netjoin with Windows 2003 Server???

Doug Lamoureux dougl at hp.com
Mon Apr 5 13:30:43 EDT 2004


Has anyone been able to use the netjoin tool on Unix (HP-UX in my case)
(source from MS:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnactdir/html/kerberossamp.asp) 

to create a computer account and keytab file with a Windows 2003 Server?

I'm able to create the account, and the keytab file is created, but when
I use the keytab file to authenticate as the "host" principal (using
kinit) it fails.  However, if I use the random password generated for the
account I can successfully execute kinit:

# netjoin -D ACME.COM -s win2k3.acme.com hpatcux8.acme.com
Creating host account for hpatcux8.acme.com at ACME.COM
..
Key length is 8
Host password "+DjlDvd7iUhnqKOLs" key  (0x076819dc320b132f)
default keytab name - "WRFILE:/tmp/hpatcux8.keytab"
Saving key version 1 in WRFILE:/tmp/hpatcux8.keytab

# kinit -k -t  /tmp/hpatcux8.keytab   host/hpatcux8.acme.com
kinit(v5): Preauthentication failed while getting initial credentials

BUT if I use the password, "+DjlDvd7iUhnqKOLs" in this case, kinit works
fine:

# kinit host/hpatcux8.acme.com
Password for host/hpatcux8.acme.com at ACME.COM:

# klist
Ticket cache: /tmp/krb5cc_0
Default principal: host/hpatcux8.acme.com at ACME.COM

Valid starting     Expires            Service principal
04/02/04 16:54:22  04/03/04 02:54:25  krbtgt/ACME.COM at ACME.COM
         renew until 04/03/04 16:54:22

This same binary works fine with Windows 2000 Server:

# ./netjoin -D acme.com -v -v -v  -s hpatcwin2k.acme.com hpatcux8.acme.com
Creating host account for hpatcux8.acme.com at acme.com
Searching for "hpatcux8" at "dc=acme,dc=com" ...
...
Setting computer password for: host/hpatcux8.acme.com at ACME.COM ...
password:+ZwZuitfPRQka9JFi
Key length is 8
Host password "+ZwZuitfPRQka9JFi" key  (0x984f134f91294567)
default keytab name - "WRFILE:/tmp/hpatcux8.keytab"
Saving key version 1 in WRFILE:/tmp/hpatcux8.keytab

#
# kinit -k  -t /tmp/hpatcux8.keytab   host/hpatcux8.acme.com
#
# klist
Ticket cache: /tmp/krb5cc_0
Default principal: host/hpatcux8.acme.com at ACME.COM

Valid starting     Expires            Service principal
04/05/04 09:53:16  04/05/04 19:53:16  krbtgt/ACME.COM at ATC.ACME.COM


Any ideas??  I've linked it with MIT Kerberos 1.3.2 as well as an old
MIT 1.1(?) version.

Thanks...
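As an added example that is not part of the post, a small parser for the MIT version-2 keytab format so the entry netjoin wrote (principal, realm, kvno, enctype and key bytes) can be read back and compared with what netjoin printed, plus the odd-parity check every DES key byte must pass. The sample keytab is constructed here from the key shown in the post; the enctype value 3 (des-cbc-md5) is an assumption, since the post does not state which DES enctype netjoin used.

```python
import struct

KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab file format, version 2

def _counted(data, off):  # counted octet string: uint16 big-endian length + bytes
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(blob):
    """Return the entries of a v2 keytab as dicts (principal, kvno, enctype, key hex)."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 MIT keytab")
    entries, off = [], 2
    while off < len(blob):
        (size,) = struct.unpack_from(">i", blob, off)
        off += 4
        if size < 0:                 # negative size marks a deleted entry: skip the hole
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", blob, off)
        realm, off = _counted(blob, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(blob, off)
            comps.append(c.decode())
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", blob, off)
        enctype, klen = struct.unpack_from(">HH", blob, off + 9)
        off += 13
        key, off = blob[off:off + klen], off + klen
        if end - off >= 4:           # optional 32-bit kvno overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", blob, off)
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key.hex()})
    return entries
def des_parity_ok(key):
    """Every byte of a DES key must have odd parity; a mis-written key fails here first."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)
def build_keytab(principal, realm, kvno, enctype, key, timestamp=0):
    """Write a one-entry v2 keytab; used here only to construct the sample input."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # name_type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key
    return KEYTAB_MAGIC + struct.pack(">i", len(body)) + body
# Constructed sample: the key netjoin printed in the post; enctype 3 (des-cbc-md5) is assumed.
SAMPLE = build_keytab("host/hpatcux8.acme.com", "ACME.COM", 1, 3, bytes.fromhex("076819dc320b132f"))
```

Running `parse_keytab` over the real `/tmp/hpatcux8.keytab` shows whether the realm, principal name, kvno and key bytes in the file match the line netjoin printed, which is the first thing to rule out before looking at the KDC side.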