Client keytab ignored
Michael-O
1983-01-06 at gmx.net
Wed Mar 26 18:50:52 EDT 2014
> On Wed, 2014-03-26 at 17:34 +0100, Michael-O wrote:
>> Hi,
>>
>> I am trying to obtain a service ticket with a client keytab for my account.
>> Unfortunately it fails. I wanted to narrow this down and tried to perform the
>> very same operation with
>> $ kinit -k -t my.keytab
>> and it says kinit: Keytab contains no suitable keys for host/fqdn at REALM while
>> getting initial credentials.
>>
>> The question is, why does it completely ignore my keytab and try the
>> default one in /etc?
>
>
> It isn't, is it? Does your keytab have the host key? It is not only you
> who must authenticate, but also the machine upon which you are working.
Hi Steve,
you're right, it does *not* use the default keytab but it uses the
default machine principal. The extra keytab I am using is a functional
account in our Active Directory, it is not a machine account, nor a
human one.
The machine has already joined the domain, why does it need to
reauthenticate?
Thanks,
Michael