kinit request on keytab fails using 2K3sp1 KDC
David Telfer
david at 2fluid.co.uk
Wed Mar 22 12:08:47 EST 2006
Hello,
I am testing a keytab obtained from a Windows 2003 Server (sp1) prior to
configuring mod_auth_kerb. I have used the following command to
generate a keytab on the KDC;
ktpass -mapuser intsvcuser@smg.plc.uk -princ HTTP/connect.smg.plc.uk@SMG.PLC.UK +DesOnly -pass userspassword -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -out "c:\krb5.keytab"
The *nix server is running Solaris 9 with MIT krb5-1.4.3. I have
transferred the keytab to /etc/krb5.keytab. When I run;
#/usr/local/bin/kinit -k -t /etc/krb5.keytab HTTP/connect.smg.plc.uk@SMG.PLC.UK
I get the following error;
kinit(v5): Preauthentication failed while getting initial credentials
I am able to obtain a ticket directly from the kdc using #./kinit
DavidTelfer@SMG.PLC.UK which would indicate that the problem wasn't a
clock slew error (I haven't seen an error of this nature appear with
this version of krb so I'm not sure whether it would explicitly state this).
From reading a few mailing list posts I have discovered some people
having issues with ktpass on service pack 1. One such post;
http://groups.google.com/group/comp.protocols.kerberos/browse_thread/thread/1c991fa1b6ea4ef8/3da9428688c66d72%233da9428688c66d72
details a similar problem. I have followed the advice given, ensuring
that the kvnos match and changing the system user's password prior to
generating the keytab, but to no avail.
My /etc/krb5.conf file is as follows (I've removed every non-essential
entry to ensure that it isn't the issue);
[libdefaults]
    default_realm = SMG.PLC.UK

[domain_realm]
    connect.smg.plc.uk = SMG.PLC.UK

[realms]
    SMG.PLC.UK = {
        kdc = pqdomc01.smg.plc.uk
        admin_server = pqdomc01.smg.plc.uk
        default_domain = smg.plc.uk
    }
Has anyone experienced a similar problem to this? I have to assume
there is a problem with the keytab but I'm at a loss as to what the
problem could be.
David Telfer
david at 2fluid.co.uk
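
The post mentions checking that the kvnos match and generating the keytab with DES-CBC-MD5. As an added example (not part of the original post), this parser for the MIT keytab file format version 0x0502 lists the principal, kvno and encryption type stored in each entry so they can be compared with what the KDC holds. The sample keytab is constructed, with an assumed kvno of 3 and an all-zero placeholder key.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}  # subset of enctype numbers

def _counted(buf, p):
    """Read a 16-bit big-endian length, then that many bytes; return (text, next offset)."""
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n].decode("utf-8", "replace"), p + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype name)] for a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos -= size
            continue
        entry, pos = data[pos:pos + size], pos + size
        if len(entry) < size:
            raise ValueError("truncated entry")
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, p = _counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(entry, p)
            comps.append(c)
        # name type (4), timestamp (4), 8-bit kvno (1), enctype (2), key length (2)
        _ntype, _ts, kvno, etype, klen = struct.unpack_from(">IIBHH", entry, p)
        p += 13 + klen
        if p > len(entry):
            raise ValueError("key runs past end of entry")
        if len(entry) - p >= 4:            # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", entry, p)[0] or kvno
        out.append(("/".join(comps) + "@" + realm, kvno, ENCTYPES.get(etype, str(etype))))
    return out

def sample_keytab(kvno=3):
    """Constructed sample: one des-cbc-md5 entry, assumed kvno, all-zero placeholder key."""
    cs = lambda s: struct.pack(">H", len(s)) + s
    body = (struct.pack(">H", 2) + cs(b"SMG.PLC.UK") + cs(b"HTTP") + cs(b"connect.smg.plc.uk")
            + struct.pack(">IIBHH", 1, 0, kvno, 3, 8) + bytes(8))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

if __name__ == "__main__":
    print(parse_keytab(sample_keytab()))
```

To inspect a real file, pass `open(path, "rb").read()` to `parse_keytab`; `klist -k -e` from MIT Kerberos reports the same fields.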