GSSAPI on Linux using Windows AD Servers as KDCs - Errors about Keytab Entries

Jason D. McCormick jason at devrandom.org
Sun Jan 6 23:05:13 EST 2008


Douglas E. Engert wrote:

> Richard Silverman asked how did you add the principals to AD?
> If you used the same AD account for both principals, they will use the
> same password to generate the key, and will use the same kvno.
> 
> Thus your first problem might be the kvno is not found in the keytab.

The keys are both kvno=3 on the AD-side and in the client's keytab.

> Are 55 and 59 the length of the message as seen by strace or an error code?

Oh.... yeah. :)

> I assume you ran the gss-server as root, so it could access /etc/krb5.keytab

Yes.  Strace shows the gss-server process being able to open the keytab
file.

> The use of a single AD account for two principals with the same password
> is a difference.

Each Kerberos keytab entry has a 1:1 match with an AD user.  Or are you
pointing out I'm supposed to be doing something different?

Thanks.

- Jason


