generating keytab problem
Douglas E. Engert
deengert at anl.gov
Thu Jun 10 21:00:38 EDT 2004
Akbar Lin wrote:
> I don't know whether this is the right place I should ask for help.
> I have a problem for generating the keytab file from Windows 2003 AD. This
> keytab will be used by Apache web server for the authentication (with
> I've done the same thing with Windows 2000 AD and it works perfectly.
> Are there any differences between Windows 2000 and 2003 AD for generating the
> keytab ?
You did not say how you did this, as you could have used the ktpass command
to update AD and generate a keytab, or you could have used ktpass to
update AD, then used kt_util to add an entry to the keytab.

But here are some possibilities:

2003 will use the key version number, kvno, and it may not be 1.
(You can use the MIT kvno command to see what is set in AD.)

2003 may use des-cbc-md5 whereas 2000 used des-cbc-crc.
(See the notes from Jeff and myself yesterday and today ... Oh that was on
openafs-info at openafs.org list.)

So if you are converting from 2000 to 2003 ADs you may have to have
multiple entries in the keytab files, with the correct enctypes and kvnos
so the service can respond to a 2000 or 2003 generated ticket.
> Any suggestions on how to solve this problem or where I can find more
> information will be highly appreciated.
> Many thanks in advance.
> Akbar Lin
> Kerberos mailing list Kerberos at mit.edu
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
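
Added example (not part of the original thread): a check that a keytab holds an entry for each kvno and enctype a ticket may arrive with, as described in the reply above. It assumes the MIT keytab file format version 0x0502; the principal, the dummy keys and all function names are constructed for illustration.

```python
import struct

def _cstr(b):
    return struct.pack(">H", len(b)) + b

def _take(data, p):
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n], p + 2 + n

def build_entry(principal, kvno, enctype, key):
    """Pack one format-0x0502 keytab entry (used here only to build the sample)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + b"".join(_cstr(s.encode()) for s in [realm] + comps)
    # name type, timestamp, 8-bit kvno, enctype, key, then the optional 32-bit kvno
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + _cstr(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return (principal, kvno, enctype) per live entry; 1 = des-cbc-crc, 3 = des-cbc-md5."""
    if data[:2] != b"\x05\x02":
        raise ValueError("expected keytab format version 0x0502")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                     # negative length marks a deleted slot
            pos += -size
            continue
        p, pos = pos, pos + size          # p walks this entry, pos jumps to the next
        (ncomp,) = struct.unpack_from(">H", data, p)
        realm, p = _take(data, p + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _take(data, p)
            comps.append(comp.decode())
        kvno, etype = struct.unpack_from(">BH", data, p + 8)  # skip name type, timestamp
        _key, p = _take(data, p + 11)
        if pos - p >= 4:                  # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        out.append(("/".join(comps) + "@" + realm.decode(), kvno, etype))
    return out

def missing_keys(entries, principal, wanted):
    """Return the (kvno, enctype) pairs in `wanted` that the keytab cannot serve."""
    have = {(k, e) for name, k, e in entries if name == principal}
    return [pair for pair in wanted if pair not in have]

SPN = "HTTP/www.example.com@EXAMPLE.COM"  # constructed principal; keys below are dummies
SAMPLE = b"\x05\x02" + build_entry(SPN, 1, 1, b"\x00" * 8) + build_entry(SPN, 3, 3, b"\x11" * 8)
```

Calling `missing_keys(parse_keytab(SAMPLE), SPN, [(3, 1)])` reports the pair as missing: the sample holds kvno 3 only as des-cbc-md5, so a ticket encrypted with des-cbc-crc at that kvno could not be decrypted.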