More Kerberos Issues

Douglas E. Engert deengert at anl.gov
Fri Jan 7 16:03:07 EST 2005



Markus Moeller wrote:

> Tyson,
> 
> you might need to add -desonly to your ktpass line.
> 
> Regards
> Markus
> 
> 
> "Tyson Oswald" <oswaldt at ameritech.net> wrote in message 
> news:20050107180150.27233.qmail at web81502.mail.yahoo.com...
> 
>>I created a keytab with ktpass on Win 2003 for my SEAM client. I imported it 
>>into the /etc/krb5/krb5.conf 

That's the wrong file. The krb5.conf is the configure file. The keyfile
would be /etc/krb5/krb5.keytab, I believe. Better check the Sun docs.


>>and when I try and authenticate through SSH
>>I get the following error in my messages
>>
>>PAM-KRB5 (auth): end: Authentication failed
>>PAM-KRB5 (auth): pam_sm_authenticate flags=1
>>PAM-KRB5 (auth): attempt_krb5_auth: start: user='cbrown'
>>PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: 
>>SUCCESS
>>PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found
>>PAM-KRB5 (auth): clearing initcreds in pam_authenticate()
>>PAM-KRB5 (auth): attempt_krb5_auth returning 9
>>
>>my ktpass line looks similar to this
>>
>>ktpass -princ host/snoopy at peanuts.com@PEANUTS.COM -mapuser AD\SNOOPY -pass 

The principal looks wrong. It should be host/snoopy.peanuts.com@PEANUTS.COM
It's host/<FQDN>@<REALM>. I assume that the FQDN of the host is snoopy.peanuts.com

Not sure if the AD\SNOOPY is correct; there must be an account for this
in the peanuts.com AD domain.

And as Markus says, add -desonly until SEAM can support RC4.

>>"password" -crypto des-cbc-MD5 -out snoopy.keytab
>>
>>Does anyone know what I am doing wrong?
>>
>>thanks,
>>Tyson
>>________________________________________________
>>Kerberos mailing list           Kerberos at mit.edu
>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
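
A keytab check for the "Key table entry not found" failure discussed in this message, added here as an example and not code from the thread: it validates a principal against host/<FQDN>@<REALM> and looks for that entry, with a DES key, in a keytab listing. The listing is a constructed sample in the style of MIT `klist -k -e` (the exact SEAM output format is an assumption), and the function names and DES-only set are hypothetical.

```python
import re

# Constructed sample in the style of MIT `klist -k -e` output (not from the thread).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 host/snoopy@PEANUTS.COM (arcfour-hmac)
   3 HTTP/snoopy.peanuts.com@PEANUTS.COM (des-cbc-md5)
"""
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")
DES_ONLY = {"des-cbc-md5", "des-cbc-crc"}  # assumption: all the client supports


def principal_problems(principal):
    """List the ways `principal` deviates from host/<FQDN>@<REALM>."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        return ["no @<REALM> suffix"]
    problems = []
    service, slash, host = name.partition("/")
    if service != "host" or not slash:
        problems.append("service component is not 'host'")
    if "@" in host or "." not in host:
        problems.append("host component is not a dotted FQDN")
    if realm != realm.upper():  # AD realm names are the upper-cased domain name
        problems.append("realm is not upper case")
    return problems


def diagnose_keytab(klist_text, fqdn, realm, enctypes=DES_ONLY):
    """Explain why verification against this keytab listing would fail."""
    want = f"host/{fqdn}@{realm}"
    entries = [m.groups() for m in map(ENTRY.match, klist_text.splitlines()) if m]
    ours = [(kvno, enc) for kvno, princ, enc in entries if princ == want]
    if not ours:
        seen = sorted({p for _, p, _ in entries if p.startswith("host/")})
        return [f"no entry for {want}; host entries present: {seen}"]
    if not any(enc in enctypes for _, enc in ours):
        return [f"{want} has no key with a supported enctype: "
                f"{sorted({enc for _, enc in ours})}"]
    return []


if __name__ == "__main__":
    print(principal_problems("host/snoopy@peanuts.com@PEANUTS.COM"))
    for finding in diagnose_keytab(SAMPLE_KLIST, "snoopy.peanuts.com", "PEANUTS.COM"):
        print(finding)
```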

