Password incorrect while getting initial credentials using keytab on Solaris with AD

PS pseely at gmail.com
Tue Mar 25 14:51:02 EDT 2008


On Mar 25, 12:33 pm, "Douglas E. Engert" <deeng... at anl.gov> wrote:
> PS wrote:
> > On Mar 25, 12:00 pm, "Douglas E. Engert" <deeng... at anl.gov> wrote:
> >> Your problem might be a bad version of ktpass.
> >> See http://support.microsoft.com/kb/919557
>
> > That could be the case.
>
> > But what about the fact mentioned that I created a keytab using ktutil
> > addent as shown on the Solaris box, supplying the password, and I
> > still get the same result?
>
> The key is a function of the password and the salt. With DES the
> password is concatenated with the salt which is usually the concatenation
> of the realm and components of the principal name.
>
> Since an AD account has only one password, but can have a UPN and SPNs,
> the salt is based on the samAccountName.
>
> So when you used the ktutil, it assumed a salt based on the principal.
>
> > But when I kinit with this same password I get the ticket?
>
> Part of the pre-auth protocol is for the KDC to send the salt
> to the kinit client. Kinit then combines the password and the KDC's
> salt to generate the key.
>
> If you want to see the KDC's salt, you can use a network trace
> program like wireshark.
>
> If you are going to have a lot of unix services or hosts, you might want to
> google for msktutil. This uses OpenLDAP and Kerberos on Unix to create and
> update keytab files.
>
> > ________________________________________________
> > Kerberos mailing list           Kerbe... at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
> --
>
>   Douglas E. Engert  <DEEng... at anl.gov>
>   Argonne National Laboratory
>   9700 South Cass Avenue
>   Argonne, Illinois  60439
>   (630) 252-5444

Hi,

I had to download and build Cyrus SASL, and consequently rebuild
OpenLDAP, but I have a working msktutil (it seems).

I tried to use the command as follows, with the result.  Any ideas if
I am doing something wrong here?

 msktutil --verbose --create --hostname fc650dr.fc.fujitsu.com --server dc.corp.fc.local
 -- get_default_keytab: Obtaining the default keytab name: /etc/krb5.keytab
 -- get_default_ou: Determining default OU: CN=Computers
 -- init_password: Wiping the computer password structure
 -- finalize_exec: Determining user principal name
 -- finalize_exec: User Principal Name is: host/fc650dr.fc.fujitsu.com@CORP.FC.LOCAL
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.mskt-9661krb5.conf
 -- get_krb5_context: Creating Kerberos Context
 -- try_machine_keytab: Using the local credential cache: /tmp/.mskt-9661krb5_ccache
 -- try_machine_keytab: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab: Unable to authenticate using the local keytab
 -- try_ldap_connect: Connecting to LDAP server: dc.corp.fc.local
 -- try_ldap_connect: Connecting to LDAP server: dc.corp.fc.local
SASL/EXTERNAL authentication started
Error: ldap_set_option failed (Unknown authentication method)
Error: ldap_connect failed
 -- krb5_cleanup: Destroying Kerberos Context
 -- ldap_cleanup: Disconnecting from LDAP server
 -- init_password: Wiping the computer password structure
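The salt point raised in the quoted reply (the key is a function of password and salt, and a keytab built with ktutil's assumed salt will not match a key the KDC derived with AD's salt) can be checked numerically. The following is an added example, not code from either poster or from msktutil: it runs the salt-dependent PBKDF2 stage of the RFC 3962 AES string-to-key function over the realm and principal from this thread. The MIT default salt (realm followed by the principal components) is standard; the AD computer-account salt layout used here is an assumption based on the MS-KILE convention and the reply's statement that AD salts from the samAccountName, so the samAccountName FC650DR$ is constructed.

```python
import hashlib

# RFC 3962: for AES enctypes the salt enters string-to-key only through
# PBKDF2-HMAC-SHA1(password, salt, 4096 iterations). The later DK() step
# is a deterministic function of this output alone, so different salts
# can never converge on the same final key. DK() needs AES and is omitted.
ITERATIONS = 4096
KEY_LEN = 32  # aes256-cts-hmac-sha1-96


def mit_default_salt(realm: str, principal: str) -> str:
    """Salt ktutil addent assumes when none is supplied: the realm
    immediately followed by the principal name components, no separators."""
    return realm + "".join(principal.split("/"))


def ad_computer_salt(realm: str, sam_account_name: str) -> str:
    """Salt AD derives for a computer account (assumption, per the MS-KILE
    convention): uppercase realm + 'host' + lowercase short name taken from
    the samAccountName without its trailing '$' + '.' + lowercase realm.
    Note it is built from the account name, not from the SPN's hostname."""
    short = sam_account_name.rstrip("$").lower()
    return realm.upper() + "host" + short + "." + realm.lower()


def pbkdf2_stage(password: str, salt: str) -> bytes:
    """The salt-dependent intermediate key of RFC 3962 string-to-key."""
    return hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), salt.encode("utf-8"), ITERATIONS, KEY_LEN
    )


def keys_match(password: str, salt_a: str, salt_b: str) -> bool:
    """True only if both salts lead to the same key for this password."""
    return pbkdf2_stage(password, salt_a) == pbkdf2_stage(password, salt_b)


if __name__ == "__main__":
    realm, spn, sam = "CORP.FC.LOCAL", "host/fc650dr.fc.fujitsu.com", "FC650DR$"
    password = "constructed-example-password"  # constructed sample value
    ktutil_salt = mit_default_salt(realm, spn)   # what ktutil addent guessed
    kdc_salt = ad_computer_salt(realm, sam)      # what the KDC sends in pre-auth
    print("ktutil salt :", ktutil_salt)
    print("KDC salt    :", kdc_salt)
    print("ktutil key  :", pbkdf2_stage(password, ktutil_salt).hex())
    print("kinit key   :", pbkdf2_stage(password, kdc_salt).hex())
    print("keytab usable:", keys_match(password, ktutil_salt, kdc_salt))
```

The kinit path succeeds because the client uses the salt the KDC returned, so it computes the same key as the KDC; the keytab path fails because its salt was guessed locally. Capturing the ETYPE-INFO2 salt with wireshark, as the reply suggests, shows the exact string the KDC expects.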