using kinit with a Win2k KDC
Dave Snoopy
kingsnoopy7 at yahoo.com
Mon May 13 15:42:14 EDT 2002
You are a very intelligent man. It worked! Thanks a
million!
--Dave
--- John Brezak <jbrezak at windows.microsoft.com> wrote:
> You need to change the Administrator password at least once after DC
> promotion.
>
> Any account that is present before an "upgrade" requires that the
> password be changed so that the DES keys are generated.
>
> The "administrator" account is created prior to DC promotion and because
> of this it is just like an "upgrade" even though the domain is new.
>
> -----Original Message-----
> From: Dave Snoopy [mailto:kingsnoopy7 at yahoo.com]
> Sent: Monday, May 13, 2002 12:09 PM
> To: kerberos at mit.edu
> Subject: using kinit with a Win2k KDC
>
> Hi All,
>
> I am using MIT Kerberos 5, and its tool "kinit", to try and get a TGT
> from a Win2k KDC (which is also my Primary Domain Controller).
>
> My KDC/PDC is called GEM.MYCOMPANY.COM. I am able to get a ticket for
> any user which I create on Gem (e.g.
> kinit testuser@GEM.MYCOMPANY.COM). I'm able to do a klist and see my
> ticket. I've also looked at a network trace on port 88, and everything
> seems to go smoothly.
>
> However, a problem arises when I try to use kinit to get a TGT for the
> special user "administrator", I get rejected. The error that kinit
> gives me is:
>
> # kinit administrator@GEM.MYCOMPANY.COM
> kinit(v5): KDC has no support for encryption type while getting initial credentials.
>
> I did a network trace on port 88 with Ethereal. The conversation
> between my machine and the KDC looks something like this:
>
> 1) Request for "administrator" in realm GEM.MYCOMPANY.COM. Encryption
> types are "des-cbc-crc".
>
> 2) Server responds with error
> "KRB5KDC_ERR_PREAUTH_REQUIRED".
>
> 3) Client resends request, this time with
> Pre-Authentication section.
>
> 4) Server responds with error
> "KRB5KDC_ERR_ETYPE_NOSUPP".
>
> I then checked the EventViewer on my PDC, and saw this error:
>
> Source: KDC
> Description: The account Administrator did not have a suitable key for
> generating a Kerberos ticket. If the encryption type is supported,
> changing or setting the password will generate a proper key.
>
> Does anyone know why this should work for all users besides
> administrator? Better yet, does anyone know how I can get it to work
> for administrator? My eventual goal is to use OpenLDAP to do some
> querying on the PDC. For this I'll need to authenticate with the PDC
> as "administrator" via LDAP, and will thus need a TGT for the
> administrator user (or so I understand).
>
> Thanks,
> Dave
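
The exchange in the trace above and the effect of the password change, as an added example that is not part of the original thread and is not Windows or MIT code. It is a simplified model: ToyKDC, kinit() and demo() are hypothetical names, the key derivation is a stand-in for the real string-to-key functions, the passwords are constructed, and the assumption that the pre-promotion account holds only an RC4-HMAC key is not stated in the thread.

```python
import hashlib

# Kerberos etype numbers and KDC error codes (RFC 4120 / RFC 4757).
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC = 1, 3, 23
KDC_ERR_ETYPE_NOSUPP, KDC_ERR_PREAUTH_REQUIRED = 14, 25

class ToyKDC:
    """Simplified model of a KDC's AS exchange (hypothetical, for illustration)."""

    def __init__(self, supported_etypes):
        self.supported = supported_etypes
        self.keys = {}  # principal -> {etype: long-term key}

    def import_account(self, principal, password, etypes):
        # Account carried over from before promotion: keys exist only for `etypes`.
        self.keys[principal] = {e: self._derive(principal, password, e) for e in etypes}

    def set_password(self, principal, password):
        # A password change derives a key for every etype the KDC supports.
        self.import_account(principal, password, self.supported)

    @staticmethod
    def _derive(principal, password, etype):
        # Stand-in for the real per-etype string-to-key functions.
        return hashlib.sha256(f"{etype}:{principal}:{password}".encode()).digest()

    def as_req(self, principal, etypes, preauth=False):
        if not preauth:
            return ("error", KDC_ERR_PREAUTH_REQUIRED)      # step 2 in the trace
        usable = [e for e in etypes if e in self.keys.get(principal, {})]
        if not usable:
            return ("error", KDC_ERR_ETYPE_NOSUPP)          # step 4 in the trace
        return ("tgt", usable[0])

def kinit(kdc, principal, etypes):
    """Client side: retry with pre-authentication when the KDC asks for it."""
    reply = kdc.as_req(principal, etypes)                    # step 1
    if reply == ("error", KDC_ERR_PREAUTH_REQUIRED):
        reply = kdc.as_req(principal, etypes, preauth=True)  # step 3
    return reply

def demo():
    kdc = ToyKDC([DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC])
    kdc.set_password("testuser", "constructed-pw-1")         # created after promotion
    # Assumption: the account that predates promotion has no DES key, only RC4-HMAC.
    kdc.import_account("administrator", "constructed-pw-2", [RC4_HMAC])
    before = kinit(kdc, "administrator", [DES_CBC_CRC])      # DES-only client fails
    kdc.set_password("administrator", "constructed-pw-3")    # the fix from the reply
    after = kinit(kdc, "administrator", [DES_CBC_CRC])
    return kinit(kdc, "testuser", [DES_CBC_CRC]), before, after
```

demo() returns the result for testuser, then for administrator before and after the password change.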