jcmturner / gokrb5

Pure Go Kerberos library for clients and services
Apache License 2.0

Creating a keytabFile for FreeIPA #537

Open Denis-shl opened 6 months ago

Denis-shl commented 6 months ago

Hello!

I am using the following function:

```go
package main

import (
	"strings"
	"time"

	"github.com/jcmturner/gokrb5/v8/iana/etypeID"
	"github.com/jcmturner/gokrb5/v8/keytab"
)

func gen() (err error, keytabFileByte []byte) {
	var (
		kt               = keytab.New()
		ts               = time.Now()
		kvno       uint8 = 10 // AddEntry takes the KVNO as a uint8
		password         = "test"
		encryption       = "aes256-cts-hmac-sha1-96"
	)

	// EtypeSupported maps the enctype name to its etype ID (0 if unsupported).
	et := etypeID.EtypeSupported(strings.ToLower(encryption))
	err = kt.AddEntry("User", "EXAMPLE.COM", password, ts, kvno, et)
	if err != nil {
		return err, keytabFileByte
	}

	// Assign with "=", not ":=": both names are already declared as results.
	keytabFileByte, err = kt.Marshal()
	if err != nil {
		return err, keytabFileByte
	}
	return nil, keytabFileByte
}
```

I get kvno using the kvno console utility. The password has been verified using kinit.

The file was saved to disk. When I execute the command `kinit -k -t kt.key principal`, I get an error: `kinit: Preauthentication failed while getting initial credentials`.

Why can't I generate a valid keytabFile?

My krb5.conf:

```ini
[libdefaults]
    default_realm = EXAMPLE.COM
    ticket_lifetime = 100m

[realms]
    EXAMPLE.COM = {
        kdc = ipa.example.com:88
        admin_server = ipa.example.com:464
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```
meoww-bot commented 1 month ago

Hello, I have the same issue. Have you solved this problem?

meoww-bot commented 1 month ago

I know the reason why we got the error: the KDC has the 'preauth' flag enabled, so only the key in the KDC can be authenticated (check the KVNO via `kadmin.local -q 'getprinc User'`), but the `kt.AddEntry("User", "EXAMPLE.COM", password, ts, kvno, et)` way generates the key from the password and does not go through preauth.
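Added example, not part of this thread and not gokrb5 code: the check worth running before `kinit -k`, which is to decode the keytab that `kt.Marshal()` wrote and compare its principal name, realm, KVNO and enctype with what `kadmin.local -q 'getprinc User'` reports on the KDC, much as `klist -k -e` would. The parser below reads the MIT keytab file layout (version bytes 0x05 0x02, then length-prefixed entries) using only the Go standard library; `SampleKeytab` is a constructed one-entry file for User@EXAMPLE.COM with a dummy all-0x11 key, and `ktReader`, `parseEntry` and `ParseKeytab` are names chosen here, not library identifiers.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"io"
	"strings"
)

// KeytabEntry is one decoded entry of an MIT-format (version 0x0502) keytab.
type KeytabEntry struct {
	Principal string // name components joined with "/"
	Realm     string
	KVNO      uint32
	Etype     uint16 // 18 = aes256-cts-hmac-sha1-96, 17 = aes128-cts-hmac-sha1-96
	KeyLen    int    // the key bytes themselves are not retained
}

// ktReader is a bytes.Reader with a sticky error: reads after a failure are no-ops.
type ktReader struct {
	*bytes.Reader
	err error
}
func (k *ktReader) field(v interface{}) { // big-endian fixed-size value, or a []byte
	if k.err == nil {
		k.err = binary.Read(k.Reader, binary.BigEndian, v)
	}
}
func (k *ktReader) counted() string { // uint16 length prefix, then the bytes
	var n uint16
	k.field(&n)
	buf := make([]byte, n)
	k.field(buf)
	return string(buf)
}

func parseEntry(raw []byte) (KeytabEntry, error) { // raw is one entry body, after its int32 size
	k := &ktReader{Reader: bytes.NewReader(raw)}
	e, nComp := KeytabEntry{}, uint16(0)
	k.field(&nComp)
	e.Realm = k.counted()
	comps := make([]string, nComp)
	for i := range comps {
		comps[i] = k.counted()
	}
	e.Principal = strings.Join(comps, "/")
	var fixed struct { // fixed-size fields that follow the names, in wire order
		NameType, Timestamp uint32
		VNO8                uint8
		Etype, KeyLen       uint16
	}
	k.field(&fixed)
	k.field(make([]byte, fixed.KeyLen)) // consume the key material without keeping it
	e.Etype, e.KeyLen, e.KVNO = fixed.Etype, int(fixed.KeyLen), uint32(fixed.VNO8)
	if k.Len() >= 4 { // optional 32-bit KVNO trailer; non-zero overrides vno8, which wraps at 256
		var vno32 uint32
		if k.field(&vno32); vno32 != 0 {
			e.KVNO = vno32
		}
	}
	return e, k.err
}

// ParseKeytab decodes a version 0x0502 keytab into its live entries.
func ParseKeytab(b []byte) ([]KeytabEntry, error) {
	if len(b) < 2 || b[0] != 0x05 || b[1] != 0x02 {
		return nil, errors.New("not a version 0x0502 keytab")
	}
	k := &ktReader{Reader: bytes.NewReader(b[2:])}
	var entries []KeytabEntry
	for k.Len() > 0 {
		var size int32
		if k.field(&size); int64(size) > int64(k.Len()) {
			return nil, errors.New("entry size exceeds the remaining keytab bytes")
		}
		if size < 0 { // negative size marks a hole left by a deleted entry: skip it
			k.Seek(-int64(size), io.SeekCurrent)
			continue
		}
		raw := make([]byte, size)
		k.field(raw)
		e, err := parseEntry(raw)
		if err != nil {
			return nil, err
		}
		entries = append(entries, e)
	}
	return entries, nil
}

// SampleKeytab is a constructed one-entry keytab (User@EXAMPLE.COM, kvno 10, enctype 18); the key is a dummy, not a credential.
var SampleKeytab = append([]byte{
	0x05, 0x02, 0x00, 0x00, 0x00, 0x46, // version 0x0502, then int32 entry size 70
	0x00, 0x01, 0x00, 0x0b, 'E', 'X', 'A', 'M', 'P', 'L', 'E', '.', 'C', 'O', 'M', // 1 component; realm
	0x00, 0x04, 'U', 's', 'e', 'r', 0x00, 0x00, 0x00, 0x01, // component 0; name type KRB5_NT_PRINCIPAL
	0x65, 0x53, 0xf1, 0x00, 0x0a, 0x00, 0x12, 0x00, 0x20, // timestamp 1700000000; vno8 10; etype 18; key length 32
}, append(bytes.Repeat([]byte{0x11}, 32), 0x00, 0x00, 0x00, 0x0a)...) // 32 dummy key bytes, then 32-bit KVNO 10
```

Feed `ParseKeytab` the bytes returned by `kt.Marshal()` or read back from the saved file, and compare each entry's principal name and realm (both case-sensitive), KVNO and enctype with the KDC's record for that principal; the key length is a quick sanity check too (32 bytes for enctype 18). The parser rejects a truncated file instead of misreading it, skips the negative-size holes that deleting an entry leaves behind, and honours the 32-bit KVNO trailer that MIT tools write after the key. One thing it cannot show is the salt used to derive the key from the password, because a keytab stores only the derived key: a salt mismatch between the generator and the KDC is invisible here and only surfaces as a preauthentication failure.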