using kinit with a Win2k KDC

John Brezak jbrezak at windows.microsoft.com
Mon May 13 15:27:58 EDT 2002


You need to change the Administrator password at least once after DC
promotion.

Any account that is present before an "upgrade" requires that the
password be changed so that the DES keys are generated.

The "administrator" account is created prior to DC promotion and because
of this it is just like an "upgrade" even though the domain is new.

-----Original Message-----
From: Dave Snoopy [mailto:kingsnoopy7 at yahoo.com] 
Sent: Monday, May 13, 2002 12:09 PM
To: kerberos at mit.edu
Subject: using kinit with a Win2k KDC

Hi All,

I am using MIT Kerberos 5, and its tool "kinit", to
try and get a TGT from a Win2k KDC (which is also my
Primary Domain Controller).

My KDC/PDC is called GEM.MYCOMPANY.COM. I am able to
get a ticket for any user which I create on Gem (e.g.
kinit testuser@GEM.MYCOMPANY.COM). I'm able to do a
klist and see my ticket. I've also looked at a network
trace on port 88, and everything seems to go smoothly.

However, a problem arises when I try to use kinit to
get a TGT for the special user "administrator", I get
rejected. The error that kinit gives me is:

# kinit administrator@GEM.MYCOMPANY.COM
kinit(v5): KDC has no support for encryption type
while getting initial credentials.

I did a network trace on port 88 with Ethereal. The
conversation between my machine and the KDC looks
something like this:

1) Request for "administrator" in realm
GEM.MYCOMPANY.COM. Encryption types are "des-cbc-crc".

2) Server responds with error
"KRB5KDC_ERR_PREAUTH_REQUIRED".

3) Client resends request, this time with
Pre-Authentication section.

4) Server responds with error
"KRB5KDC_ERR_ETYPE_NOSUPP".

I then checked the EventViewer on my PDC, and saw this
error:

Source: KDC
Description: The account Administrator did not have a
suitable key for generating a Kerberos ticket. If the
encryption type is supported, changing or setting the
password will generate a proper key.

Does anyone know why this should work for all users
besides administrator? Better yet, does anyone know
how I can get it to work for administrator? My
eventual goal is to use OpenLDAP to do some querying
on the PDC. For this I'll need to authenticate with
the PDC as "administrator" via LDAP, and will thus
need a TGT for the administrator user (or so I
understand).

Thanks,
Dave

________________________________________________
Kerberos mailing list           Kerberos at mit.edu
http://mailman.mit.edu/mailman/listinfo/kerberos
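The exchange Dave traced and the explanation John gives (no DES key exists for an account created before DC promotion until its password is set) can be replayed with a small model of the KDC's key lookup. This is an added example, not code from MIT Kerberos or Microsoft; the account table, key bytes and the assumption that the pre-promotion account holds only an RC4-HMAC key are constructed for illustration.

```python
"""Model of the AS exchange from the thread (constructed, not KDC code).

The KDC can only issue a ticket in an etype for which it holds a key
derived from the account's password. An account that existed before DC
promotion has no DES key until its password is changed, so a client that
offers only des-cbc-crc is refused with KRB5KDC_ERR_ETYPE_NOSUPP.
"""

DES_CBC_CRC = "des-cbc-crc"
RC4_HMAC = "rc4-hmac"  # assumed to be the key type the old account does have

# Constructed account database: principal -> {etype: key material}.
ACCOUNTS = {
    # Created after promotion: keys for every supported etype were derived.
    "testuser": {DES_CBC_CRC: b"des-key", RC4_HMAC: b"rc4-key"},
    # Created before promotion ("upgrade" case): no DES key yet.
    "administrator": {RC4_HMAC: b"rc4-key"},
}


def as_request(accounts, principal, requested_etypes, preauth=False):
    """Return the KDC's reply to one AS-REQ for the given principal."""
    keys = accounts.get(principal)
    if keys is None:
        return "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN"
    if not preauth:
        # First round trip in the trace: the KDC demands pre-authentication.
        return "KRB5KDC_ERR_PREAUTH_REQUIRED"
    usable = [e for e in requested_etypes if e in keys]
    if not usable:
        # Second round trip for "administrator": no key in any offered etype.
        return "KRB5KDC_ERR_ETYPE_NOSUPP"
    return f"AS-REP({usable[0]})"


def kinit(accounts, principal, requested_etypes):
    """Replay the two-round exchange and return the KDC replies in order."""
    replies = [as_request(accounts, principal, requested_etypes)]
    if replies[0] == "KRB5KDC_ERR_PREAUTH_REQUIRED":
        replies.append(as_request(accounts, principal, requested_etypes, True))
    return replies


def change_password(accounts, principal, supported_etypes):
    """Setting the password (re)derives a key for every supported etype."""
    accounts[principal] = {e: b"new-key" for e in supported_etypes}


if __name__ == "__main__":
    print(kinit(ACCOUNTS, "testuser", [DES_CBC_CRC]))
    print(kinit(ACCOUNTS, "administrator", [DES_CBC_CRC]))
    change_password(ACCOUNTS, "administrator", [DES_CBC_CRC, RC4_HMAC])
    print(kinit(ACCOUNTS, "administrator", [DES_CBC_CRC]))
```

The same pattern shows why the Event Viewer message points at the password rather than at KDC etype support: once the password is changed, the DES key exists and the identical kinit request succeeds.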
