Client keytab ignored

steve steve at steve-ss.com
Wed Mar 26 19:35:10 EDT 2014


On Wed, 2014-03-26 at 23:50 +0100, Michael-O wrote:
> > On Wed, 2014-03-26 at 17:34 +0100, Michael-O wrote:
> >> Hi,
> >>
> >> I am trying to obtain a service ticket with a client keytab for my account.
> >> Unfortunately it fails. I wanted to narrow this down and tried to perform the
> >> very same operation with
> >> $ kinit -k -t my.keytab
> >> and it says kinit: Keytab contains no suitable keys for host/fqdn at REALM while
> >> getting initial credentials.
> >>
> >> The question is, why does it completely ignore my keytab and tries the
> >> default one in /etc?
> >
> >
> > It isn't, is it? Does your keytab have the host key? It is not only you
> > who must authenticate, but also the machine upon which you are working.
> 
> Hi Steve,
> 
> you're right, it does *not* use the default keytab but it uses the 
> default machine principal. The extra keytab I am using is a functional 
> account in our Active Directory, it is not a machine account, nor a 
> human one.
> 
> The machine has already joined the domain, why does it need to 
> reauthenticate?
> 
> Thanks,
> 
> Michael

Hi
Tickets have a lifetime. In our domain it's 10 hours. The host or
machine$ key is used to authenticate your computer. You normally get
your own tgt by entering a password or, as I think you may wish to do,
by having your key in a keytab so eliminating the need for a password.
So long as both you and your machine are known to AD, you're free to go.
What does your 'functional account' do? Is there any reason you can't
have all your keys in one keytab? Preferably the default keytab?
Cheers,
Steve
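As an added example that is not from the thread: a small POSIX sh wrapper that lists the principals a keytab actually holds (parsing MIT `klist -k -t` output) and passes the wanted principal to `kinit` explicitly, because MIT `kinit -k` with no principal argument falls back to the default `host/<fqdn>@REALM` principal rather than to whatever is in the keytab. The keytab path, principal names and realm are assumed placeholders, and the sample `klist` output is constructed so the parsing can be checked offline.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks a keytab for the wanted
# principal before calling kinit, and always names the principal explicitly.

# keytab_principals: print the principal names from "klist -k -t" output
# read on stdin. Header lines carry no '@', so only entry lines are kept.
keytab_principals() {
    awk '$NF ~ /@/ { print $NF }'
}

# keytab_has_principal PRINCIPAL: exit 0 if PRINCIPAL appears in the
# klist output on stdin (fixed-string, whole-line match).
keytab_has_principal() {
    keytab_principals | grep -qxF -- "$1"
}

# kinit_from_keytab KEYTAB PRINCIPAL: refuse to call kinit unless the key
# is present, so the failure message names the real problem instead of
# a missing host/<fqdn> key.
kinit_from_keytab() {
    keytab=$1
    principal=$2
    if ! klist -k -t "$keytab" | keytab_has_principal "$principal"; then
        present=$(klist -k -t "$keytab" | keytab_principals | sort -u | tr '\n' ' ')
        echo "error: $keytab has no key for $principal (present: $present)" >&2
        return 1
    fi
    kinit -k -t "$keytab" "$principal"
}

# Constructed sample of "klist -k -t" output (assumed placeholder names,
# not values from the thread), used to exercise the parser offline.
SAMPLE_KLIST='Keytab name: FILE:my.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 03/26/2014 10:00:00 svc-functional@EXAMPLE.COM
   3 03/26/2014 10:00:00 svc-functional@EXAMPLE.COM
   2 03/26/2014 10:00:00 host/ws01.example.com@EXAMPLE.COM'

# Usage (assumed placeholder values):
#   kinit_from_keytab my.keytab svc-functional@EXAMPLE.COM
```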
