Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

problem generating keytab with HTTP SPN

avatar
Rising Star

hello cloudera community,

 

we are trying to create a keytab with the main one:

 

"HTTP/hostname@DOMAIN.LOCAL"

 

with the command:

 

ktpass -princ HTTP/hostname@DOMAIN.LOCAL -mapuser livy-http -crypto ALL -ptype KRB5_NT_PRINCIPAL -pass password2022 -target domain.local -out c:\temp\livy-http.keytab

 

but I try to validate the ticket with this keytab returns the error:

 

Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-authentication information was invalid

 

KrbException: Pre-authentication information was invalid (24)
at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
... 5 more

 

yagoaparecidoti_0-1661193823116.png

 

this user "livy-http" is already created in AD and with the SPN "HTTP/hostname@DOMAIN.LOCAL" attached to it

 

what are we doing wrong?

20 REPLIES 20

avatar
Rising Star

hi @JQUIROS 

 

the command to create the entry was:

 

add_entry -password -p HTTP/hostname@DOMAIN.LOCAL -k 1 -e rc4-hmac

 

then export the keytab with the command:

 

wkt http.keytab

 

and then to validate the tiker the command:

 

KRB5_TRACE=/dev/stdout kinit -kt http.keytab HTTP/hostname@DOMAIN.LOCAL

 

presented the error:

 

Getting initial credentials for HTTP/hostname@DOMAIN.LOCALLooked up etypes in keytab: rc4-hmac
Sending unauthenticated request
Sending request (237 bytes) to DOMAIN.LOCAL
Sending initial UDP request to dgram 172.22.22.22:88
Received answer (229 bytes) from dgram 172.22.22.22:88
Response was from master KDC
Received error from KDC: -1765328359/Additional pre-authentication required
Preauthenticating using KDC method data
Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
Selected etype info: etype rc4-hmac, salt "", params ""
Retrieving HTTP/hostname@DOMAIN.LOCAL from FILE:http.keytab (vno 0, enctype rc4-hmac) with result: 0/Success
AS key obtained for encrypted timestamp: rc4-hmac/20C1
Encrypted timestamp (for 1661441475.76781): plain 301AA011199992303232BED, encrypted 3625254347B405C2739999992C5C50F451C0A477AE3AD421DF
Preauth module encrypted_timestamp (2) (real) returned: 0/Success
Produced preauth for next request: PA-ENC-TIMESTAMP (2)
Sending request (313 bytes) to DOMAIN.LOCAL
Sending initial UDP request to dgram 172.22.22.22:88
Received answer (196 bytes) from dgram 172.22.22.22:88
Response was from master KDC
Received error from KDC: -1765328360/Preauthentication failed
Preauthenticating using KDC method data
Processing preauth types: PA-ETYPE-INFO2 (19)
Selected etype info: etype rc4-hmac, salt "", params ""
kinit: Preauthentication failed while getting initial credentials

avatar
Cloudera Employee

We need to reach out the AD support, the response is coming from the AD 

Response was from master KDC

Received error from KDC: -1765328360/Preauthentication failed
Preauthenticating using KDC method data
Processing preauth types: PA-ETYPE-INFO2 (19)
Selected etype info: etype rc4-hmac, salt "", params ""
kinit: Preauthentication failed while getting initial credentials

[0] Reference: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/ae60c948-fda8-45c2-b1d1-a71b484...

avatar
Super Guru

@yagoaparecidoti 

 

What do you need the keytab with the HTTP principal for?

 

André

--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.

avatar
Rising Star

avatar
Super Guru

@yagoaparecidoti ,

 

The problem is that to generate a keytab for any principal you need to know the password for that principal. The HTTP/hostname principal probably already exists in your AD and has some unknown password. Without knowing that you would have to reset the principal password to be able to create a keytab for it. And if you reset its password you will invalidate any keytabs that already exist for that principal that other services may be using.

 

Cheers,

André

 

--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.

avatar
Rising Star

hi @araujo 

 

the ad has two users:

 

livy

livy-http

 

the user livy has the SPN:

 

livy/hostname@DOMAIN.LOCAL

 

and it is working without problem in kinit

 

the user livy-http has the SPN:

 

HTTP/hostname@DOMAIN.LOCAL

 

but it is showing the error described above

 

avatar
Super Guru

@yagoaparecidoti ,

 

Do you know the passwords for the users livy and livy-http? Can you manually kinit with those 2 users from the command line?

Can you also check in AD what's the value for userPrincipalName property of those two users and share it here?

 

Cheers,

André

--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.

avatar
Rising Star

hi @araujo 

 

yes, we know the passwords, because we created these two users from scratch

 

before creating the keytabs for the two users, we managed to kinit the two users without problem "kinit user", after creating the keytabs for the two users, kinit only works with the keytab, but it only works on the livy user, when we try to run kinit in livy-http user keytab displays the error "kinit: Preauthentication failed while getting initial credentials"

 

the userprincipalname of each user is:

 

livy:
livy/hostname_livy_server@DOMAIN.LOCAL

 

livy-http:
HTTP/hostname_livy_server@DOMAIN.LOCAL

avatar
Super Guru

The names you listed are the servicePrincipalName. These are different from the userPrincipalName. Could you please check the latter and let me know what they are?

 

Cheers,

André

--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.

avatar
Super Guru

Could you please run the kinit commands for both accounts and share a screenshot showing the command line and the output?

--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.