Windows 2003 KDC: Problem with ktpass

youpski youpski at hotmail.com
Fri Sep 3 05:28:46 EDT 2004


DsCracknames usually means that the account cannot be found.
Looking at your syntax you are trying to map a computer account. If
so, you need to add a dollar sign "$" for Windows. Here is an example
of a syntax that works:

KTPASS -princ host/unixhost1.w2k3.domain.int@W2K3.DOMAIN.INT -mapuser
UNIXHOST1$ -pass Password1234 +Answer -out unixhost1-host.tab -crypto
DES-CBC-MD5 -kvno 4 /Target dc01.w2k3.domain.int

Also look at the kvno. This is different in w2k3 as opposed to w2k. In
w2k the kvno was always 1. In w2k3 the key version number can be
different. Every time you reset the password on the account in AD, the
kvno is raised by 1. So before you run KTPASS read out the current
kvno (using ADSI or LDAP). The attribute is "msDS-KeyVersionNumber".
Also, use MD5 instead of CRC. W2K3 default does not support CRC.

succes
Y



FrankSTaylor at gmail.com (Frank Taylor) wrote in message news:<a6732995.0409020736.10dcf8bc at posting.google.com>...
> Jeremy mentioned the solution above: you need to specify the user's
> domain in the mapUser argument.
> 
> The following is an entry from our knowledge base on this problem:
> 
> ------------------------------------------------------------------
> 
> Symptom
> 
> When using ktpass.exe on a Windows Server 2003 domain controller to
> map a service principal, such as ktpass.exe -princ
> wts/server.domain.int@DOMAIN.INT -mapuser wts.server, ktpass.exe
> returns the error message:
> 
> DSCrackNames returned 0x2 in the name entry for wts.server
> 
> Explanation
> 
> 0x2 is the Windows NT hex code for 'not found'. ktpass has been unable
> to locate the user you specified.
> 
> Causes
> 
> ktpass needs more info
> 
> You need to specify the user more fully, by prefacing the user name
> with the domain name:
> 
>     ktpass.exe -princ wts/server.domain.int@DOMAIN.INT -mapuser DOMAIN\wts.server
> 
> where DOMAIN is the NetBIOS version of the AD domain.
> 
> ------------------------------------------------------------------
> 
> Thanks,
> 
> Frank.

