).
It is only the system ( MIT ) kinit that uses the real SPN that has an issue, since there was the duplication of SPN, but not SAM, in AD.
The kinit fails because it looks at the other computer object account and it has a different password.
To check for duplicates the following can be run:
VAS=/opt/quest/bin/vastool ; for spn in `$VAS -u host/ search -q "(servicePrincipalName=*)" servicePrincipalName | sort | uniq -d` ; do printf "\nDuplicated ServicePrincipalName: $spn\n"; $VAS -u host/ search -q "(servicePrincipalName=$spn)" distinguishedName ; done
If duplicates are found remove both computer objects and rejoin the system to the domain.