Hi folks,

Maybe I've found a bug in krb5 libs code. Here is the thing:

When we store user password in keytab with des-cbc-md5 encryption with
"addent -password -p TESTUSERNAME -k 1 -e des-cbc-md5"
we receive error KRB5KDC_ERR_PREAUTH_REQUIRED from the server and kinit says
"Key table entry not found while getting initial credentials".
Also note that in the dump of the client-server conversation there is no field "padata" in the request.

-------------- Incorrect case --------------------
User Datagram Protocol, Src Port: 46944 (46944), Dst Port: kerberos (88)
Kerberos AS-REQ
    Pvno: 5
    MSG Type: AS-REQ (10)
    KDC_REQ_BODY
        Padding: 0
        KDCOptions: 40000010 (Forwardable, Renewable OK)
        Client Name (Principal): TESTUSERNAME
        Realm: MY.TEST.REALM
        Server Name (Unknown): krbtgt/MY.TEST.REALM
        from: 2008-04-02 07:56:30 (Z)
        till: 2008-04-03 07:56:30 (Z)
        Nonce: 1207122990
        Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

User Datagram Protocol, Src Port: kerberos (88), Dst Port: 46944 (46944)
Kerberos KRB-ERROR
    Pvno: 5
    MSG Type: KRB-ERROR (30)
    stime: 2008-04-02 07:55:18 (Z)
    susec: 502936
    error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25)
    Realm: MY.TEST.REALM
    Server Name (Unknown): krbtgt/MY.TEST.REALM
    e-data

However if we add entry into keytab this way:
"addent -password -p TESTUSERNAME -k 1 -e rc4-hmac"
Then client sends "padata" in the request and the server replies with a valid TGT.

So this is probably a bug in the client code (kinit or krb5 libs), if it is not then could someone clarify why it works this way?

------------- Normal case --------------------------
User Datagram Protocol, Src Port: 41142 (41142), Dst Port: kerberos (88)
Kerberos AS-REQ
    Pvno: 5
    MSG Type: AS-REQ (10)
    padata: PA-ENC-TIMESTAMP
        Type: PA-ENC-TIMESTAMP (2)
        Value: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX... rc4-hmac
    KDC_REQ_BODY
        Padding: 0
        KDCOptions: 40000010 (Forwardable, Renewable OK)
        Client Name (Principal): TESTUSERNAME
        Realm: MY.TEST.REALM
        Server Name (Unknown): krbtgt/MY.TEST.REALM
        from: 2008-04-02 08:05:01 (Z)
        till: 2008-04-03 08:05:01 (Z)
        Nonce: 1207123501
        Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

User Datagram Protocol, Src Port: kerberos (88), Dst Port: 41142 (41142)
Kerberos AS-REP
    Pvno: 5
    MSG Type: AS-REP (11)
    Client Realm: MY.TEST.REALM
    Client Name (Principal): TESTUSERNAME
    Ticket
    enc-part rc4-hmac

-- 
Best regards,
-------------------------
Igor Mammedov,
niallain "at" gmail.com
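
Added example, not part of the original message: a small parser that reduces text dissections like the two above to one summary per AS exchange, so that padata presence and the KDC's reply can be compared across captures. The function names are hypothetical, the sample is constructed from fields shown in the post, and the input is assumed to have one dissector field per line.

```python
import re

# Constructed sample: field lines condensed from the two dissections in the post.
SAMPLE = """\
Kerberos AS-REQ
    KDC_REQ_BODY
        Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
Kerberos KRB-ERROR
    error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25)
Kerberos AS-REQ
    padata: PA-ENC-TIMESTAMP
        Type: PA-ENC-TIMESTAMP (2)
    KDC_REQ_BODY
        Encryption Types: rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
Kerberos AS-REP
    Ticket enc-part rc4-hmac
"""

def parse_messages(text):
    """Split a text dissection into one dict per Kerberos message."""
    msgs = []
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"Kerberos (AS-REQ|AS-REP|KRB-ERROR)$", line):
            msgs.append({"type": m.group(1), "padata": [], "etypes": [], "error": None})
        elif not msgs:
            continue  # transport header lines before the first Kerberos message
        elif m := re.match(r"padata: (\S+)", line):
            msgs[-1]["padata"].append(m.group(1))
        elif m := re.match(r"Encryption Types: (.+)", line):
            msgs[-1]["etypes"] = m.group(1).split()
        elif m := re.match(r"error_code: (\S+)", line):
            msgs[-1]["error"] = m.group(1)
    return msgs

def summarize_exchanges(msgs):
    """Pair each AS-REQ with the KDC reply that follows it."""
    out = []
    for req, rep in zip(msgs, msgs[1:]):
        if req["type"] != "AS-REQ" or rep["type"] == "AS-REQ":
            continue  # not a request/reply pair
        outcome = "TGT issued" if rep["type"] == "AS-REP" else rep["error"]
        out.append((bool(req["padata"]), outcome))
    return out

if __name__ == "__main__":
    for has_pa, outcome in summarize_exchanges(parse_messages(SAMPLE)):
        print(f"padata={'yes' if has_pa else 'no'} -> {outcome}")
```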