While attempting to do a vastool join, the join fails with the following error:
vas_id_establish_cred_keytab: keytab establish cred for HELLO$@ONE.PROD failed,
err = VAS_ERR_KRB5: Failed to obtain credentials. Keytab: /etc/opt/quest/vas/host.keytab, Client: HELLO$@ONE.PROD, Service:
krbtgt/ONE.PROD@W2K.FEICO.COM, Server: w2k3-dc-r2-64.one.prod
Caused by:
KRB5KDC_ERR_PREAUTH_REQUIRED (-1765328359): Additional pre-authentication required
2007-08-06 14:28:48: vasadmin_computer_join: Could not get cred for HELLO$@ONE.PROD, failed for some reason.
2007-08-06 14:28:48: _ld_age: Found ld associated with w2k3-dc-r2-64.one.prod with age exceeding 0 seconds.
2007-08-06 14:28:48: _ld_free: Closing ld associated with: w2k3-dc-r2-64.one.prod.
Failed
ERROR: Unable to join computer object
This is commonly caused by an older or modified vas.conf file already on the system in which default_etypes is set to use des-cbc-crc keys instead of arcfour-hmac-md5.
root@hello:~# more /etc/opt/quest/vas/vas.conf
[libdefaults]
default_realm = ONE.PROD
ticket_lifetime = 36000
default_keytab_name = /etc/opt/quest/vas/host.keytab
default_types = des-cbc-crc
default_etypes = des-cbc-crc
default_etypes_des = des-cbc-crc
Running the following vastool command to view the contents of the /etc/opt/quest/vas/host.keytab file shows that all keys are of type arcfour-hmac-md5:
root@hello:~# vastool ktutil list
/etc/opt/quest/vas/host.keytab:
Vno Type Principal
11 arcfour-hmac-md5 host/hello.one.prod@ONE.PROD
11 arcfour-hmac-md5 HELLO$@ONE.PROD
11 arcfour-hmac-md5 cifs/hello.one.prod@ONE.PROD
11 arcfour-hmac-md5 host/HELLO@ONE.PROD
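The mismatch described above can be checked before retrying the join. The script below is an added example, not Quest or One Identity code: it reads a vas.conf and saved "vastool ktutil list" output and reports whether any enctype listed in default_etypes has a key for the given principal at its highest Vno. The function names and scratch files are illustrative, and it assumes that a join needs at least one configured enctype to be present in the keytab.

```shell
#!/usr/bin/env bash
# Added example (not vendor code): is there a keytab key for any enctype
# that [libdefaults] default_etypes asks for?

# Print the default_etypes values from [libdefaults] in file $1, one per line.
conf_etypes() {
    awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*default_etypes[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            n = split($0, v, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (v[i] != "") print v[i]
        }' "$1"
}

# Print the key types held for principal $2 at its highest Vno, reading saved
# "vastool ktutil list" output from file $1.
keytab_etypes() {
    awk -v p="$2" '
        $1 ~ /^[0-9]+$/ && $3 == p {
            if ($1 + 0 > max) { max = $1 + 0; types = "" }
            if ($1 + 0 == max) types = types $2 "\n"
        }
        END { printf "%s", types }' "$1"
}

# Return 0 if a configured enctype has a key, 1 on mismatch, 2 if none is set.
check_etypes() {   # $1 = vas.conf, $2 = saved listing, $3 = principal
    local want have t
    want=$(conf_etypes "$1"); have=$(keytab_etypes "$2" "$3")
    [ -n "$want" ] || { echo "UNSET: no default_etypes in [libdefaults]"; return 2; }
    for t in $want; do
        if printf '%s\n' "$have" | grep -qxF -e "$t"; then
            echo "OK: $3 has a $t key"; return 0
        fi
    done
    echo "MISMATCH: default_etypes=$(echo $want) keytab=$(echo $have)"
    return 1
}

# Sample inputs trimmed from the listings on this page, written to a scratch dir.
demo_dir=$(mktemp -d)
printf '[libdefaults]\ndefault_realm = ONE.PROD\ndefault_etypes = des-cbc-crc\ndefault_etypes_des = des-cbc-crc\n' > "$demo_dir/vas.conf.bad"
printf '[libdefaults]\ndefault_realm = ONE.PROD\ndefault_etypes = arcfour-hmac-md5\ndefault_etypes_des = des-cbc-crc\n' > "$demo_dir/vas.conf.good"
printf 'Vno Type Principal\n11 arcfour-hmac-md5 host/hello.one.prod@ONE.PROD\n11 arcfour-hmac-md5 HELLO$@ONE.PROD\n' > "$demo_dir/keytab.txt"
check_etypes "$demo_dir/vas.conf.bad"  "$demo_dir/keytab.txt" 'HELLO$@ONE.PROD' || true
check_etypes "$demo_dir/vas.conf.good" "$demo_dir/keytab.txt" 'HELLO$@ONE.PROD'
```

On a live host the inputs would be /etc/opt/quest/vas/vas.conf and the output of vastool ktutil list redirected to a file.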
The default setup for [libdefaults] for Quest Authentication Services (QAS/VAS) is as follows:
[libdefaults]
default_realm = ONE.PROD
ticket_lifetime = 36000
default_keytab_name = /etc/opt/quest/vas/host.keytab
default_etypes = arcfour-hmac-md5
default_etypes_des = des-cbc-crc
DES keys can be forced into the keytab for older (server-side) applications that do not support RC4 encryption. The following example shows how the administrator user would generate DES keys in the host.keytab when setting the password for the computer account:
# vastool -u administrator passwd -e -r host/
This produces the following results in /etc/opt/quest/vas/host.keytab:
root@hello:/home/jhurst/workspace/VAS3.2.0# vastool ktutil list
/etc/opt/quest/vas/host.keytab:
Vno Type Principal
11 arcfour-hmac-md5 host/hello.one.prod@ONE.PROD
11 arcfour-hmac-md5 HELLO$@ONE.PROD
11 arcfour-hmac-md5 cifs/hello.one.prod@ONE.PROD
11 arcfour-hmac-md5 host/HELLO@ONE.PROD
12 arcfour-hmac-md5 HELLO$@ONE.PROD
12 arcfour-hmac-md5 host/hello.one.prod@ONE.PROD
12 arcfour-hmac-md5 cifs/hello.one.prod@ONE.PROD
12 arcfour-hmac-md5 host/HELLO@ONE.PROD
12 des-cbc-crc HELLO$@ONE.PROD
12 des-cbc-crc host/hello.one.prod@ONE.PROD
12 des-cbc-crc cifs/hello.one.prod@ONE.PROD
12 des-cbc-crc host/HELLO@ONE.PROD
12 des-cbc-md5 HELLO$@ONE.PROD
12 des-cbc-md5 host/hello.one.prod@ONE.PROD
12 des-cbc-md5 cifs/hello.one.prod@ONE.PROD
12 des-cbc-md5 host/HELLO@ONE.PROD
For more information about using DES keys with VAS please read the VAS man pages.