Write a keytab?

Russ Allbery rra at stanford.edu
Mon Apr 10 23:40:51 EDT 2006


"Booker C Bense" <bbense at stanford.edu> writes:
> On Apr 10, 2006, at 3:38 PM, Booker C. Bense wrote:

>> I'm pulling my hair out over this. Is there any Kerberos utility
>> that will write a valid k5 keytab given either a password or
>> a key, enctype and principal?

>> Neither Heimdal's ktutil add nor MIT's ktutil addent seem to
>> write valid keytab files. If you use the list option you
>> seem to get valid results, but attempting to use the keytab
>> to either kinit or use Heimdal's ktutil change options results
>> in errors that look like parsing ones.

>> Ktutil and kinit from Heimdal claim they can't find the host
>> entry in the keytab and MIT's kinit claims that it can't contact
>> the KDC listed for the principal.

>> Alternatively, is there a documented format for the keytab file
>> anywhere? Other than the source code in kt_file.c?

> For the curious and the archives, I solved the problem by using
> a different enctype. I'm not sure why this fixed the problem, but
> it did.

This is a pure shot in the dark, but I've discovered that Heimdal can
apparently read keytabs with des-cbc-crc keys in them but cannot actually
use them for any operation that involves iterating through the keytab (as
opposed to matching an existing known key with something in the keytab,
which is what's done for verification of remote authenticators) unless you
explicitly list des-cbc-crc in default_etypes.

I don't have any good explanation for this behavior, and I'm not sure what
versions of Heimdal it applies to, but I ran into it with a 0.7 release.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
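
Added example, not part of the original message or of either Kerberos implementation: a minimal reader for version 0x0502 keytab files that lists each entry's principal, kvno and enctype, so entries with des-cbc-crc keys like those discussed above can be spotted. The principal, realm and all-zero keys in the sample are constructed placeholders.

```python
import struct

# Subset of the assigned Kerberos enctype numbers.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "arcfour-hmac",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

def _counted(buf, off):
    """Read a 16-bit big-endian length, then that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return (principal, kvno, enctype, key length) per entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # negative length: deleted slot, skip it
            off -= size
            continue
        if size == 0:                     # zero length: no further entries
            break
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = _counted(data, off + 2)
        parts = []
        for _ in range(ncomp):
            part, p = _counted(data, p)
            parts.append(part.decode())
        _ntype, _stamp, kvno, etype = struct.unpack_from(">IIBH", data, p)
        key, p = _counted(data, p + 11)
        if end - p >= 4:                  # optional trailing 32-bit kvno
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        name = "/".join(parts) + "@" + realm.decode()
        out.append((name, kvno, ENCTYPES.get(etype, str(etype)), len(key)))
        off = end
    return out

def _entry(parts, realm, kvno, etype, key):
    """Build one entry; used only to construct the sample below."""
    s = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(parts)) + s(realm) + b"".join(s(c) for c in parts)
    body += struct.pack(">IIBH", 1, 0, kvno, etype) + s(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: hypothetical principal, all-zero placeholder keys.
SAMPLE = b"\x05\x02" + b"".join(_entry([b"host", b"a.example.org"], b"EXAMPLE.ORG", 2, e, bytes(n))
                                for e, n in ((1, 8), (18, 32)))
```

Calling `parse_keytab(open(path, "rb").read())` on a real file gives the enctypes to compare against what the client configuration permits.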


