kinit request on keytab fails using 2K3sp1 KDC
Douglas E. Engert
deengert at anl.gov
Thu Mar 23 10:03:05 EST 2006
Achim Grolms wrote:
> On Wednesday 22 March 2006 18:19, Tim Alsop wrote:
>
>
>>Alternatively, you can use one of the many tools available that replace
>>the need for ktpass, and use computer accounts for key storage. These
>>tools do not suffer from the same issues as ktpass.
>
>
> What are that tools?
> Can you send searchkeywords or pointers so I can find and use them?
Google for msktutil which will get you to
http://www.pppl.gov/~dperry/mskturil-0.3.16.tar.gz
We are using this.
Goolge for netjoin
This is an update of the MS netjoin.
Samba has some tools, but adds too many principal in many cases.
Something else that can be very helpfull is to use
the Windows mmc with the ADSI edit to lok at the registry.
You can look at the account that was created, and look at the KVNO
as the ms-DS-KeyVersionNumber.
Other interesting fields are the userPrincipalName,
and servicePrincipalName.
Keep in mind that the Windows has a single password that
is used to generate the keys on the fly for each of the
principals (userPrincipalName and servicePrincipalName)
asociated with the account.
Kerberos uses a seperate key for each principal created when the
kettrab is created. So if you change the password on the account,
you have to change the keys in the keytab at the same time for
all the principal assiciated with that account.
Msktutil tries to do this for your.
>
> Thank you,
> Achim
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list