Password incorrect while getting initial credentials using keytab on Solaris with AD

Douglas E. Engert deengert at anl.gov
Tue Mar 25 11:33:04 EDT 2008



PS wrote:
> On Mar 25, 12:00 pm, "Douglas E. Engert" <deeng... at anl.gov> wrote:
>> Your problem might be a bad version of ktpass.
>> See http://support.microsoft.com/kb/919557
> 
> That could be the case.
> 
> But what about the fact mentioned that I created a keytab using ktutil
> addent as shown on the Solaris box, supplying the password, and I
> still get the same result? 

The key is a function of the password and the salt. With DES the
password is concatenated with the salt which is usually the concatenation
of the realm and components of the principal name.

Since an AD account has only one password, but can have a UPN and SPNs,
the salt is based on the samAccountName.

So when you used the ktutil, it assumed a salt based on the principal.

> But when I kinit with this same password I get the ticket?

Part of the pre-auth protocol is for the KDC to send the salt
to the kinit client. Kinit then combines the password and the KDC's
salt to generate the key.

If you want to see the KDC's salt, you can use a network trace
program like wireshark.

If you are going to have a lot of unix services or hosts, you might want to
google for msktutil. This uses OpenLDAP and Kerberos on Unix to create and
update keytab files.



-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
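The point above (same password, different salt, different key) as an added example that is not part of the thread. It uses the PBKDF2 step of the RFC 3962 AES string-to-key function rather than the DES one the mail mentions, since that runs with only the Python standard library; the final DK() step is omitted because it is a deterministic function of this output, so a mismatch here is a mismatch in the final key. The principal, password and the KDC-side salt are constructed values.

```python
import hashlib

def default_salt(principal: str) -> str:
    """RFC 4120 default salt: the realm followed by the principal name
    components in order, with no separators. This is what a local
    ktutil addent assumes when no salt is given, e.g.
    host/box.example.com@EXAMPLE.COM -> EXAMPLE.COMhostbox.example.com"""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))

def string_to_key(password: str, salt: str,
                  iterations: int = 4096, key_len: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA1 over password and salt, the first step of the
    RFC 3962 AES string-to-key function (4096 is the RFC default
    iteration count). The AES-based DK() step that follows in the RFC
    is left out; it would not turn two different inputs into one key."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, key_len)

def keytab_matches_kdc(password: str, principal: str, kdc_salt: str) -> bool:
    """Replays the failure from the thread: the keytab entry is derived
    locally with the principal-based default salt, while the KDC derives
    its key (and the salt it sends during pre-auth) from its own rule,
    here passed in as kdc_salt. Both sides use the same password."""
    local_key = string_to_key(password, default_salt(principal))
    kdc_key = string_to_key(password, kdc_salt)
    return local_key == kdc_key

if __name__ == "__main__":
    principal = "host/box.example.com@EXAMPLE.COM"   # constructed
    password = "correct-horse"                        # constructed
    ad_salt = "EXAMPLE.COMsvc-box"                    # constructed: AD-style,
                                                      # account-name based
    print("default salt:", default_salt(principal))
    print("keytab with default salt matches KDC:",
          keytab_matches_kdc(password, principal, ad_salt))
    print("keytab with the KDC's own salt matches KDC:",
          keytab_matches_kdc(password, principal, ad_salt)
          or string_to_key(password, ad_salt) == string_to_key(password, ad_salt))
```

Because kinit learns the salt from the KDC's pre-auth reply while ktutil addent does not, a password that works for kinit can still produce a keytab whose key the KDC never issued tickets for.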


