Can't make the keytab work

Stian Selnes stianse at gmail.com
Mon Jun 27 12:42:32 EDT 2005


Hi,

I'm trying to logon using kerberos and telnet between to linux
machinges. The host has address asterisk.tsip.lab. I'm using Microsoft
Live Communication Server 2005 as KDC. The problem is this (I followed
the steps at this site:
http://www.cromwell-intl.com/unix/kerberos.html ):

I let ktpass.exe generate a keytab for me:
ktpass -princ host/xxx.yyy.com at YYY.COM -mapuser xxx.yyy.com -pass zzz
-out temp.keytab

I transfered this keytab over to the host and used ktutil to add the
keytab to the file /etc/krb5.keytab. It seems to me like this process
has worked because when I now use ktutil I get:

# ktutil:  rkt /etc/krb5.keytab
# ktutil:  l -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3          host/xxx.yyy.com at YYY.COM (DES cbc mode with RSA-MD5)

And here come's the problem. When I type:

# kinit -5 -k -t /etc/krb5.keytab xxx.yyy.com

to verify that I can get credentials using the keytab, nothing
happens. Well, actually, I can see from Ethereal that I'm sending an
AS-REQ to KDC, and get a KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED in
return. And then nothing happens. Even no error messages.

If i try to get a credential not using the keytab:

# kinit xxx.yyy.com
Password for xxx.yyy.com at YYY.COM:

everything works fine, and i can use kerberos and telnet from the
second computer to log on to xxx.yyy.com. Therefore, it must be
something wrong with the keytab or the way I'm trying verify it?
Anybody got some tips, please?

Here's my krb5.conf file:

[libdefaults]
 default_realm = YYY.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 default_tkt_enctypes = des-cbc-md5
 default_tgs_enctypes = des-cbc-md5

[realms]
 YYY.COM = {
  kdc = lcs2005.yyy.com:88
  kpasswd_server = lcs2005.yyy.com:464
 }

[domain_realm]
 .yyy.com = YYY.COM
 yyy.com = YYY.COM



More information about the Kerberos mailing list