trouble with msktutil and Windows 2008 AD

Rohit Kumar Mehta rohitm at engr.uconn.edu
Tue Mar 8 10:19:03 EST 2011


From reading this list, it seems like msktutil is a much better 
solution for managing Linux service principals in an AD than using 
KTPASS.EXE.  However, I seem to be having some difficulties.

I set up a test AD with the domain TAD.ENGR.UCONN.EDU, and I'm trying to 
create some service principals for my test-nfs server.  So on my test 
Linux server (running Ubuntu Lucid), I downloaded msktutil from git (I 
believe version 0.4), compiled, did a kinit 
Administrator@TAD.ENGR.UCONN.EDU, and then tried to run msktutil.  This 
is what I get:

root at test-nfs:~/build/f/msktutil# ./msktutil --precreate --hostname 
test-nfs.tad.engr.uconn.edu -s host -s nfs --server 137.99.15.89 --verbose
  -- init_password: Wiping the computer password structure
  -- get_default_keytab: Obtaining the default keytab name: 
FILE:/etc/krb5.keytab
  -- create_fake_krb5_conf: Created a fake krb5.conf file: 
/tmp/.msktkrb5.conf-mc2Qvi
  -- reload: Reloading Kerberos Context
  -- get_short_hostname: Determined short hostname: test-nfs
  -- finalize_exec: SAM Account Name is: test-nfs$
  -- try_user_creds: Checking if default ticket cache has tickets...
  -- finalize_exec: Authenticated using method 4

  -- ldap_connect: Connecting to LDAP server: 137.99.15.89 try_tls=YES
  -- ldap_connect: Connecting to LDAP server: 137.99.15.89 try_tls=NO
SASL/GSSAPI authentication started
Error: ldap_sasl_interactive_bind_s failed (Local error)
Error: ldap_connect failed
--> Is your kerberos ticket expired? You might try re-"kinit"ing.
  -- ~KRB5Context: Destroying Kerberos Context
root at test-nfs:~/build/f/msktutil#

Looking at Wireshark I see a bunch of errors like 
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.  It looks like msktutil is trying to 
connect and get authorized for this service 
ldap/test-dc1.tad.engr.uconn.edu.  Given that Microsoft Active Directory 
provides LDAP, I'm not sure why that is a problem.

Am I doing anything obviously wrong?  If so, I'd appreciate any help.  Thanks!

Rohit

-- 
Rohit Mehta
Computer Engineer
University of Connecticut
Engineering Computing Services
371 Fairfield Road Unit 2031
Storrs, CT 06269-2031

Office: (860) 486 - 2331
Fax: (860) 486 - 1273
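A pre-flight check for the symptom reported above, added here as an example (it is not part of the thread or of msktutil): it derives the ldap/ principal a GSSAPI LDAP bind will request for the address given to --server and compares it with the SPNs registered on the DC. It assumes the client canonicalizes an IP --server through reverse DNS (the default rdns behaviour of libkrb5); the PTR table and the SPN list are constructed sample data modelled on the post's domain.

```python
import socket

REALM = "TAD.ENGR.UCONN.EDU"                     # realm from the post
# Constructed sample of what `setspn -L TEST-DC1` on the DC might list.
DC_SPNS = ["ldap/test-dc1.tad.engr.uconn.edu", "ldap/TEST-DC1",
           "host/test-dc1.tad.engr.uconn.edu", "host/TEST-DC1"]

def is_ipv4(s):
    try:
        socket.inet_aton(s)
        return True
    except OSError:
        return False

def ldap_target_principal(server, realm, resolver=socket.gethostbyaddr):
    """Principal the GSSAPI bind will ask the KDC for. An IP literal is
    reverse-resolved (PTR); with no PTR the literal itself ends up in the name."""
    name = server
    if is_ipv4(server):
        try:
            name = resolver(server)[0]
        except OSError:                   # socket.herror: no PTR record
            pass
    return f"ldap/{name.lower()}@{realm.upper()}"

def preflight(server, realm, dc_spns, resolver=socket.gethostbyaddr):
    """Return (principal, problems); an empty list means the KDC should know the SPN."""
    princ = ldap_target_principal(server, realm, resolver)
    spn = princ.split("@")[0]
    host = spn.split("/", 1)[1]
    problems = []
    if is_ipv4(server) and host == server.lower():
        problems.append("no PTR record for the DC address: add one or pass the DC's FQDN to --server")
    elif not host.endswith("." + realm.lower()):
        problems.append(f"reverse name {host} is outside the realm's DNS domain")
    elif spn not in {s.lower() for s in dc_spns}:
        problems.append(f"{spn} not registered on the DC: expect KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN")
    return princ, problems

def fake_resolver(ptr_table):
    """Offline stand-in for socket.gethostbyaddr driven by a constructed PTR table."""
    def resolve(ip):
        if ip not in ptr_table:
            raise socket.herror(1, "Unknown host")
        return ptr_table[ip], [], [ip]
    return resolve

if __name__ == "__main__":
    for label, ptr in (("good PTR", {"137.99.15.89": "test-dc1.tad.engr.uconn.edu"}),
                       ("stale PTR", {"137.99.15.89": "old-dc.corp.example"}), ("no PTR", {})):
        print(label, preflight("137.99.15.89", REALM, DC_SPNS, fake_resolver(ptr)))
```

Run against the real DC by dropping the resolver argument so socket.gethostbyaddr is used; a non-empty problems list points at the DNS or SPN fix to make before retrying msktutil.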





More information about the Kerberos mailing list