kinit request on keytab fails using 2K3sp1 KDC

Tim Alsop Tim.Alsop at CyberSafe.Com
Wed Mar 22 12:19:58 EST 2006 

David,

The easiest solution to this problem is to use the ktpass which was
shipped with Windows 2003, and not the one with SP1.

Alternatively, you can use one of the many tools available that replace
the need for ktpass, and use computer accounts for key storage. These
tools do not suffer from the same issues as ktpass.

It seems that the sp1 version of ktpass stores a key with a specific
kvno in the keytab file, and the kvno in the domain controller for the
same principal is different. This is why you cannot use the keytab file
to authenticate.

Thanks, Tim 

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of David Telfer
Sent: 22 March 2006 17:09
To: kerberos at mit.edu
Subject: kinit request on keytab fails using 2K3sp1 KDC

Hello,

I am testing a keytab obtained from a Windows 2003 Server (sp1) prior to

configuring mod_auth_kerb.  I have used the following command to 
generate a keytab on the KDC;
ktpass -mapuser intsvcuser at smg.plc.uk -princ 
HTTP/connect.smg.plc.uk at SMG.PLC.UK +DesOnly -pass userspassword -ptype 
KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -out "c:\krb5.keytab"

The *nix server is running Solaris 9 with MIT krb5-1.4.3.  I have 
transfered the keytab to /etc/krb5.keytab.  When I run ;
#/usr/local/bin/kinit -k -t /etc/krb5.keytab 
HTTP/connect.smg.plc.uk at SMG.PLC.UK

I get the following error;
kinit(v5): Preauthentication failed while getting initial credentials

I am able to obtain a ticket directly from the kdc using #./kinit 
DavidTelfer at SMG.PLC.UK which would indicate that the problem wasn't a 
clock slew error (I haven't seen an error of this nature appear with 
this version of krb so I'm not sure whether it would explicitly state
this).

 From reading a few mailing list posts I have discovered some people 
having issues with ktpass on service pack 1.  One such post;
http://groups.google.com/group/comp.protocols.kerberos/browse_thread/thr
ead/1c991fa1b6ea4ef8/3da9428688c66d72%233da9428688c66d72
details a similar problem  I have followed the advice given, ensuring 
that the kvno's match and changing the system users password prior to 
generating the keytab but to no avail.

My /etc/krb5.conf file is as follows (I've removed every non-essential 
entry to ensure that it isn't the issue);

[libdefaults]
        default_realm = SMG.PLC.UK
[domain_realm]
        connect.smg.plc.uk = SMG.PLC.UK
[realms]
        SMG.PLC.UK = {
                kdc = pqdomc01.smg.plc.uk
                admin_server = pqdomc01.smg.plc.uk
                default_domain = smg.plc.uk
        }

Has anyone experienced a similar problem to this?  I have to assume 
there is a problem with the keytab but I'm at a loss as to what the 
problem could be.

David Telfer
david at 2fluid.co.uk




________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

More information about the Kerberos mailing list