kinit request on keytab fails using 2K3sp1 KDC

Douglas E. Engert deengert at anl.gov
Thu Mar 23 15:20:53 EST 2006 


david telfer wrote:

> On 3/23/06, Douglas E. Engert <deengert at anl.gov> wrote:
> 
>>They could look at the userAccountControl field of the account which shows
>>an an integer. Convert it to hex and look for the DesOnly bit0x200000
>>See http://support.microsoft.com/default.aspx?scid=kb;en-us;305144
>>
>>You as a user might be able to see this as well using ldap or one of the
>>Windows tools.
>>
> 
> 
> I have ldap access to the DC and have checked this,  the
> userAccountControl field has a decimal value of 2163200 (0x210200). 
> The USE_DES_KEY_ONLY bit is definitely set which causes me quite a bit
> of confusion!
> 
> To make sure I wasn't making any silly mistakes I cleared all krb
> caches for all users on my Solaris box and started again.  I ran kinit
> on HTTP/then checked the encryption type
> with klist -e.  It is still RC4.
> 
> One thing that has caught my attention is the changing kvno numbers. 
> They match between the keytab and the Service principal which is as
> required, however I have deleted the user account then recreated it.
> 
> The kvno values are still going up sequentially indicating that the
> kdc is aware of the previous service principals.  



You can do ldapsearchs for dnshostanme=connect.smg.plc.uk
whihc should show all records asociated with this dnsname.
(I know msktutil will set this, not sure if ktpass will.)

and search for combinations of servicePrincipalName= or userPrincipalName=
HTTP/connect.smg.plc.uk or HTTP/connect.smg.plc.uk at SMG.PLC.UK


> Is it possible that
> the enctype of the initial principal is being maintained even though
> the system account has been deleted?   

It could be the service principal in on a different account then you
thought!

I believe once ktpass did the mapuser the first time, it will continue
to use this same account, but give you the warning message.
The admin might have to use the setspn -D to get rid of the spn mapping,
or the account.

And there are replication timing issues between DCs. This may take a few
minutes for any change or delete to propagate.


> Is there any way to delete the
> service principal when deleting the system account 

I have always seen the SPN deleted when the account was deleted.

(possibly with
> setspn -D, although I can't seem to find the principal using this
> utility)?

With setspn -L computername
the computername is the cn of the account which would be the account
name. i.e. the same name used in the ktpass -mapuser xxxx

Try the setspn -L xxxx

> 
> p.s. sorry for the change in email address, I am unable to access my
> office e-mail from home at present.
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list