Problems with windows 2003 KDC and MIT kerberos

Douglas E. Engert deengert at anl.gov
Thu Jul 29 16:53:18 EDT 2004


kdkirmse wrote:
> 
> I have been having problems with getting a keytab file on a windows
> 2000 client running the MIT Kerberos utilities to interface properly
> with a windows 2003 KDC. I had the same client working correctly when
> the KDC was a windows 2000 server.
> 
> The command "kinit rdop@INFRASTOR.US" works correctly but when I
> attempt to use  "kinit -k" I get the following error message
> 

Should this be:
 kinit -k -t "<some file name>" rdop@INFRASTOR.US

A keytab can have many entries, and you should specify the
principal you want to use. 

Normally the default keytab would be used for the machine, not for 
a user, users don't normally have a keytab. If you as a user 
insist on having a keytab, each user should have their own.  

> kinit(v5): Cannot find KDC for requested realm while getting initial
> credentials
> 
> My krb5.ini file is as follows
> 
> [libdefaults]
>  ticket_lifetime = 600
>  default_realm = INFRASTOR.US
>  default_keytab_name = C:/WINNT/krb5.keytab
>  default_etypes = des-cbc-crc
>  default_etypes_des = des-cbc-crc

Windows 2003 will use des-cbc-md5 rather than des-cbc-crc and it
will use key version numbers (kvno) correctly too.

You may want to update these: 
  default_tkt_enctypes = des-cbc-crc,des-cbc-md5
  default_tgs_enctypes = des-cbc-crc,des-cbc-md5
or remove these as the MIT 1.3.x releases support all the Windows enctypes.


> 
> [realms]
>  INFRASTOR.US = {
>   kdc = 192.168.0.3
>   admin_server = 192.168.0.3
>  }
> 
> [domain_realm]
>  .infrastor.us = INFRASTOR.US
>   infrastor.us = INFRASTOR.US
> 
> "klist -k -t -K" gives the following results.
> 
> Keytab name: FILE:C:/WINNT/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- ----------------------------------------
>    3 07/28/04 17:52:06 rdop@INFRASTOR.US (0x158cefb5d56d5eab)
> 

Change your password and update your keyfile, as you have just given
away the secret key!

> This problem is frustrating because I had the system working correctly
> prior to upgrading the KDC to a windows 2003 machine. I need some
> suggestions on where to look next.
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444

