Creating a keytab with ktpass under a Computer account
Markus Moeller
huaraz at moeller.plus.com
Thu May 25 14:30:22 EDT 2006
You can check with adsiedit.msc if the entry exists by selecting the Domain
tree, right click and select New -> Query. Give the query a name, select a
root, select subtree and type a query like
serviceprincipalname=host/testsrv.corp.dc* . This should show you one and
only one entry corresponding to your computer account. If this is OK check
your Kerberos configuration on the Unix machine. Do you have a realm domain
mapping or do you use DNS records?
BTW, did you use the same ktpass version?
Regards
Markus
<shamgar331 at gmail.com> wrote in message
news:1148505472.389354.288930 at j33g2000cwa.googlegroups.com...
>
> Markus Moeller wrote:
>> As I have seen in the past people asking about how to create a keytab
>> with a
>> Computer account I put some details together:
>>
>> 4) Secondly I run ktpass /out testPrincipal.keytab /mapuser
>> testPRINCIPAL$@WINDOWS2003.HOME /princ TESTSPN/FQDN at WINDOWS2003.HOME
>> /crypto
>> RC4-HMAC-NT /rndpass /ptype KRB5_NT_PRINCIPAL
>
>> 4) I tested the keytab with kfw 3.0
>> c:\Program Files\MIT\Kerberos\bin\kinit.exe -kt testPrincipal.keytab
>> TESTSPN/FQDN at WINDOWS2003.HOME
>> c:\Program Files\MIT\Kerberos\bin\klist.exe -e
>
>
> First thank you for this post. It was a big help in getting me as far
> as I am. However, for some reason I am unable to get this final step
> to work. I created it with a computer account as you indicated, and
> was able to successfully create ktpass files. I then copy them over to
> the appropriate server and I can klist the keytab:
>
> # klist -Kek
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
> 7 host/testsrv.corp.dc at CORP.DC (ArcFour with HMAC/md5)
> (0x68df3e78ac80ad80417213d837e2f17b)
>
> I then try the kinit command you used:
>
> # kinit -kt /etc/krb5.conf host/testsrv.corp.dc at CORP.DC
> kinit(v5): Client not found in Kerberos database while getting initial
> credentials
>
> The local box hostname matches this output, as does the reverse lookup.
> /etc/hosts has:
> 127.0.0.1 localhost.localdomain localhost
> 10.0.0.30 testsrv.corp.dc testsrv
>
> In addition I have tried using ssh, with GSSAPI configured:
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,password
> debug1: Next authentication method: gssapi-with-mic
> debug1: Delegating credentials
> debug1: Miscellaneous failure
> Server not found in Kerberos database
>
> debug1: Trying to start again
>
> [on the server]
> Postponed gssapi-with-mic for testuser from ::ffff:10.0.0.100 port
> 57857 ssh2
> debug1: userauth-request for user testuser service ssh-connection
> method gssapi-with-mic
> debug1: attempt 2 failures 1
> Failed gssapi-with-mic for testuser from ::ffff:10.0.0.100 port 57857
> ssh2
>
> I have tried using both KRB5_NT_PRINCIPAL and KRB5_NT_SRV_HST, to no
> avail. I also tried switching to using user accounts instead of
> computer accounts, but that doesn't work either.
>
> The server I'm working with can talk to the KDC. I have successfully
> obtained a TGT locally via kinit for my user account. If anyone has
> some suggestions, I would greatly appreciate it.
>
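The Unix half of Markus's checklist (does the client derive the same host principal that the keytab holds?) can be scripted. The Python below is added here as an illustration and is not from the thread; it parses a constructed krb5.conf [domain_realm] section and a constructed klist -Kek listing shaped like the one quoted above, and reports whether they agree. The single-SPN check in Active Directory still needs the adsiedit query Markus describes.

```python
import re
# Constructed sample files (not from the thread): a minimal krb5.conf and a klist -Kek listing.
KRB5_CONF = """[libdefaults]
    default_realm = CORP.DC
[domain_realm]
    .corp.dc = CORP.DC
    corp.dc = CORP.DC
"""
KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- -----------------------------------------------------------
   7 host/testsrv.corp.dc@CORP.DC (ArcFour with HMAC/md5) (0x68df3e78ac80ad80417213d837e2f17b)
"""

def parse_domain_realm(conf):
    """Return the [domain_realm] section of a krb5.conf as {domain: REALM}."""
    mapping, section = {}, None
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line.startswith('['):
            section = line.strip('[]')
        elif section == 'domain_realm' and '=' in line:
            dom, realm = (s.strip() for s in line.split('=', 1))
            mapping[dom.lower()] = realm
    return mapping

def realm_for_host(hostname, mapping):
    """Exact host entry first, then parent domains (.corp.dc); None means libkrb5 would fall back to DNS or default_realm."""
    host = hostname.lower().rstrip('.')
    if host in mapping:
        return mapping[host]
    labels = host.split('.')
    for i in range(1, len(labels)):
        realm = mapping.get('.' + '.'.join(labels[i:]))
        if realm:
            return realm
    return None

def keytab_principals(klist_text):
    """Principals listed by klist -Kek (KVNO and enctype columns ignored)."""
    return re.findall(r'^\s*\d+\s+(\S+@\S+)', klist_text, re.M)

def check_host_keytab(hostname, conf, klist_text):
    """Mismatches between the realm mapping and the keytab; [] means they agree."""
    realm = realm_for_host(hostname, parse_domain_realm(conf))
    if realm is None:
        return ['no [domain_realm] entry covers %s' % hostname]
    expected = 'host/%s@%s' % (hostname.lower(), realm)
    found = keytab_principals(klist_text)
    return [] if expected in found else ['keytab has %s, client expects %s' % (found, expected)]
```

Run it against the real /etc/krb5.conf and the output of klist -Kek; a non-empty list points at the realm mapping rather than at the keytab file itself.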