Problem with auth via keytab w/ w2k3 KDC, works fine with w2k DC

Sam Hartman hartmans at MIT.EDU
Thu Apr 8 13:03:47 EDT 2004


>>>>> "Neulinger," == Neulinger, Nathan <nneul at umr.edu> writes:

    >> > ktutil, create keytab with that password, des-cbc-crc, kvno 1
    >> > ktutil, create keytab with that password, des-cbc-crc, kvno 3
    >> 
    >> This might be the problem. Can you create the keytab with
    >> des-cbc-md5, as the W2003 may be only accepting des-cbc-md5 as
    >> the e-type, and when used with kinit, kinit may be trying to
    >> what it found in the keytab, des-cbc-crc, and w2003 will only
    >> accept des-cbc-md5.

    Neulinger,> No go... Still get preauthentication failed. Also
    Neulinger,> tried changing the enctypes options in krb5.conf to
    Neulinger,> only list md5 instead of crc and md5, also no
    Neulinger,> change. Password based auth still works fine.

Do you get anything interesting in the KDC log's event viewer for this?

Also, if you can figure out what salt the Windows KDC is sending you,
that would be interesting.  Unfortunately I cannot think of a good way
to do that.  I don't think either ethereal or netmon will parse the
right part of the packet.  You could probably set a breakpoint on
krb5_c_string_to_key and try password auth.


