GSSAPI on Linux using Windows AD Servers as KDCs - Errors about Keytab Entries

Jason D. McCormick jason at devrandom.org
Sun Jan 6 23:01:05 EST 2008


Richard E. Silverman wrote:

> A couple of questions:
> 
> 1) What are the tkt and skey types on the tickets the client gets?  The
>    etype of the service credentials?

klist -e reports:

Etype (skey, tkt): DES cbc mode with RSA-MD5, ArcFour with HMAC/md5

for the TGT.  The keytab lists the key type as "DES cbc mode with CRC-32".

> 2) I assume you generated the service keytabs from AD using ktpass.exe?
>    If so, exactly what command did you use?

Yes, I did.  I don't have the exact command handy because getting this
working has been an iterative process.  I definitely set the key type to
be des-cbc-crc with ktpass.  It would have been something like:

ktpass -princ nfs/nfs1.loc1.example.com@AD.EXAMPLE.COM -mapuser
AD\nfs-nfs1 +rndPass -crypto DES-CBC-CRC -out nfs1.keytab

I've also tried it with and without -ptype KRB5_NT_SRV_HST.

- Jason


