Creating a keytab with ktpass under a Computer account
shamgar331@gmail.com
Wed May 24 17:17:52 EDT 2006
Markus Moeller wrote:
> As I have seen in the past people asking about how to create a keytab with a
> Computer account I put some details together:
>
> 4) Secondly I run ktpass /out testPrincipal.keytab /mapuser
> testPRINCIPAL$@WINDOWS2003.HOME /princ TESTSPN/FQDN at WINDOWS2003.HOME /crypto
> RC4-HMAC-NT /rndpass /ptype KRB5_NT_PRINCIPAL
> 4) I tested the keytab with kfw 3.0
> c:\Program Files\MIT\Kerberos\bin\kinit.exe -kt testPrincipal.keytab
> TESTSPN/FQDN at WINDOWS2003.HOME
> c:\Program Files\MIT\Kerberos\bin\klist.exe -e
First thank you for this post. It was a big help in getting me as far
as I am. However, for some reason I am unable to get this final step
to work. I created it with a computer account as you indicated, and
was able to successfully create ktpass files. I then copy them over to
the appropriate server and I can klist the keytab:
# klist -Kek
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
7 host/testsrv.corp.dc at CORP.DC (ArcFour with HMAC/md5) (0x68df3e78ac80ad80417213d837e2f17b)
I then try the kinit command you used:
# kinit -kt /etc/krb5.conf host/testsrv.corp.dc at CORP.DC
kinit(v5): Client not found in Kerberos database while getting initial credentials
The local box hostname matches this output, as does the reverse lookup.
/etc/hosts has:
127.0.0.1 localhost.localdomain localhost
10.0.0.30 testsrv.corp.dc testsrv
In addition I have tried using ssh, with GSSAPI configured:
debug1: Authentications that can continue:
publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Miscellaneous failure
Server not found in Kerberos database
debug1: Trying to start again
[on the server]
Postponed gssapi-with-mic for testuser from ::ffff:10.0.0.100 port 57857 ssh2
debug1: userauth-request for user testuser service ssh-connection method gssapi-with-mic
debug1: attempt 2 failures 1
Failed gssapi-with-mic for testuser from ::ffff:10.0.0.100 port 57857 ssh2
I have tried using both KRB5_NT_PRINCIPAL and KRB5_NT_SRV_HST, to no
avail. I also tried switching to using user accounts instead of
computer accounts, but that doesn't work either.
The server I'm working with can talk to the KDC. I have successfully
obtained a TGT locally via kinit for my user account. If anyone has
some suggestions, I would greatly appreciate it.
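As an added example for readers following this thread (not part of the original post or of MIT Kerberos), a small POSIX sh helper that checks the two things the kinit -kt step above depends on: that the path handed to -kt is really a keytab file, and that the keytab holds a host/<fqdn>@<REALM> entry for the box being tested. The klist output embedded below is constructed to match the format quoted in the thread; the function names are mine.

```shell
#!/bin/sh
# Pre-flight checks for a host keytab before running "kinit -kt".
# Added example, not from the original post. Assumes MIT klist output
# in the "KVNO Principal" format shown in the thread.

# Return 0 if the file starts with the MIT keytab v2 magic bytes 0x05 0x02.
# A wrong path (a config file, an empty file) fails this check.
is_keytab_file() {
    [ -r "$1" ] || return 1
    magic=$(od -An -tx1 -N2 "$1" | tr -d ' \n')
    [ "$magic" = "0502" ]
}

# Read "klist -k" style output on stdin and print one principal per line,
# skipping the "Keytab name:", "KVNO Principal" and separator lines as
# well as any key-hex lines that klist -K may emit.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /@/ { print $2 }'
}

# Check that host/<fqdn>@<REALM> is present in the klist output on stdin.
# $1 = expected FQDN, $2 = expected realm. Prints the principal and
# returns 0 when found, returns 1 when absent.
has_host_principal() {
    fqdn=$1
    realm=$2
    keytab_principals | grep -Fx "host/${fqdn}@${realm}"
}

# Constructed sample of klist -ke output for the keytab discussed above.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   7 host/testsrv.corp.dc@CORP.DC (ArcFour with HMAC/md5)'

# Typical use on a real box (not run here):
#   is_keytab_file /etc/krb5.keytab || echo "not a keytab"
#   klist -k /etc/krb5.keytab | has_host_principal "$(hostname -f)" CORP.DC
```

If both checks pass and kinit still reports "Client not found", the principal exists in the file but not in the KDC, so the SPN or realm used at ktpass time is the next thing to compare.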