[EXTERNAL] Re: Issue with Kerberos setting in Sun Solaris 10

Nebergall, Christopher cneberg at sandia.gov
Mon Apr 22 17:01:24 EDT 2013


Do you need to have allow_weak_crypto = true set in your krb5.conf?

-Christopher
-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Ray Vand
Sent: Monday, April 22, 2013 3:38 PM
To: Benjamin Kaduk
Cc: kerberos at mit.edu
Subject: [EXTERNAL] Re: Issue with Kerberos setting in Sun Solaris 10

Ben,

The space is added when I cut and paste from the terminal. I forgot to fix it in the email.
It prompts for the password and it takes it. I even tried a wrong password and I got an error, which means it is communicating with the KDC.

Also, I am using MIT Kerberos version krb5-1.11.1-signed.tar, which I downloaded from the MIT site.

Ray

On Apr 22, 2013, at 1:27 PM, Benjamin Kaduk <kaduk at mit.edu> wrote:

> [putting the list back in the cc]
> 
> On Mon, 22 Apr 2013, Ray Vand wrote:
> 
>> Ben,
>> 
>> kvno was 9 because I gave a new value in the addent command.
>> 
>> ktutil:  addent -password -p sapldap/ads.company.com at COMPANY.COM -k 9 -e DES-CBC-MD5
> 
> Ah, okay.  As I said earlier, I don't think this kvno will affect 'kinit -k', but is relevant when used as an acceptor.
> 
>> I created a new one with kvno 7 and tried it. Still getting initial credentials error.
> 
> Right, I wouldn't expect that to change.
> 
> Some ways of generating a keytab will increment the kvno on the KDC, which will cause problems for existing keytabs; it sounds like that is not what is causing this problem.
> 
>> ktutil:  addent -password -p sapldap/ads.company.com@ COMPANY.COM -k 7 -e DES-CBC-MD5
>> Password for sapldap/ads.company.com@ COMPANY.COM:
>> ktutil:  list
>> slot KVNO Principal
>> ---- ---- ---------------------------------------------------------------------
>>  1    7  sapldap/ads.company.com@ COMPANY.COM
>> ktutil:  wkt /tmp/ray.keytab
>> ktutil:  q
>> 
>> # cp /tmp/ray.keytab /etc/krb5/krb5.keytab
>> 
>> # kinit -k -t /etc/krb5/krb5.keytab sapldap/ads.company.com@ COMPANY.COM
>> kinit(v5): Key table entry not found while getting initial credentials
> 
> I assume the space between '@' and "COMPANY.COM" is introduced while transcribing into email?  If it is present in the actual command line it may cause problems.
> 
> You never did say if you are using the Solaris integrated tools or an external installation of MIT kerberos.
> 
> -Ben


________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos



