service name restrictions in AD? problem with kca_service

Bob.Smart@csiro.au
Sun Oct 12 00:36:01 EDT 2003


I am trying to leverage our organization's Active 
Directory krb5 system. In particular I'm trying to 
get kx509 (http://www.citi.umich.edu/projects/kerb_pki/)
going.

I'm still creating user accounts for services. The 
gentleman from Ford who recently asserted that it was 
preferable to use computer accounts was unable to 
provide the software to do it that way - if anyone 
else has software to do that I'd be keen to try it.

The kx509 program talks to the kca service. The service 
name "kca_service" is built into the kx509 program, 
but not into kca itself, which takes its service name from 
its keytab I guess.

So I was very careful to generate 2 accounts and map one 
to kca_service/<hostname>@<realm> and the other to just 
kca/<hostname>@<realm>. Then run kx509 under the debugger 
using the kca_service keytab, then just change the service 
to "kca" and restart kca and rerun.

With just kca it worked. With kca_service I got:

  get_cert_authent_K5: krb5_mk_req: Server not found in Kerberos database
  Try re-authenticating(K5).  Unable to use your tickets to build the
necessary authenticator.

However I find this hard to believe since there doesn't seem 
to be a report of such a problem on the web that I can find.

Bob


More information about the Kerberos mailing list
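Added after the post as a worked check; it is not part of Bob's message and not code from kx509 or kca. The post's setup is that kx509 asks the KDC for kca_service/<hostname>@<realm> while kca authenticates with whatever principal its keytab holds, so the name the client requests, the name in the keytab and the SPN registered on the AD account all have to agree before "Server not found in Kerberos database" can be ruled out as a naming problem. The Python below decodes an MIT-format (version 0x0502) keytab and reports whether the principal the client will request is present, absent, or present only under a different case. The hostname kca.example.com, realm EXAMPLE.COM, key bytes and kvno values are constructed sample data, and build_keytab exists only to construct that sample. The AD side of the same check is setspn -L on the service account, which lists the SPNs the KDC will honour for it.

```python
import struct

KEYTAB_VERSION = b"\x05\x02"   # MIT keytab file format, version 2


def _counted(buf, off):
    """Read a uint16-length-prefixed octet string at buf[off:]; return (bytes, new_off)."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def _pack_counted(b):
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Encode (principal, kvno, enctype, key) tuples as a version-2 keytab.
    Constructed-sample helper only; principals are written as 'svc/host@REALM'."""
    out = bytearray(KEYTAB_VERSION)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _pack_counted(realm.encode())
        for c in comps:
            body += _pack_counted(c.encode())
        # name_type 1 = KRB5_NT_PRINCIPAL, timestamp 0, 8-bit kvno
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _pack_counted(key)
        body += struct.pack(">I", kvno)        # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Decode a version-2 keytab into dicts carrying principal, name_type, kvno, enctype."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size marks a deleted slot: skip it
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        _key, off = _counted(data, off)   # key material is not needed for a name check
        kvno = vno8
        if end - off >= 4:           # newer keytabs append the full 32-bit kvno
            (kvno,) = struct.unpack_from(">I", data, off)
        off = end
        entries.append({
            "principal": "%s@%s" % ("/".join(comps), realm.decode()),
            "name_type": name_type,
            "kvno": kvno,
            "enctype": enctype,
        })
    return entries


def client_principal(service, hostname, realm):
    """The name a client such as kx509 will ask the KDC for: <service>/<hostname>@<REALM>."""
    return "%s/%s@%s" % (service, hostname, realm)


def check_keytab(keytab_bytes, service, hostname, realm):
    """Return 'ok', 'case-mismatch' or 'missing' for the principal the client will request.
    A case mismatch is reported separately because MIT compares principal names
    case-sensitively while the name the client sends may have been canonicalised."""
    wanted = client_principal(service, hostname, realm)
    have = [e["principal"] for e in parse_keytab(keytab_bytes)]
    if wanted in have:
        return "ok"
    if wanted.lower() in (p.lower() for p in have):
        return "case-mismatch"
    return "missing"


# Constructed sample: a keytab holding only kca/<host>, as in the case that worked.
# enctype 23 is rc4-hmac; the key bytes are dummy filler.
SAMPLE_KEYTAB = build_keytab([
    ("kca/kca.example.com@EXAMPLE.COM", 3, 23, b"\x11" * 16),
])

if __name__ == "__main__":
    for svc in ("kca", "kca_service"):
        print(client_principal(svc, "kca.example.com", "EXAMPLE.COM"),
              check_keytab(SAMPLE_KEYTAB, svc, "kca.example.com", "EXAMPLE.COM"))
```

Run against a real keytab, read the file bytes and pass them to check_keytab with the service name the client hard-codes ("kca_service" for kx509), the host's canonical name and the AD realm; a "missing" result with the same name absent from setspn -L output points at the account mapping rather than at the kca daemon.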