Generating KRB5 keytab Ticket

Douglas E. Engert deengert at anl.gov
Mon Feb 23 17:58:05 EST 2004 


"Talwar, Puneet (NIH/NIAID)" wrote:
> 
> 
> HI,
> 
> I am having some issues creating krb5.keytab ticket on Windows 2000 server.
> I have followed the direction on how to create krb5.keytab file from the
> following URL below.
> 
> http://support.microsoft.com/default.aspx?scid=kb;en-us;324144
> <http://support.microsoft.com/default.aspx?scid=kb;en-us;324144>
> 
> 
> Here is the command syntax I am using to create the keytab file and the
> error messages that I am getting.
> 
> C:\>Ktpass -princ host/xxx.domain.gov at xxx.domain
> <mailto:host/xxx.domain.gov at xxx.domain> .gov -mapuser macunis -pass password
> -out macunis.keytab

Something did not print correctly above, as it has a <mailto:...>
stuck in the middle. What was the real command?


The mapuser here may be misleading. You need to create an account
for the machine, line hostXXX  where XXX is the unqalified host name
and use hostXXX as the mapuser. The associates the principal name with
the account.   

I assume that there is a user macunis, and this is not the host.   


> Failed to set property "servicePrincipalName" to "host/xxxxdomain.gov" on Dn

The above does not look correct either. If you are going to obfuscate
the names please be consistent. Double check that you have not left out 
a "." above. I also see the use of xx twice, as well as xxx and xxxx some 
of these should match. Based on your e-mail address, one of these is 
most likely nih. 
 
 


> "CN=Mac Unis,CN=Users,DC=xx,DC=xx,DC=gov".
> WARNING: Unable to set SPN mapping data.
>   If macunis already has an SPN mapping installed for  host/xxx.domain.gov,
> this is no cause for concern.
> Failed to retrieve user info for macunis.
> Aborted.
> 
> If someone is help me out here as to why I am getting these error messages I
> would appreciate it.
> 
> Thanks,
> 
> Puneet
> 
> 
> ----------------------------------------------------------
> Puneet Talwar
> Unix Administrator
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444

More information about the Kerberos mailing list