GSS-API win2k/unix need help!

Rick mail at server.net
Tue Feb 26 11:41:47 EST 2002


"Marc Horowitz" <marc at mit.edu> wrote in message
news:t53n0xxavrq.fsf at horowitz-m1.mit.edu...
> "Rick" <mail at server.net> writes:
>
> >> On unix
> >> 1. ktutil
> >> 2. rkt unix1.keytab
> >> 3. list
> >> 4. wkt /etc/krb5.keytab
> >> 5. q
>
> Is there a reason you did all this instead of "cp"?

Basically this is what the MS document outlined.  Not being familiar with
Kerberos I can only presume ktutil does more than just merge keytabs.  Based
on your post it seems as if that's not the case.


> >> To try to get it to work in my NT machine I basically did the same
> >> thing.
> >>
> >> On kdc:
> >> 1. ktpass -princ tsample/host1.d1.com at D1.COM -mapuser test -pass
> >> testpass -out test.keytab
> >> 2. transfer keytab to windows computer.
> >>
> >> There doesn't seem to be a ktutil.exe on windows.
>
> What do you think you need ktutil for?

Please see above.


> >> I presume I need to get a
> >> ticket for 'tsample'.  I tried kinit -k -t krb5.keytab -S tsample
> >> test.
> >> It didn't work.  Neither did several other variations.
>
> Why are you giving kinit the -S flag?  I do not think it does what you
> think it does.  For that matter, why are you using a keytab at all?
> It's much easier to create a normal user principal and use kinit to
> get tickets.  If you must use a keytab, the correct invocation is
> "kinit -k -t keytabfile tsample/host1.d1.com at D1.COM".  Of course, the
> last argument should be the actual principal name of the key you want
> to use.

If I do as you say it will change the default principal name.  Due to time
restrictions I haven't been able to gain a greater understanding of how most
of this works but I think what I want is to get a service ticket (sample)
for a specified principal (user).  For example in Unix, after I run the
gss-api sample program klist produces this.

default principal: user at D1.COM

krbtgt/D1.COM at D1.COM
sample/host2.d1.com at D1.COM
sample/host2.d1.com at D1.COM

BTW.  The names are different than above because I'm using different
keytabs, service names, etc. between unix tests and windows tests.

The way I read this is that the principal named 'user' has three tickets.
One tgt and two tickets for 'sample'.  Not sure why there are two for
'sample' but that's not horribly important to me right now.  Is that not
correct?

Ultimately the application will use 'rcmd' to auth the sender but just to
see how all this fits together I'm using 'sample'.

Thank you for any help.
> >> The gss-server sample fails with
> >> GSS-API error acquiring credentials: Miscellaneous failure
> >> GSS-API error acquiring credentials: No such file or directory
>
> The server would fail this way because it can't find the keytab file.
> I don't know where win3k is looking for it, but you should figure this
> out, and put the keytab there.

I checked source code.  First it checks env table, then
'default_keytab_name' in 'libdefaults'.  On windows, if all else fails, it
will go to windows directory (\winnt).  I just used krb5.conf and it finds
the file now.  However, I now get another error message.

GSS-API error acquiring credentials: Miscellaneous failure
GSS-API error acquiring credentials: No principal in keytab matches desired
name
> Finally, for testing the gss-sample client,
>
>                 Marc