[EXTERNAL] Re: Issue with Kerberos setting in Sun Solaris 10

Ray Vand ray_vand at filemaker.com
Mon Apr 22 19:08:16 EDT 2013


Christopher,

Something is wrong with your command. Maybe it is incomplete.

Can you please send me the correct syntax?

Ray

On Apr 22, 2013, at 2:55 PM, Nebergall, Christopher wrote:

> What does this return? 
> 
> kvno -e des-cbc-md5 sapldap/ads.company.com at COMPANY.COM
> 
> -Christopher
> -----Original Message-----
> From: Ray Vand [mailto:ray_vand at filemaker.com] 
> Sent: Monday, April 22, 2013 4:46 PM
> To: Nebergall, Christopher
> Cc: Benjamin Kaduk; kerberos at mit.edu
> Subject: Re: [EXTERNAL] Re: Issue with Kerberos setting in Sun Solaris 10
> 
> Christopher,
> 
> Yes, I have. Please see below.
> 
> # cat krb5.conf
> libdefaults]
>       default_realm = COMPANY.COM
> 	default_keytab_name = /etc/krb5/krb5.keytab
> 	default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> 	default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> 	allow_weak_crypto = true
> 
> [realms]
>     COMPANY.COM = {
>               kdc = ads.company.com:88
>               admin_server = ads.company.com
> 		default.domain = COMPANY.COM
>               kpasswd_server = ads.company.com
>       }
> 
> [domain_realm]
> 	.company.com = COMPANY.COM
> 	company.com = COMPANY.COM
> # 
> 
> 
> # kinit -k sapldap/ads.company.com at COMPANY.COM
> kinit(v5): Key table entry not found while getting initial credentials
> # 
> 
> When I use it without the -k option, it works: it prompts for a password and only takes the correct password.
> klist shows recent date and expiration time.
> 
> Ray
> 
> 
> On Apr 22, 2013, at 2:01 PM, "Nebergall, Christopher" <cneberg at sandia.gov> wrote:
> 
>> Do you need to have allow_weak_crypto = true set in your krb5.conf?
>> 
>> -Christopher
>> -----Original Message-----
>> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Ray Vand
>> Sent: Monday, April 22, 2013 3:38 PM
>> To: Benjamin Kaduk
>> Cc: kerberos at mit.edu
>> Subject: [EXTERNAL] Re: Issue with Kerberos setting in Sun Solaris 10
>> 
>> Ben,
>> 
>> The space is added when I cut and paste from the terminal. I forgot to fix it in the email.
>> It prompts for a password and it takes it. I even tried a wrong password and I got an error, which means it is communicating with the KDC.
>> 
>> Also, I am using MIT Kerberos version krb5-1.11.1-signed.tar, which I downloaded from the MIT site.
>> 
>> Ray
>> 
>> On Apr 22, 2013, at 1:27 PM, Benjamin Kaduk <kaduk at mit.edu> wrote:
>> 
>>> [putting the list back in the cc]
>>> 
>>> On Mon, 22 Apr 2013, Ray Vand wrote:
>>> 
>>>> Ben,
>>>> 
>>>> kvno was 9 because I gave a new value in addent command.
>>>> 
>>>> ktutil:  addent -password -p sapldap/ads.company.com at COMPANY.COM -k 9 -e DES-CBC-MD5
>>> 
>>> Ah, okay.  As I said earlier, I don't think this kvno will affect 'kinit -k', but is relevant when used as an acceptor.
>>> 
>>>> I created a new one with kvno 7 and tried it. Still getting initial credentials error.
>>> 
>>> Right, I wouldn't expect that to change.
>>> 
>>> Some ways of generating a keytab will increment the kvno on the KDC, which will cause problems for existing keytabs; it sounds like that is not what is causing this problem.
>>> 
>>>> ktutil:  addent -password -p sapldap/ads.company.com@ COMPANY.COM -k 7 -e DES-CBC-MD5
>>>> Password for sapldap/ads.company.com@ COMPANY.COM:
>>>> ktutil:  list
>>>> slot KVNO Principal
>>>> ---- ---- ---------------------------------------------------------------------
>>>> 1    7  sapldap/ads.company.com@ COMPANY.COM
>>>> ktutil:  wkt /tmp/ray.keytab
>>>> ktutil:  q
>>>> 
>>>> # cp /tmp/ray.keytab /etc/krb5/krb5.keytab
>>>> 
>>>> # kinit -k -t /etc/krb5/krb5.keytab sapldap/ads.company.com@ COMPANY.COM
>>>> kinit(v5): Key table entry not found while getting initial credentials
>>> 
>>> I assume the space between '@' and "COMPANY.COM" is introduced while transcribing into email?  If it is present in the actual command line it may cause problems.
>>> 
>>> You never did say if you are using the Solaris integrated tools or an external installation of MIT kerberos.
>>> 
>>> -Ben
>> 
>> 
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>> 
> 
> 
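An added example, not part of the thread and not code from MIT Kerberos: a small Python reader for the MIT keytab file format (version 0x0502) that prints each stored principal with repr(), so the kvno, the enctype and any stray space after the "@" (as discussed in the quoted messages) are visible when chasing "Key table entry not found". The `sample_entry` helper, its all-zero key and the exact string comparison in the demo are constructed for illustration.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def parse_keytab(data):
    """Parse MIT keytab bytes (format 0x0502) into (principal, kvno, enctype) tuples."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                     # zero or negative length: empty or deleted slot
            pos += -size
            continue
        rec, off = data[pos:pos + size], 0
        pos += size
        def counted():                    # 16-bit length followed by that many bytes
            nonlocal off
            (n,) = struct.unpack_from(">H", rec, off)
            off += 2 + n
            return rec[off - n:off].decode("utf-8", "replace")
        (ncomp,) = struct.unpack_from(">H", rec, off)
        off += 2
        realm = counted()
        name = "/".join(counted() for _ in range(ncomp))
        off += 8                          # skip name type and timestamp
        kvno = rec[off]                   # 8-bit kvno
        enctype, keylen = struct.unpack_from(">HH", rec, off + 1)
        off += 5 + keylen                 # key bytes are skipped, never printed
        if len(rec) - off >= 4:           # optional 32-bit kvno wins if non-zero
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append((name + "@" + realm, kvno, ENCTYPES.get(enctype, str(enctype))))
    return entries

def sample_entry(realm, comps, kvno, enctype, key=b"\x00" * 8):
    """Build one constructed keytab record (dummy key) for the demo; not real data."""
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = (struct.pack(">H", len(comps)) + cs(realm) + b"".join(cs(c) for c in comps)
            + struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key)
    return struct.pack(">i", len(body)) + body

if __name__ == "__main__":
    want = "sapldap/ads.company.com@COMPANY.COM"
    kt = b"\x05\x02" + sample_entry(" COMPANY.COM", ["sapldap", "ads.company.com"], 7, 3)
    for name, kvno, etype in parse_keytab(kt):
        print(repr(name), "kvno", kvno, etype, "match" if name == want else "NO MATCH")
```

To inspect a real file, pass `open(path, "rb").read()` to `parse_keytab`.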



