msktutil problem with Windows 2008

Markus Moeller huaraz at moeller.plus.com
Sat Aug 29 07:47:44 EDT 2009


I was too quick. I get it to work with host/fqdn (e.g. kinit -kt 
/etc/krb5.keytab host/centos.dom.local) but not with HTTP/fqdn.  I use 
AES-256 CTS mode with 96-bit SHA-1 HMAC.

klist -ekt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 08/29/09 20:54:49 host/centos.dom.local at DOM.LOCAL (ArcFour with HMAC/md5)
   3 08/29/09 20:54:49 host/centos.dom.local at DOM.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   3 08/29/09 20:54:49 host/centos.dom.local at DOM.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)

 klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/centos.dom.local at DOM.LOCAL

Valid starting     Expires            Service principal
08/29/09 21:48:32  08/30/09 07:47:42  krbtgt/DOM.LOCAL at DOM.LOCAL
        renew until 08/30/09 21:48:32, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC



 klist -ekt /etc/HTTP.keytab
Keytab name: FILE:/opt/squid-3.0/etc/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 08/29/09 21:39:35 HTTP/centos.dom.local at DOM.LOCAL (ArcFour with HMAC/md5)
   2 08/29/09 21:39:35 HTTP/centos.dom.local at DOM.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 08/29/09 21:39:35 HTTP/centos.dom.local at DOM.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)


 kinit -kt /etc/HTTP.keytab HTTP/centos.dom.local
kinit(v5): Preauthentication failed while getting initial credentials

Markus


"Markus Moeller" <huaraz at moeller.plus.com> wrote in message 
news:CF5A795E7B16440FA314ED54D5645C0B at VAIOLaptop...
> Wolf-Agathon,
>
>   I did export the keytab, but I found out the Hotfix 951191 was not
> installed on the 2008 DC.
>
> Markus
>
> ----- Original Message ----- 
> From: "Wolf-Agathon Schaly" <schaly_wolf-agathon at arcor.de>
> To: <huaraz at moeller.plus.com>; <kerberos at mit.edu>
> Sent: Saturday, August 29, 2009 11:27 AM
> Subject: **SPAM ZEN 91.53.127.108** Aw: msktutil problem with Windows 2008
>
>
>> Howdy Markus
>>
>> Sounds to me that you're trying to use a keytab without exporting the key
>> to your keytab file test.keytab
>>
>> am I right?
>>
>> cheers
>>  Wolf-Agathon
>>
>>
>> ----- Original Message ----
>> From:    Markus Moeller <huaraz at moeller.plus.com>
>> To:      kerberos at mit.edu
>> Date:    29.08.2009 00:07
>> Subject: msktutil problem with Windows 2008
>>
>>> I use the latest msktutil (0.3.16-7) and can add an entry to Windows 2008,
>>> but when I run kinit -kt test.keytab HTTP/fqdn I get
>>> KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. Is there a setting in 2008 which needs to
>>> be changed?
>>>
>>> Thank you
>>> Markus
>>>
>>>
>>> ________________________________________________
>>> Kerberos mailing list           Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>