question Re: kinit: Preauthentication failed while getting initial credentials in Support Questions

kinit: Preauthentication failed while getting initial credentials

tableau — Wed, 06 Aug 2025 06:14:11 GMT

I cloned a cdp 7.3.1-1 one node that is kerb enabled, to connect to a kdc server in a different domain.

During the kerberos wizard, I choose "Administration" | "security" | "Kerberos Credentials" | "Import KDC Account Manager Credentials", and put in valid username and password, then I get "kinit: Preauthentication failed while getting initial credentials"

the same user name / pwd pair, I can do kinit xx@TEST.LAN, and get valid results from klist. So I know the credential is good. I have validated on the AD server, use delegation wizard to give add, modify delete rights to the user xx.

If I run Generate Missing Credentials, I see "SIMPLE_PWD_STR='-x -D cloudera@old kdc server -w REDACTED'", and this refers to the old kdc server.
So I need to know how to change the setting on ldaps and how I can solve the issue with kinit: Preauthentication failed while getting initial credentials

Re: kinit: Preauthentication failed while getting initial credentials

Sean464 — Wed, 06 Aug 2025 08:20:22 GMT

Hello @tableau,

If pre-authentication is failing despite using the correct credentials, it’s possible that the issue is due to a mismatch in the letter-case of the username. Specifically, the username provided may not match the userPrincipalAttribute value (typically userPrincipalName) in Active Directory.

When AES encryption types are used, Active Directory derives the key salt by concatenating the realm name with the username, and this process is case-sensitive. Therefore, any mismatch in letter-case can lead to authentication failure.

To verify the correct casing of the userPrincipalAttribute for the KDC admin user, you can run the following ldapsearch command:

ldapsearch -v -H ldaps://{LDAP_URL}:636 -D 'xx@TEST.LAN' -W -b '{SEARCHBASE}' userPrincipalName="xx@TEST.LAN"

Once confirmed, use the exact same letter-case when importing the KDC account manager credentials under:

Administration → Security → Kerberos Credentials → Import KDC Account Manager Credentials

Additionally, if the old KDC details still appear during the 'Generate Missing Credentials' operation, please ensure the new KDC is correctly configured under:

Administration → Security → Kerberos Credentials → Setup KDC for this Cloudera Manager

Let me know if any further clarification is needed.

Re: kinit: Preauthentication failed while getting initial credentials

VidyaSargur — Fri, 22 Aug 2025 05:43:54 GMT

@tableau, Did the response assist in resolving your query? If it did, please mark the relevant reply as the solution, as it will help others locate the answer more easily in the future.