1. version
[root@station20 ~]# cat /proc/version
Linux version 2.6.18-308.el5xen (mockbuild@x86-010.build.bos.redhat.com) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-50)) #1 SMP Fri Jan 27 17:59:00 EST 2012
[root@station20 ~]#
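2. Using kadmin/kadmin.local, I added a regular user and then added that principal to krb5.keytab. After that, it was no longer possible to switch to this user from a regular user account, or to run kinit as this user to initialize a ticket: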
[root@station20 ~]# su - nfsuser
[nfsuser@station20 ~]$ su - nfsuser
Password:
su: incorrect password
[nfsuser@station20 ~]$ kinit
Password for nfsuser@STATION20.EXAMPLE.COM:
kinit(v5): Password incorrect while getting initial credentials
[nfsuser@station20 ~]$
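3. A Google search showed that if you want to use Kerberos password authentication, you must not add the principal to the krb5.keytab file with ktadd, because once it is added to krb5.keytab, the principal is reset to a random password.
4. The fix is to delete the krb5.keytab file, and then use change_password in kadmin to change the password of the principal that needs password authentication.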
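A check that follows from steps 3 and 4, as an added example that is not part of the original post: given the output of `klist -k` for a keytab, it reports which of the principals that are supposed to log in with a password have keys in that keytab, and so had their password replaced by ktadd. The function names, the host name in the sample and the sample klist output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# Reads the text printed by plain `klist -k <keytab>` (MIT Kerberos) on stdin.
# Arguments: the principals that are expected to authenticate with a password.
# Prints "KVNO principal" for each of them that has a key in the keytab;
# per step 3, those principals no longer accept their old password.
password_principals_in_keytab() {
    awk -v want="$*" '
        BEGIN {
            # Build a lookup set from the principals given as arguments.
            n = split(want, w, " ")
            for (i = 1; i <= n; i++) need[w[i]] = 1
        }
        # Entry lines start with a numeric KVNO followed by the principal.
        # The "Keytab name:", "KVNO Principal" and "----" header lines do not.
        # klist prints one line per key (enctype), so repeated lines are merged.
        $1 ~ /^[0-9]+$/ && ($2 in need) && !seen[$1 " " $2]++ { print $1, $2 }
    '
}

# Constructed sample of `klist -k /etc/krb5.keytab` output, using the realm
# and user name from the session above; the host principal is an assumption.
sample_klist_output() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/station20.example.com@STATION20.EXAMPLE.COM
   3 host/station20.example.com@STATION20.EXAMPLE.COM
   2 nfsuser@STATION20.EXAMPLE.COM
   2 nfsuser@STATION20.EXAMPLE.COM
EOF
}

# Demo on the constructed sample; on a real host the input would be:
#   klist -k /etc/krb5.keytab | password_principals_in_keytab nfsuser@STATION20.EXAMPLE.COM
sample_klist_output | password_principals_in_keytab nfsuser@STATION20.EXAMPLE.COM
```

Any principal the function prints needs its password set again with change_password, as in step 4.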
REF:
1. Password incorrect while getting initial credentials
http://fixunix.com/kerberos/347314-password-incorrect-while-getting-initial-credentials.html
Re: Password incorrect while getting initial credentials
On Feb 17, 2008 10:10 PM, wrote:
> Hello,
>
> I am receiving a "kint(v5): Password incorrect while getting initial
> credentials" error after entering a password in response to a prompt
> following a kinit command (kinit user/my.domain@MY.REALM). I know
> that I am entering the correct password. The database seems to be
> fine; I can get a ticket as root through:
> kinit -k -t /etc/krb5.keytab user/my.domain@MY.REALM
>
> I am wondering if this could have anything to do with a
> preauthentication requirement. My KDC.conf has a default principal
> flag of +preauth.
>
> Does this flag require any preliminary steps to authenticate before
> (or during) kinit?
>
> May there be anything else that I am missing?
>
> Thanks a lot.
>

If 'user/my.domain@MY.REALM' is the same in both cases, the reason you can't authenticate with a password is because you created the keytab. The act of creating a keytab causes a new random key to be generated and placed in the Kerberos database and into the keytab. There is no password associated with that key and you will only be able to authenticate as that principal using the keytab. If you want to authenticate with a password, do a "cpw" in kadmin for the principal (and do not do a "ktadd").
Reposted from: http://nitai.baihongyu.com/