Operating System - HP-UX

Kerberos keytab does not work (KDC = W2k3 R2)

SOLVED
TEC-HP
Frequent Advisor

First we create a keytab for the TUUUT user on the Microsoft KDC:
C:\Documents and Settings\Administrator.AX0107>ktpass -out tuuut.keytab -princ host/TUUUT@R2-W2K3.NET -pass * -mapuser TUUUT
Targeting domain controller: AX0107.R2-W2K3.NET
Failed to set property "servicePrincipalName" to "host/TUUUT" on Dn "CN=TUUUT,OU=UNIX,DC=R2-BGC,DC=NET": 0x14.
WARNING: Unable to set SPN mapping data.
If TUUUT already has an SPN mapping installed for host/TUUUT, this is no cause for concern.
Key created.
Output keytab to tuuut.keytab:
Keytab version: 0x502
keysize 50 host/TUUUT@R2-W2K3.NET ptype 1 (KRB5_NT_PRINCIPAL) vno 12 etype 0x3 (DES-CBC-MD5) keylength 8 (0x4fd3e343ef0e7f85)
Account TUUUT has been set for DES-only encryption.

Check on the KDC if the SPN has been set:
C:\Documents and Settings\Administrator.AX0107>setspn -l TUUUT
Registered ServicePrincipalNames for CN=TUUUT,OU=UNIX,DC=R2-BGC,DC=NET:
host/TUUUT@R2-W2K3.NET
host/TUUUT

The keytab is transferred to TUUUT and krb5.keytab is created (ktutil):

root@TUUUT:/etc# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- --------------------------------------------------------------------------
1 12 host/TUUUT@R2-W2K3.NET

Testing the keytab with kinit:
root@TUUUT:/etc# kinit -k
kinit: Client not found in Kerberos database while getting initial credentials
root@TUUUT:/etc# echo $?
1
root@TUUUT:/etc# kinit -k -t /etc/krb5.keytab
kinit: Client not found in Kerberos database while getting initial credentials
root@TUUUT:/etc# echo $?
1

OK this fails, but what about:
root@TUUUT:/etc# kinit -k host/TUUUT@R2-W2K3.NET
root@TUUUT:/etc# echo $?
0
root@TUUUT:/etc# kinit -k host/TUUUT
root@TUUUT:/etc# echo $?
0


Que?? …feeling quite stupid
Kiran Kumar M
Advisor
Solution

Re: Kerberos keytab does not work (KDC = W2k3 R2)

If no principal name is specified for the -k option of kinit, then kinit will generate a principal of the form "host/<hostname>@REALM". Typically the host name will be of the form host.dnsdomain.com, so my guess is kinit is trying to get a ticket for host/TUUUT.<dnsdomain>.com@R2-W2K3.NET
instead of the host/TUUUT@R2-W2K3.NET that you are expecting. You can check the logs on the Windows box to verify this.
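As an added example (not from this thread, and not HP's or Microsoft's code): a small POSIX shell check that predicts the principal a bare `kinit -k` will request and verifies that the keytab listing actually contains it. It assumes the MIT Kerberos behaviour (which the HP-UX client is derived from) that kinit builds host/<canonical FQDN>@REALM with the hostname lowercased; it skips the DNS canonicalization step and simply uses the FQDN it is handed. The domain unix.example.net is hypothetical (the thread never names the Unix domain) and the two keytab listings are constructed in the shape of the ktutil output above.

```shell
#!/bin/sh
# Added example, not from the thread: predict the principal `kinit -k` will
# request when no principal is given, and check that the keytab holds it.

# MIT-derived kinit builds host/<canonical fqdn>@<default realm> when -k is used
# without a principal. The canonical name is the DNS-resolved local hostname,
# lowercased. This helper skips the DNS step and lowercases what it is given.
default_host_principal() {
    # $1 = fully qualified hostname, $2 = realm
    fqdn=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf 'host/%s@%s' "$fqdn" "$2"
}

# Return 0 when a `ktutil l` / `klist -k` listing contains the principal exactly.
# The comparison is case-sensitive, as the MIT keytab lookup is.
keytab_has_principal() {
    # $1 = keytab listing text, $2 = principal to look for
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed listing in the shape of the thread's ktutil output (short hostname).
SHORT_KEYTAB='slot KVNO Principal
---- ---- ----------------------------------------
   1   12 host/TUUUT@R2-W2K3.NET'

# Constructed listing as it would look after re-running ktpass with the FQDN
# (hypothetical domain unix.example.net; the thread does not name it).
FQDN_KEYTAB='slot KVNO Principal
---- ---- ----------------------------------------
   1   13 host/tuuut.unix.example.net@R2-W2K3.NET'

# Diagnose a keytab against the principal a bare `kinit -k` will ask for.
# Prints the verdict; returns 0 on match, 1 on mismatch.
check_keytab() {
    # $1 = keytab listing, $2 = FQDN of this host, $3 = realm
    want=$(default_host_principal "$2" "$3")
    if keytab_has_principal "$1" "$want"; then
        printf 'OK: keytab contains %s\n' "$want"
        return 0
    fi
    printf 'MISMATCH: kinit -k will request %s, keytab holds:\n' "$want"
    printf '%s\n' "$1" | awk 'NR > 2 { print "  " $NF }'
    printf 'Re-create the keytab with ktpass -princ %s (FQDN, not short name)\n' "$want"
    return 1
}

check_keytab "$SHORT_KEYTAB" tuuut.unix.example.net R2-W2K3.NET || true
check_keytab "$FQDN_KEYTAB"  tuuut.unix.example.net R2-W2K3.NET
```

Run it on the real box by replacing the constructed listings with the output of `ktutil` (`rkt /etc/krb5.keytab`, then `l`) and the FQDN with `hostname` plus the DNS domain the host resolves to; the first call reproduces the failure in the original post, the second shows the keytab that a bare `kinit -k` will accept.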
TEC-HP
Frequent Advisor

Re: Kerberos keytab does not work (KDC = W2k3 R2)

Kiran,
sorry for the late reply. As with many problems: rtfm; I should have done this better.
We have 2 different domains: one for the unix boxes and one for the msft boxes; both resolve each other. I was relying heavily on the resolving mechanism: when creating the keytab, you need to use the FQDN.

Thanks for your time and reply
TEC-HP
Frequent Advisor

Re: Kerberos keytab does not work (KDC = W2k3 R2)

Bottom line when creating the keytab: use the FQDN for the host.