GSS-API win2k/unix need help!
Kevin Coffman
kwc at citi.umich.edu
Tue Feb 26 12:28:17 EST 2002
>
> "Marc Horowitz" <marc at mit.edu> wrote in message
> news:t53n0xxavrq.fsf at horowitz-m1.mit.edu...
> > "Rick" <mail at server.net> writes:
> >
> > >> On unix
> > >> 1. ktutil
> > >> 2. rkt unix1.keytab
> > >> 3. list
> > >> 4. wkt /etc/krb5.keytab
> > >> 5. q
> >
> > Is there a reason you did all this instead of "cp"?
>
> Basically this is what the MS document outlined. Not being familiar with
> Kerberos I can only presume ktutil does more than just merge keytabs. Based
> on your post it seems as if that's not the case.
If there are no keys already in /etc/krb5.keytab that you care about,
'cp' will do the job. If there are already keys in /etc/krb5.keytab
and you want to add another key from a different keytab, then the
5-step process above is the right way to do it, as ktutil will not
clobber the existing keys already in /etc/krb5.keytab.
> > >> To try to get it to work in my NT machine I basically did the same
> > >> thing.
> > >>
> > >> On kdc:
> > >> 1. ktpass -princ tsample/host1.d1.com at D1.COM -mapuser test -pass
> > >> testpass -out test.keytab
> > >> 2. transfer keytab to windows computer.
> > >>
> > >> There doesn't seem to be a ktutil.exe on windows.
> >
> > What do you think you need ktutil for?
>
> Please see above.
>
>
> > >> I presume I need to get a
> > >> ticket for 'tsample'. I tried kinit -k -t krb5.keytab -S tsample
> > >> test.
> > >> It didn't work. Neither did several other variations.
> >
> > Why are you giving kinit the -S flag? I do not think it does what you
> > think it does. For that matter, why are you using a keytab at all?
> > It's much easier to create a normal user principal and use kinit to
> > get tickets. If you must use a keytab, the correct invocation is
> > "kinit -k -t keytabfile tsample/host1.d1.com at D1.COM". Of course, the
> > last argument should be the actual principal name of the key you want
> > to use.
>
> If I do as you say it will change the default principal name. Due to time
> restrictions I haven't been able to gain a greater understanding of how most
> of this works but I think what I want is to get a service ticket (sample)
> for a specified principal (user). For example in Unix, after I run the
> gss-api sample program klist produces this.
>
> default principal: user at D1.COM
>
> krbtgt/D1.COM at D1.COM
> sample/host2.d1.com at D1.COM
> sample/host2.d1.com at D1.COM
>
> BTW. The names are different than above because I'm using different
> keytabs, service names, etc. between unix tests and windows tests.
>
> The way I read this is that the principal named 'user' has three tickets.
> One tgt and two tickets for 'sample'. Not sure why there are two for
> 'sample' but that's not horribly important to me right now. Is that not
> correct?
>
> Ultimately the application will use 'rcmd' to auth the sender but just to
> see how all this fits together I'm using 'sample'
>
> Thank you for any help.
>
> > >> The gss-server sample fails with
> > >> GSS-API error acquiring credentials: Miscellaneous failure
> > >> GSS-API error acquiring credentials: No such file or directory
> >
> > The server would fail this way because it can't find the keytab file.
> > I don't know where win3k is looking for it, but you should figure this
> > out, and put the keytab there.
>
> I checked source code. First it checks env table, then
> 'default_keytab_name' in 'libdefaults'. On windows, if all else fails, it
> will go to the windows directory (\winnt). I just used krb5.conf and it finds
> the file now. However, I now get another error message.
>
> GSS-API error acquiring credentials: Miscellaneous failure
> GSS-API error acquiring credentials: No principal in keytab matches desired
> name
Are you invoking the server with the correct service_name that matches
the principal whose key is in the keytab?
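As an added illustration (this code is not from the thread or from MIT Kerberos), the following Python parses an MIT-format keytab (version 0x0502) and checks whether a given service principal is present, which is the lookup behind the "No principal in keytab matches desired name" error; it also shows that merging keytabs, as the ktutil rkt/wkt steps above do, appends entries rather than overwriting existing ones. The keytab bytes, principal names and key material are constructed inline and are not real.

```python
"""Parse, check and merge MIT-format keytabs (file format version 0x0502)."""
import struct

def _counted(buf, off):
    """Read a counted octet string: uint16 length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for the live entries in a keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size marks a deleted slot; skip the hole
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off); off += 2
        realm, off = _counted(data, off)          # realm precedes the name components
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        off += 4 + 4                              # name_type, timestamp (not needed here)
        vno8 = data[off]; off += 1
        (enctype,) = struct.unpack_from(">H", data, off); off += 2
        _key, off = _counted(data, off)           # the secret key; never print it
        vno = vno8
        if end - off >= 4:                        # optional 32-bit kvno overrides vno8
            (vno,) = struct.unpack_from(">I", data, off)
        entries.append(("/".join(comps) + "@" + realm.decode(), vno, enctype))
        off = end
    return entries

def keytab_has_principal(data, principal):
    """The check a GSS acceptor needs: is there a key for exactly this principal?"""
    return any(p == principal for p, _, _ in parse_keytab(data))

def merge_keytabs(first, second):
    """Append every entry of 'second' to 'first' (what ktutil rkt/wkt does); nothing is clobbered."""
    for kt in (first, second):
        if kt[:2] != b"\x05\x02":
            raise ValueError("unsupported keytab version")
    return first + second[2:]

def build_entry(principal, kvno, enctype, key):
    """Encode one keytab entry (constructed test data only)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)       # name_type 1 (KRB5_NT_PRINCIPAL), timestamp
    body += struct.pack(">H", enctype) + struct.pack(">H", len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample keytabs: made-up principals, all-zero keys, enctype numbers only.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("sample/host2.d1.com@D1.COM", 3, 17, bytes(16))
HOST_KEYTAB = b"\x05\x02" + build_entry("host/host2.d1.com@D1.COM", 1, 18, bytes(32))
```

A server started with service name "tsample" against SAMPLE_KEYTAB would fail the `keytab_has_principal` check in exactly the way the quoted error describes, while the merged keytab still lists both original principals.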