Problems with windows 2003 KDC and MIT kerberos
Douglas E. Engert
deengert at anl.gov
Thu Jul 29 16:53:18 EDT 2004
kdkirmse wrote:
>
> I have been having problems with getting a keytab file on a windows
> 2000 client running the MIT Kerberos utilities to interface properly
> with a windows 2003 KDC. I had the same client working correctly when
> the KDC was a windows 2000 server.
>
> The command "kinit rdop at INFRASTOR.US" works correctly but when I
> attempt to use "kinit -k" I get the following error message
>

Should this be:

  kinit -k -t "<some file name>" rdop at INFRASTOR.US

A keytab can have many entries, and you should specify the
principal you want to use.

Normally the default keytab would be used for the machine, not for
a user; users don't normally have a keytab. If you as a user
insist on having a keytab, each user should have their own.

> kinit(v5): Cannot find KDC for requested realm while getting initial
> credentials
>
> My krb5.ini file is as follows
>
> [libdefaults]
> ticket_lifetime = 600
> default_realm = INFRASTOR.US
> default_keytab_name = C:/WINNT/krb5.keytab
> default_etypes = des-cbc-crc
> default_etypes_des = des-cbc-crc

Windows 2003 will use des-cbc-md5 rather than des-cbc-crc and it
will use key version numbers (kvno) correctly too.
You may want to update these:

  default_tkt_enctypes = des-cbc-crc,des-cbc-md5
  default_tgs_enctypes = des-cbc-crc,des-cbc-md5

or remove these as the MIT 1.3.x releases support all the Windows enctypes.

>
> [realms]
> INFRASTOR.US = {
> kdc = 192.168.0.3
> admin_server = 192.168.0.3
> }
>
> [domain_realm]
> .infrastor.us = INFRASTOR.US
> infrastor.us = INFRASTOR.US
>
> "klist -k -t -K" gives the following results.
>
> Keytab name: FILE:C:/WINNT/krb5.keytab
> KVNO Timestamp Principal
> ---- ----------------- ----------------------------------------
> 3 07/28/04 17:52:06 rdop at INFRASTOR.US (0x158cefb5d56d5eab)
>

Change your password and update your keyfile, as you have just given
away the secret key!

> This problem is frustrating because I had the system working correctly
> prior to upgrading the KDC to a windows 2003 machine. I need some
> suggestions on where to look next.
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
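
Added example, not part of the original message and not MIT Kerberos code: a reader for the MIT keytab file format (version 0x0502) that lists each entry's principal, kvno and enctype while skipping the key bytes, so the listing can be compared against what the KDC issues and shared without exposing a key. The principals, realm, zero-filled keys and the `build_entry` helper are constructed for illustration.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}  # IANA enctype numbers (subset)

def parse_keytab(data):
    """Return (principal, kvno, enctype) per entry; key bytes are never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative length marks a deleted slot
            pos += -size
            continue
        rec, pos, off = data[pos:pos + size], pos + size, 0
        def take(fmt):                     # read one big-endian field
            nonlocal off
            (v,) = struct.unpack_from(fmt, rec, off)
            off += struct.calcsize(fmt)
            return v
        def counted():                     # 16-bit length, then that many bytes
            nonlocal off
            n = take(">H")
            off += n
            return rec[off - n:off]
        ncomp = take(">H")
        realm = counted().decode()
        name = "/".join(counted().decode() for _ in range(ncomp))
        take(">I"); take(">I")             # name type, timestamp
        kvno, etype = take(">B"), take(">H")
        counted()                          # key bytes: skipped on purpose
        if size - off >= 4 and (kvno32 := take(">I")):
            kvno = kvno32                  # trailing 32-bit kvno overrides the 8-bit one
        out.append((f"{name}@{realm}", kvno, ENCTYPES.get(etype, f"etype-{etype}")))
    return out

def build_entry(name, realm, kvno, etype, key):   # builds constructed sample data
    s = lambda b: struct.pack(">H", len(b)) + b
    comps = name.encode().split(b"/")
    body = (struct.pack(">H", len(comps)) + s(realm.encode()) + b"".join(map(s, comps))
            + struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + s(key) + struct.pack(">I", kvno))
    return struct.pack(">i", len(body)) + body

# Constructed keytab: hypothetical principals, zero-filled keys, one deleted slot.
SAMPLE = (b"\x05\x02" + build_entry("user1", "EXAMPLE.TEST", 3, 1, bytes(8))
          + struct.pack(">i", -6) + bytes(6) + build_entry("user1", "EXAMPLE.TEST", 300, 3, bytes(8))
          + build_entry("host/app.example.test", "EXAMPLE.TEST", 2, 23, bytes(16)))
```

With the MIT tools, `klist -k -e` prints the same principal, kvno and enctype columns; it is the `-K` option that adds the key value to the listing.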