Call for help: hostkey tab generated by ktpass doesn't work well on unit host.
shuaijie wang
wangshuaijie at gmail.com
Fri Feb 1 04:07:36 EST 2013
Hi all,
I have these requirements:
1. I have several legacy server applications that are built on top of the MIT krb5
libs, and they require a keytab installed on each host.
2. I need to migrate the KDC from the MIT KDC server to AD.
So in order for them to work smoothly, I first use ktpass to generate a
keytab file on the Domain Controller, then I copy this key table to the UNIX
host, but when I test it with my legacy servers, I get an error message saying
"key table entry not found". I debugged a little, and I suspect that
the key encryption type used in the keytab file doesn't agree with the server
ticket; please see below:
The TGT cache is as follows:

sjwang@wsj_vm0-168: klist -e
Ticket cache: FILE:/tmp/krb5cc_34252
Default principal: administrator@WSJ.ENG.PLATFORMLAB.IBM.COM

Valid starting     Expires            Service principal
02/01/13 03:39:33  02/01/13 04:09:33  krbtgt/WSJ.ENG.PLATFORMLAB.IBM.COM@WSJ.ENG.PLATFORMLAB.IBM.COM
        renew until 02/08/13 03:39:33, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
02/01/13 03:43:37  02/01/13 04:09:33  administrator@WSJ.ENG.PLATFORMLAB.IBM.COM   <==== this is the server ticket, its Etype is hmac
        renew until 02/08/13 03:39:33, Etype (skey, tkt): arcfour-hmac, arcfour-hmac

The keytab on the server host is:

sjwang@wsj_vm0-170: sudo klist -ke
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 administrator@WSJ.ENG.PLATFORMLAB.IBM.COM (des-cbc-crc)   <===== Server key, Etype is des-cbc-crc
So I suspect that it is because the Etype in the keytab is not compatible with
the Etype of the server ticket that this key cannot be used in authentication.
But since ktpass only supports des-cbc-crc and des-cbc-md5, how can I
generate a keytab that uses hmac or other encryption types on Windows
machines?
Thanks.
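The mismatch the poster describes can be confirmed without guessing: a service ticket is encrypted with a key of the enctype shown in the "tkt" column of klist -e, and the library's keytab lookup only succeeds when an entry matches the principal, the enctype and (when the ticket carries one) the kvno; otherwise it reports KRB5_KT_NOTFOUND, "Key table entry not found". The following is an added example, not code from the post or from MIT krb5: a small parser for the MIT keytab file format (version 0x0502) plus the same principal/enctype/kvno match the lookup performs. The keytab bytes are constructed in the script with the principal and realm from the post and made-up key material; they are not the poster's /etc/krb5.keytab.

```python
"""Parse an MIT keytab (format 0x0502) and check whether it holds a key
usable for a given service ticket (principal + enctype + kvno).

Added example; the keytab images below are constructed here, not read
from a real host.  Key bytes are placeholders.
"""
import struct
from dataclasses import dataclass

# Enctype numbers (RFC 3961 / MIT) for the types named in the post,
# plus the AES types a current KDC would normally issue.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
NT_PRINCIPAL = 1  # name type written for ordinary principals


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    key: bytes

    @property
    def enctype_name(self) -> str:
        return ENCTYPE_NAMES.get(self.enctype, f"etype {self.enctype}")


def _counted(buf: bytes, off: int):
    """Read a 16-bit length-prefixed octet string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> list:
    """Return the entries of a v2 keytab image, skipping deleted slots."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab (expected magic 05 02)")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:              # negative size marks a deleted slot
            off += -size
            continue
        e, p = data[off:off + size], 0
        (ncomp,) = struct.unpack_from(">H", e, p); p += 2
        realm, p = _counted(e, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(e, p)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", e, p); p += 9
        enctype, klen = struct.unpack_from(">HH", e, p); p += 4
        key = e[p:p + klen]; p += klen
        kvno = vno8
        if len(e) - p >= 4:        # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", e, p)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, key))
        off += size
    return entries


def build_entry(principal: str, kvno: int, enctype: int, key: bytes, timestamp: int = 0) -> bytes:
    """Serialise one keytab entry in the layout parse_keytab() reads."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)   # 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body


def find_key(entries: list, principal: str, enctype: int, kvno=None):
    """The match the library needs before it can decrypt a service ticket.
    Returns the matching entry, or None (the 'Key table entry not found' case)."""
    for e in entries:
        if e.principal == principal and e.enctype == enctype and (kvno is None or e.kvno == kvno):
            return e
    return None


SVC = "administrator@WSJ.ENG.PLATFORMLAB.IBM.COM"
# Constructed stand-in for the poster's keytab: a single des-cbc-crc key, kvno 1.
POSTED_KEYTAB = b"\x05\x02" + build_entry(SVC, 1, 1, bytes(range(8)))
# Constructed keytab carrying an arcfour-hmac key as well (16-byte RC4 key).
FIXED_KEYTAB = POSTED_KEYTAB + build_entry(SVC, 1, 23, bytes(range(16)))


def diagnose(keytab: bytes, principal: str, ticket_enctype: int, kvno=None) -> str:
    """Explain whether the keytab can decrypt a ticket of the given enctype."""
    entries = parse_keytab(keytab)
    have = sorted({e.enctype_name for e in entries if e.principal == principal})
    hit = find_key(entries, principal, ticket_enctype, kvno)
    if hit:
        return f"ok: {principal} has a kvno {hit.kvno} {hit.enctype_name} key"
    return (f"no match: ticket uses {ENCTYPE_NAMES.get(ticket_enctype, ticket_enctype)}, "
            f"keytab has {', '.join(have) or 'nothing'} for {principal}")


if __name__ == "__main__":
    print(diagnose(POSTED_KEYTAB, SVC, 23, kvno=1))
    print(diagnose(FIXED_KEYTAB, SVC, 23, kvno=1))
```

Run against a real file with `parse_keytab(open("/etc/krb5.keytab", "rb").read())` and pass the enctype and kvno shown by `klist -e` for the service ticket; if `find_key` returns None, the server cannot decrypt that ticket regardless of how the keytab was produced. The kvno argument matters in practice: AD bumps the account's key version whenever the password is reset, so a keytab generated before a later reset fails with the same error even when the enctype is right.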
More information about the Kerberos
mailing list