GSS-API win2k/unix need help!

Kevin Coffman kwc at citi.umich.edu
Tue Feb 26 12:28:17 EST 2002


> 
> "Marc Horowitz" <marc at mit.edu> wrote in message
> news:t53n0xxavrq.fsf at horowitz-m1.mit.edu...
> > "Rick" <mail at server.net> writes:
> >
> > >> On unix
> > >> 1. ktutil
> > >> 2. rkt unix1.keytab
> > >> 3. list
> > >> 4. wkt /etc/krb5.keytab
> > >> 5. q
> >
> > Is there a reason you did all this instead of "cp"?
> 
> Basically this is what the MS document outlined.  Not being familiar with
> Kerberos I can only presume ktutil does more than just merge keytabs.  Based
> on your post it seems as if that's not the case.


If there are no keys already in /etc/krb5.keytab that you care about,
'cp' will do the job.  If there are already keys in /etc/krb5.keytab
and you want to add another key from a different keytab, then the
5-step process above is the right way to do it, as ktutil will not
clobber the existing keys already in /etc/krb5.keytab.


> > >> To try to get it to work in my NT machine I basically did the same thing.
> > >>
> > >> On kdc:
> > >> 1. ktpass -princ tsample/host1.d1.com at D1.COM -mapuser test -pass
> > >> testpass -out test.keytab
> > >> 2. transfer keytab to windows computer.
> > >>
> > >> There doesn't seem to be a ktutil.exe on windows.
> >
> > What do you think you need ktutil for?
> 
> Please see above.
> 
> 
> > >> I presume I need to get a
> > >> ticket for 'tsample'.  I tried kinit -k -t krb5.keytab -S tsample test.
> > >> It didn't work.  Neither did several other variations.
> >
> > Why are you giving kinit the -S flag?  I do not think it does what you
> > think it does.  For that matter, why are you using a keytab at all?
> > It's much easier to create a normal user principal and use kinit to
> > get tickets.  If you must use a keytab, the correct invocation is
> > "kinit -k -t keytabfile tsample/host1.d1.com at D1.COM".  Of course, the
> > last argument should be the actual principal name of the key you want
> > to use.
> 
> If I do as you say it will change the default principal name.  Due to time
> restrictions I haven't been able to gain a greater understanding of how most
> of this works but I think what I want is to get a service ticket (sample)
> for a specified principal (user).  For example in Unix, after I run the
> gss-api sample program klist produces this.
> 
> default principal: user at D1.COM
> 
> krbtgt/D1.COM at D1.COM
> sample/host2.d1.com at D1.COM
> sample/host2.d1.com at D1.COM
> 
> BTW.  The names are different than above because I'm using different
> keytabs, service names, etc. between unix tests and windows tests.
> 
> The way I read this is that the principal named 'user' has three tickets.
> One tgt and two tickets for 'sample'.  Not sure why there are two for
> 'sample' but that's not horribly important to me right now.  Is that not
> correct?
> 
> Ultimately the application will use 'rcmd' to auth the sender but just to
> see how all this fits together I'm using 'sample'.
> 
> Thank you for any help.
> 
> 
> 
> 
> > >> The gss-server sample fails with
> > >> GSS-API error acquiring credentials: Miscellaneous failure
> > >> GSS-API error acquiring credentials: No such file or directory
> >
> > The server would fail this way because it can't find the keytab file.
> > I don't know where win3k is looking for it, but you should figure this
> > out, and put the keytab there.
> 
> I checked source code.  First it checks env table, then
> 'default_keytab_name' in 'libdefaults'.   On windows, if all else fails, it
> will go to the windows directory (\winnt).  I just used krb5.conf and it finds
> the file now.  However, I now get another error message.
> 
> GSS-API error acquiring credentials: Miscellaneous failure
> GSS-API error acquiring credentials: No principal in keytab matches desired name


Are you invoking the server with the correct service_name that matches
the principal whose key is in the keytab?
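As an added illustration (not code from this thread or from MIT krb5), the Python below encodes and parses the MIT keytab file format so you can see what "ktutil rkt ...; wkt ..." merging preserves and check whether a keytab actually holds the service/host@REALM principal that gss-server asks for; it assumes format version 0x0502 with counted strings and the optional 32-bit kvno trailer, and the sample keytab at the bottom (enctype numbers, kvnos, zeroed keys) is constructed.

```python
import struct
KEYTAB_V2 = b"\x05\x02"  # MIT keytab file format version 2 (0x0502)

def _cstr(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b  # counted_octet_string: 16-bit length + bytes

def keytab_entry(principal: str, kvno: int, enctype: int, key: bytes, ts: int = 0) -> bytes:
    """Encode one keytab entry for a principal written as 'comp1/comp2@REALM'."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, ts, kvno & 0xFF)      # name_type, timestamp, 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key   # keyblock: enctype, length, key
    body += struct.pack(">I", kvno)                       # optional 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body            # signed length prefix

def merge_keytabs(*keytabs: bytes) -> bytes:
    """Concatenate entries as 'ktutil rkt ...; wkt ...' does: existing keys are kept."""
    return KEYTAB_V2 + b"".join(k[2:] for k in keytabs)

def parse_keytab(data: bytes):
    """Return [(principal, kvno, enctype), ...]; a negative length marks an empty slot."""
    if data[:2] != KEYTAB_V2: raise ValueError("unsupported keytab version")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off); off += 4
        if size < 0:                      # deleted slot: skip its bytes
            off -= size
            continue
        end, p = off + size, off
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        strings = []
        for _ in range(ncomp + 1):        # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, p); p += 2
            strings.append(data[p:p + n].decode()); p += n
        p += 8                            # skip name_type and timestamp
        vno8 = data[p]; p += 1
        enctype, klen = struct.unpack_from(">HH", data, p); p += 4 + klen
        kvno = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else vno8
        entries.append(("/".join(strings[1:]) + "@" + strings[0], kvno, enctype))
        off = end
    return entries

def keys_for(data: bytes, service: str, host: str, realm: str):
    """gss-server needs service/host@REALM; [] is the 'No principal in keytab matches' case."""
    return [e for e in parse_keytab(data) if e[0] == f"{service}/{host}@{realm}"]
SAMPLE_KEYTAB = merge_keytabs(  # constructed sample, not from the thread: zero keys, made-up kvnos
    KEYTAB_V2 + keytab_entry("sample/host2.d1.com@D1.COM", 2, 17, bytes(16)),
    KEYTAB_V2 + keytab_entry("tsample/host1.d1.com@D1.COM", 1, 23, bytes(16)))
```

Running keys_for(SAMPLE_KEYTAB, "tsample", "host2.d1.com", "D1.COM") returns an empty list, which is exactly the mismatch between the server's service_name/host and the keytab's principal that produces the error quoted above.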