Kerberos - kinit

1 - About

kinit is an utility that permits to get tickets and then to verify that the Kerberos configuration is good and that the authentication is working.

3 - Getting Started

3.1 - Own username

kinit assumes you want tickets for your own username in your default realm.

kinit
Password for gerard@HOTITEM.LOCAL: 
New ticket is stored in cache file C:\Users\gerard\krb5cc_gerard

3.2 - Someone else

A friend David is visiting, and he wants to borrow a window to check his mail. David needs to get tickets for himself in his own realm.

kinit david@HOTITEM.LOCAL
Password for [email protected]: 

3.3 - With a keytab file

Kerberos - KeyTab

kinit -V -k -t exalytics-01.keytab HTTP/exalytics-01.hotitem.local
Authenticated to Kerberos v5

4 - Operating Ssstem

4.1 - Linux

/usr/kerberos/bin/kinit

4.2 - Windows

>where kinit
C:\Program Files\Java\jdk1.8.0_05\bin\kinit.exe

Usage:

>kinit -help
Usage: kinit [-A] [-f] [-p] [-c cachename] [[-k [-t keytab_file_name]] [principal] [password]
        available options to Kerberos 5 ticket request:
            -A   do not include addresses
            -f   forwardable
            -p   proxiable
            -c   cache name (i.e., FILE:\d:\myProfiles\mykrb5cache)
            -k   use keytab
            -t   keytab file name
            principal   the principal name (i.e., [email protected] qweadf)
            password   the principal's Kerberos password

where:

5 - Support

5.1 - KDC has no support for encryption type

Generally the error “KDC has no support for encryption type” has nothing to do with the encryption type itself but with access to the credentials (ie bad domain controller host, …). It's a very misleading error message.

5.2 - Key table entry not found

“Key table entry not found” means that the client presented a service ticket whose contents don't match anything in the server's keytab file.

In this scenario the most likely reason is that:

  • you didn't regenerate the keytab file after enabling an enctypes.
  • the entry is not in the keytab file
security/kerberos/kinit.txt · Last modified: 2018/05/15 16:49 by gerardnico