[krbdev.mit.edu #2550] Problems with ms2mit.exe and aklog.exe with KFW 2.6.1 and OpenAFS

Jeffrey Altman jaltman at columbia.edu
Sun May 2 22:40:39 EDT 2004


RC4-HMAC is a supported type and it can be successfully used to
obtain a DES-CBC-CRC Kerberos 5 afs/cellname@REALM or afs@REALM
ticket for use in converting to a token.

Run aklog.exe with the -d option and report the actual error.

Leash and aklog share slightly different code bases for obtaining tokens.
However, they are roughly equivalent.

Lantzer at MIT.EDU wrote:

>The ms2mit.exe package included with KFW 2.6.1 loads a TGT into the MIT
>credentials cache that has an encryption type of arcfour-hmac, after
>logging into a Windows XP system joined to a Windows 2000 native mode
>domain. The aklog.exe included with KFW 2.6.1 does not seem to be able
>to use a TGT with this encryption type. I noticed in the ms2mit.exe
>source code that the code was changed to use the TGT from the Microsoft
>credentials cache if the encryption type was a supported type, and that
>arcfour-hmac was listed as a supported type. If aklog.exe cannot be used
>with an arcfour-hmac encryption type, then perhaps the ms2mit.exe code
>should check the krb5.ini file for requested encryption types and
>attempt to acquire a TGT with a requested encryption type if one isn't
>returned from the Microsoft credentials cache.
>
>I am able to use leash32.exe from KFW 2.6.1 to get AFS tokens, but it
>does not work when I try to use ms2mit.exe and aklog.exe from KFW 2.6.1.
>
>The following is an edited log of my attempt to use aklog.exe with
>ms2mit.exe from KFW 2.6.1:
>
>C:\>ms2mit
>
>C:\>klist -e
>Ticket cache: API:krb5cc
>Default principal: userid@REALM

>Valid starting     Expires            Service principal
>04/29/04 17:58:02  05/29/04 17:58:02  krbtgt/REALM@REALM
>        renew until 05/29/04 17:58:02, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
>
>
>Kerberos 4 ticket cache: API:krb4cc
>klist: No ticket file (tf_util)
>
>C:\>aklog -d
>Authenticating to cell CELL.
>Getting v5 tickets: afs/CELL@REALM
>Kerberos error code returned by get_cred: -1765328184
>aklog: Couldn't get umr.edu AFS tickets:
>
>C:\>
>
>
>From a web search:
>
>-1765328184: Invalid KDC option combination (library internal error) 
>
>
>I also have problems when trying to use kinit.exe and aklog.exe from KFW
>2.6.1. I did not have this problem with KFW 2.6-beta9.
>
>The following is an edited log of my attempt to use aklog.exe with
>kinit.exe from KFW 2.6.1:
>
>C:\>kinit -5
>Password for userid@REALM:

>C:\>klist -e
>Ticket cache: API:krb5cc
>Default principal: userid@REALM

>Valid starting     Expires            Service principal
>04/29/04 18:21:57  04/30/04 04:21:57  krbtgt/REALM@REALM
>        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>
>
>Kerberos 4 ticket cache: API:krb4cc
>klist: No ticket file (tf_util)
>
>C:\>aklog -d
>Authenticating to cell umr.edu.
>Getting v5 tickets: afs/CELL@REALM
>Set username to userid
>Getting tokens.
>aklog: unable to obtain tokens for cell CELL (status: 11862786).
>
>C:\>
>
>From a web search:
>
>KTC_INVAL        11862786 /* an invalid argument was passed in */
>
>Ryan Lantzer
>
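
Added example (not part of the original thread, and not KfW or OpenAFS code): both numeric statuses in the logs above are com_err codes, which pack the error-table name into the upper 24 bits and the message index into the low 8 bits, so they can be split into table and offset offline rather than by web search. The function names are hypothetical; the character set and bit widths follow the com_err library's encoding.

```python
# com_err encodes an error-table name (up to 4 characters, 6 bits each)
# in the upper 24 bits of a 32-bit code; the low 8 bits index the message.
CHARSET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "abcdefghijklmnopqrstuvwxyz0123456789_")
BITS_PER_CHAR = 6
ERRCODE_RANGE = 8  # low bits reserved for the per-table message offset

# The two status values reported in the thread's aklog -d output.
CODES_FROM_THREAD = (-1765328184, 11862786)


def table_base(name: str) -> int:
    """Return the signed 32-bit base code for an error-table name."""
    if not 1 <= len(name) <= 4:
        raise ValueError("table names are 1 to 4 characters")
    num = 0
    for ch in name:
        # Characters are numbered from 1 so that 0 can mean "no character".
        num = (num << BITS_PER_CHAR) + CHARSET.index(ch) + 1
    num = (num << ERRCODE_RANGE) & 0xFFFFFFFF
    # Codes are C 'long' values; reinterpret the high bit as the sign.
    return num - (1 << 32) if num & 0x80000000 else num


def decode(code: int) -> tuple[str, int]:
    """Split a com_err code into (table name, offset within that table).

    A code below 256 has no table part and decodes to ("", offset);
    such values are plain system errno numbers.
    """
    unsigned = code & 0xFFFFFFFF
    offset = unsigned & ((1 << ERRCODE_RANGE) - 1)
    num = unsigned >> ERRCODE_RANGE
    chars = []
    while num:
        idx = num & ((1 << BITS_PER_CHAR) - 1)
        if idx:  # zero slots carry no character and are skipped
            chars.append(CHARSET[idx - 1])
        num >>= BITS_PER_CHAR
    return "".join(reversed(chars)), offset


if __name__ == "__main__":
    for code in CODES_FROM_THREAD:
        table, offset = decode(code)
        print(f"{code}: table={table!r} offset={offset} "
              f"base={table_base(table)}")
```

The first code belongs to the `krb5` table (Kerberos library) and the second to the `KTC` table (AFS token cache), which shows that the two failures in the report come from different layers.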

