Problem with auth via keytab w/ w2k3 KDC, works fine with w2k DC
Nathan Neulinger
nneul at umr.edu
Wed Apr 7 14:40:02 EDT 2004
(Reposted from krbdev at mit.edu)
I've got a problem with keytabs related to an upgrade from W2K to W2K3 when authenticating from a Unix client w/ MIT krb5.
Principal: host/afsimap1.cc.umr.edu at UMR.EDU
Password: (example) fred
A) W2K DC
create princ via ssl-ldap on w2k domain controller, set pw to fred
kinit host/afsimap1.cc.umr.edu (against w2k dc), give password => works fine
kinit host/afsimap1.cc.umr.edu (against w2k3 dc), give password => works fine
ktutil, create keytab with that password, des-cbc-crc, kvno 1
ktutil, create keytab with that password, des-cbc-crc, kvno 3
(in our environment, it always winds up with kvno 3 on the w2k3 dc because we delete the princ first)
kinit -k -t ... host/afsimap1.cc.umr.edu (against either dc) => works fine
B) W2K3 DC
create princ via ssl-ldap on w2k3 domain controller, set pw to fred
kinit host/afsimap1.cc.umr.edu (against w2k dc), give password => works fine
kinit host/afsimap1.cc.umr.edu (against w2k3 dc), give password => works fine
ktutil, create keytab with that password, des-cbc-crc, kvno 1 and 3
kinit -k -t ... host/afsimap1.cc.umr.edu (against either dc) => preauth fails
When attempting to use the keytab - i.e. via telnetd or sshd w/ Simon's patches - I get "decrypt integrity check failed" errors (or ssh protocol error w/ pkt 34).
The _ONLY_ change that I am making between functional and non-functional is which LDAPS server I point at for creating the princ and setting the password for it.
I have the client-etypes hotfix applied, but I'm not sure it's relevant to this problem since I _am_ able to authenticate, just not with a keytab.
-- Nathan
------------------------------------------------------------
Nathan Neulinger EMail: nneul at umr.edu
University of Missouri - Rolla Phone: (573) 341-6679
UMR Information Technology Fax: (573) 341-4216
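A diagnostic check for the scenario above, added here and not part of the original post: it parses `klist -kte` and `kvno` output (both samples are constructed; only the principal name is taken from the post) and reports whether the keytab holds an entry at the kvno the KDC actually put in the service ticket, and with which enctypes.

```python
import re

# Constructed sample of `klist -kte` output (not captured from the poster's host):
# two des-cbc-crc entries for the same principal, at kvno 1 and kvno 3.
KLIST_KTE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 04/07/04 14:40:02 host/afsimap1.cc.umr.edu@UMR.EDU (DES cbc mode with CRC-32)
   3 04/07/04 14:40:02 host/afsimap1.cc.umr.edu@UMR.EDU (DES cbc mode with CRC-32)
"""

# Constructed sample of `kvno host/afsimap1.cc.umr.edu` output: the kvno the KDC
# actually placed in the service ticket it issued.
KVNO_OUT = "host/afsimap1.cc.umr.edu@UMR.EDU: kvno = 3\n"

# One keytab entry: kvno, date, time, principal, "(enctype name)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$")
KVNO_RE = re.compile(r"^(\S+): kvno = (\d+)\s*$")


def parse_keytab(text):
    """Map principal -> {kvno: set of enctype names} from `klist -kte` output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, princ, etype = int(m.group(1)), m.group(2), m.group(3)
            entries.setdefault(princ, {}).setdefault(kvno, set()).add(etype)
    return entries


def parse_kvno(text):
    """Map principal -> kvno reported by the KDC, from `kvno` output."""
    return {m.group(1): int(m.group(2))
            for m in (KVNO_RE.match(l) for l in text.splitlines()) if m}


def check_keytab(klist_text, kvno_text):
    """For each principal the KDC reported, return
    (kdc_kvno, sorted keytab kvnos, enctypes present at the KDC's kvno)."""
    keytab, kdc = parse_keytab(klist_text), parse_kvno(kvno_text)
    report = {}
    for princ, kdc_kvno in kdc.items():
        by_kvno = keytab.get(princ, {})
        report[princ] = (kdc_kvno, sorted(by_kvno), sorted(by_kvno.get(kdc_kvno, ())))
    return report


if __name__ == "__main__":
    for princ, (kdc_kvno, have, etypes) in check_keytab(KLIST_KTE, KVNO_OUT).items():
        status = "OK" if etypes else "MISSING"
        print(f"{status}: {princ} KDC kvno={kdc_kvno} keytab kvnos={have} etypes={etypes}")
```

If the kvno and enctype match and `kinit -k` still fails with "decrypt integrity check failed", the key bytes themselves differ from the KDC's copy (for example a different string-to-key salt), which this check cannot see.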