GSS-API win2k/unix need help!

Rick mail at server.net
Tue Feb 26 15:19:59 EST 2002


"Kevin Coffman" <kwc at citi.umich.edu> wrote in message
news:20020226172818.36E4F207C8 at citi.umich.edu...
> >
> > "Marc Horowitz" <marc at mit.edu> wrote in message
> > news:t53n0xxavrq.fsf at horowitz-m1.mit.edu...
> > > "Rick" <mail at server.net> writes:
> > >
> > > >> On unix
> > > >> 1. ktutil
> > > >> 2. rkt unix1.keytab
> > > >> 3. list
> > > >> 4. wkt /etc/krb5.keytab
> > > >> 5. q
> > >
> > > Is there a reason you did all this instead of "cp"?
> >
> > Basically this is what the MS document outlined.  Not being familiar with
> > Kerberos I can only presume ktutil does more than just merge keytabs.  Based
> > on your post it seems as if that's not the case.
>
>
> If there are no keys already in /etc/krb5.keytab that you care about,
> 'cp' will do the job.  If there are already keys in /etc/krb5.keytab
> and you want to add another key from a different keytab, then the
> 5-step process above is the right way to do it; as ktutil will not
> clobber the existing keys already in /etc/krb5.keytab.
>
>
> > > >> To try to get it to work in my NT machine I basically did the same thing.
> > > >>
> > > >> On kdc:
> > > >> 1. ktpass -princ tsample/host1.d1.com at D1.COM -mapuser test -pass
> > > >> testpass -out test.keytab
> > > >> 2. transfer keytab to windows computer.
> > > >>
> > > >> There doesn't seem to be a ktutil.exe on windows.
> > >
> > > What do you think you need ktutil for?
> >
> > Please see above.
> >
> >
> > > >> I presume I need to get a ticket for 'tsample'.  I tried
> > > >> kinit  -k -t krb5.keytab  -S tsample test.
> > > >> It didn't work.  Neither did several other variations.
> > >
> > > Why are you giving kinit the -S flag?  I do not think it does what you
> > > think it does.  For that matter, why are you using a keytab at all?
> > > It's much easier to create a normal user principal and use kinit to
> > > get tickets.  If you must use a keytab, the correct invocation is
> > > "kinit -k -t keytabfile tsample/host1.d1.com at D1.COM".  Of course, the
> > > last argument should be the actual principal name of the key you want
> > > to use.
> >
> > If I do as you say it will change the default principal name.  Due to time
> > restrictions I haven't been able to gain a greater understanding of how most
> > of this works but I think what I want is to get a service ticket (sample)
> > for a specified principal (user).  For example in Unix, after I run the
> > gss-api sample program klist produces this.
> >
> > default principal: user at D1.COM
> >
> > krbtgt/D1.COM at D1.COM
> > sample/host2.d1.com at D1.COM
> > sample/host2.d1.com at D1.COM
> >
> > BTW.  The names are different than above because I'm using different
> > keytabs, service names, etc. between unix tests and windows tests.
> >
> > The way I read this is that the principal named 'user' has three tickets.
> > One tgt and two tickets for 'sample'.  Not sure why there are two for
> > 'sample' but that's not horribly important to me right now.  Is that not
> > correct?
> >
> > Ultimately the application will use 'rcmd' to auth the sender but just to
> > see how all this fits together I'm using 'sample'
> >
> > Thank you for any help.
> >
> >
> >
> >
> > > >> The gss-server sample fails with
> > > >> GSS-API error acquiring credentials: Miscellaneous failure
> > > >> GSS-API error acquiring credentials: No such file or directory
> > >
> > > The server would fail this way because it can't find the keytab file.
> > > I don't know where win3k is looking for it, but you should figure this
> > > out, and put the keytab there.
> >
> > I checked source code.  First it checks env table, then
> > 'default_keytab_name' in 'libdefaults'.   On windows, if all else fails, it
> > will go to windows direction (\winnt).  I just used krb5.conf and it finds
> > the file now.  However, I now get another error message.
> >
> > GSS-API error acquiring credentials: Miscellaneous failure
> > GSS-API error acquiring credentials: No principal in keytab matches desired
> > name
>
>
> Are you invoking the server with the correct service_name that matches
> the principal whose key is in the keytab?

I'm invoking the server with 'tsample'.

I created the keytab with
ktpass -princ tsample/user.d1.com at D1.COM -mapuser test -pass password -out test.keytab

I copied test.keytab to the file specified in the krb5.conf file
(winnt\krb5.keytab) then did a kinit as 'test'.

What's the relationship between the service_name and a principal?



Thanks for the help.


> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos
>
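The "No principal in keytab matches desired name" error and the service_name question at the end of the thread both come down to one comparison: the server turns its service_name argument into a full principal and then looks for exactly that principal in the keytab. The following script is an added illustration written for this archive page, not code from the thread or from the MIT sample programs. It builds a small keytab in memory with a constructed key (real keytabs come from ktpass or ktutil), parses it with the MIT keytab file layout (version 0x0502, big-endian lengths), and shows the name a gss-server style program derives from a host-based service name. The assumptions are labelled in the comments: that a bare service name is completed with the local fully qualified hostname, and that the match must be exact, component by component and realm included.

```python
import socket
import struct

KEYTAB_VERSION = b"\x05\x02"  # MIT keytab file format 0x0502, all integers big-endian


def _counted(data: bytes) -> bytes:
    """Encode a counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(blob: bytes, pos: int):
    """Decode a counted_octet_string at pos; return (text, new_pos)."""
    (n,) = struct.unpack_from(">H", blob, pos)
    pos += 2
    return blob[pos:pos + n].decode(), pos + n


def build_keytab(entries):
    """Write an in-memory keytab from (principal, kvno, enctype, key) tuples.
    principal is 'comp1/comp2@REALM'. Constructed data for the demo only;
    the key bytes here are not a real Kerberos key."""
    out = bytearray(KEYTAB_VERSION)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">I", 1)             # name_type: KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)             # timestamp (0 in constructed data)
        body += struct.pack(">B", kvno & 0xFF)   # 8-bit key version number
        body += struct.pack(">H", enctype) + _counted(key)
        out += struct.pack(">i", len(body)) + body   # entry length prefix
    return bytes(out)


def parse_keytab(blob: bytes):
    """Parse a 0x0502 keytab; return one dict per live key entry (key bytes omitted)."""
    if blob[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % blob[:2])
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                 # negative length marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_counted(blob, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(blob, pos)
            comps.append(comp)
        name_type, timestamp, kvno = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        (klen,) = struct.unpack_from(">H", blob, pos)
        pos += 2 + klen
        if end - pos >= 4:           # optional 32-bit kvno overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", blob, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype})
    return entries


def expected_server_principal(service_name, realm, hostname=None):
    """Assumed behaviour of a gss-server style program: the host-based name
    'service' or 'service@host' is imported as 'service/<host>@REALM', with a
    missing host filled in from the local fully qualified hostname."""
    if "@" in service_name:
        service, host = service_name.split("@", 1)
    else:
        service, host = service_name, hostname or socket.getfqdn()
    return "%s/%s@%s" % (service, host.lower(), realm)


def keytab_has_principal(entries, principal):
    """Exact match only: every component and the realm must agree."""
    return any(e["principal"] == principal for e in entries)


if __name__ == "__main__":
    # Constructed keytab modelled on the thread's ktpass output (fake key bytes).
    kt = build_keytab([("tsample/user.d1.com@D1.COM", 3, 23, b"\x01" * 16)])
    entries = parse_keytab(kt)
    print("keytab contains:", [e["principal"] for e in entries])
    # Server started as 'gss-server tsample' on a host called host1.d1.com:
    want = expected_server_principal("tsample", "D1.COM", hostname="host1.d1.com")
    print(want, "->", "found" if keytab_has_principal(entries, want) else "no matching principal")
    # Naming the host explicitly picks the entry that is actually in the keytab:
    want = expected_server_principal("tsample@user.d1.com", "D1.COM")
    print(want, "->", "found" if keytab_has_principal(entries, want) else "no matching principal")
```

Run it and the first lookup fails the way the thread's server does, because the keytab holds tsample/user.d1.com@D1.COM while the server asks for tsample/host1.d1.com@D1.COM; the second lookup succeeds. Listing the parsed principals is also a quick way to confirm what ktpass or ktutil actually wrote before chasing GSS-API errors.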