service name restrictions in AD? problem with kca_service
Bob.Smart@csiro.au
Sun Oct 12 00:36:01 EDT 2003
I am trying to leverage our organization's Active
Directory krb5 system. In particular I'm trying to
get kx509 (http://www.citi.umich.edu/projects/kerb_pki/)
going.

I'm still creating user accounts for services. The
gentleman from Ford who recently asserted that it was
preferable to use computer accounts was unable to
provide the software to do it that way - if anyone
else has software to do that I'd be keen to try it.

The kx509 program talks to the kca service. The service
name "kca_service" is built in to the kx509 program,
but not into kca itself which takes its service name from
its keytab I guess.

So I was very careful to generate 2 accounts and map one
to kca_service/<hostname>@<realm> and the other to just
kca/<hostname>@<realm>. Then run kx509 under the debugger
using the kca_service keytab, then just change the service
to "kca" and restart kca and rerun.

With just kca it worked. With kca_service I got:

get_cert_authent_K5: krb5_mk_req: Server not found in Kerberos database
Try re-authenticating(K5). Unable to use your tickets to build the
necessary authenticator.

However I find this hard to believe since there doesn't seem
to be any report of such a problem on the web that I can find.

Bob