need help -- kinit (1.9.1) fails to process keytab

Rex, Martin martin.rex at sap.com
Wed Jun 29 23:42:56 EDT 2011


Creating a keytab for a Microsoft AD account that is comprehensible
to MIT Kerberos (e.g. kinit -k) appears to require heavy wizardry.

I've tried everything I can reasonably think of, but kinit -k
always fails with the nonsensical error message
"kinit: Key table entry not found while getting initial credentials"

strace says that kinit is reading the correct file, and the
keytab definitely contains keys for the specified principal.
(klist -ke sees the content, whether I use ktutil to create
 the keytab or Microsoft's KTPASS.EXE has no visible impact)

So if anything, kinit might tell me that it received something
encrypted with kvno "a" but only found kvnos "b", "c", "d" and "e"
for the specified principal in the specified keytab -- but the error
message it currently prints when providing the full principal
name on the command line just doesn't seem to make sense.


I've created user account "TestService@FOO.CORP" in a W2K8 AD
and "kinit TestService@FOO.CORP" works fine.  Shouldn't kinit
be in the perfect position, after having just successfully obtained
a TGT for that user, to write out a perfect keytab that will
work with "kinit -k" -- or otherwise tell me all necessary details
about what I will have to type into tools like ktutil or what to
supply to Microsoft's KTPASS.EXE in order to achieve with "kinit -k"
what kinit without -k just succeeded doing?


In case that anyone happens to know the exact sequence of commands
and their command line parameters that I would have to type in order
to obtain a working keytab for an ActiveDirectory 2008R2 account
that will be usable with MIT Kerberos 1.9.1, I would be glad to know.

If I ever manage to get a working configuration (keytab),
the clients that should ultimately be able to connect
to the service are WinXP, 2003, Vista and Win7, so it should probably
be using an arcfour-hmac enctype, I assume.

(I will NOT need hostbased service names, in case you're wondering,
 and I did already call "SETSPN dont/care FOO.CORP\TestService" to
 allow 1-/2-Token authentications with the TestService account
 for a post-2000 ActiveDirectory).

-Martin


PS: my windows administrative expertise is limited.
    I have setspn.exe, ktpass.exe within reach and know how to
    run the MMC snap-in "Active Directory - Users and Computers",
    but know nothing else about AD and LDAP...




