[EXTERNAL] Re: Issue with Kerberos setting in Sun Solaris 10
Nebergall, Christopher
cneberg at sandia.gov
Mon Apr 22 17:01:24 EDT 2013
Do you need to have allow_weak_crypto = true set in your krb5.conf?
-Christopher
-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Ray Vand
Sent: Monday, April 22, 2013 3:38 PM
To: Benjamin Kaduk
Cc: kerberos at mit.edu
Subject: [EXTERNAL] Re: Issue with Kerberos setting in Sun Solaris 10
Ben,
The space is added when I cut and paste from terminal. I forgot to fix it in the email.
it prompts for password and it takes it. I even tried wrong password and I got error. Which mean it is communicating with KDC.
Also I am using MIT Kerberos version krb5-1.11.1-signed.tar which I download it from MIT site.
Ray
On Apr 22, 2013, at 1:27 PM, Benjamin Kaduk <kaduk at mit.edu> wrote:
> [putting the list back in the cc]
>
> On Mon, 22 Apr 2013, Ray Vand wrote:
>
>> Ben,
>>
>> kvno was 9 because I gave a new value in addent command.
>>
>> ktutil: addent -password -p sapldap/ads.company.com at COMPANY.COM -k 9 -e DES-CBC-MD5
>
> Ah, okay. As I said earlier, I don't think this kvno will affect 'kinit -k', but is relevant when used as an acceptor.
>
>> I created a new one with kvno 7 and tried it. Still getting initial credentials error.
>
> Right, I wouldn't expect that to change.
>
> Some ways of generating a keytab will increment the kvno on the KDC, which will cause problems for existing keytabs; it sounds like that is not what is causing this problem.
>
>> ktutil: addent -password -p sapldap/ads.company.com@ COMPANY.COM -k 7 -e DES-CBC-MD5
>> Password for sapldap/ads.company.com@ COMPANY.COM:
>> ktutil: list
>> slot KVNO Principal
>> ---- ---- ---------------------------------------------------------------------
>> 1 7 sapldap/ads.company.com@ COMPANY.COM
>> ktutil: wkt /tmp/ray.keytab
>> ktutil: q
>>
>> # cp /tmp/ray.keytab /etc/krb5/krb5.keytab
>>
>> # kinit -k -t /etc/krb5/krb5.keytab sapldap/ads.company.com@ COMPANY.COM
>> kinit(v5): Key table entry not found while getting initial credentials
>
> I assume the space between '@' and "COMPANY.COM" is introduced while transcribing into email? If it is present in the actual command line it may cause problems.
>
> You never did say if you are using the Solaris integrated tools or an external installation of MIT kerberos.
>
> -Ben
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
More information about the Kerberos
mailing list