Client keytab ignored

Michael-O 1983-01-06 at gmx.net
Thu Mar 27 02:36:03 EDT 2014


Am 2014-03-27 00:35, schrieb steve:
> On Wed, 2014-03-26 at 23:50 +0100, Michael-O wrote:
>>> On Wed, 2014-03-26 at 17:34 +0100, Michael-O wrote:
>>>> Hi,
>>>>
>>>> I am trying to obtain a service ticket with a client keytab for my account.
>>>> Unfortunately it fails. I wanted to narrow this down and tried to perform the
>>>> very same operation with
>>>> $ kinit -k -t my.keytab
>>>> and it says "kinit: Keytab contains no suitable keys for host/fqdn@REALM while
>>>> getting initial credentials".
>>>>
>>>> The question is, why does it completely ignore my keytab and tries the
>>>> default one in /etc?
>>>
>>>
>>> It isn't, is it? Does your keytab have the host key? It is not only you
>>> who must authenticate, but also the machine upon which you are working.
>>
>> Hi Steve,
>>
>> you're right, it does *not* use the default keytab but it uses the
>> default machine principal. The extra keytab I am using is a functional
>> account in our Active Directory, it is not a machine account, nor a
>> human one.
>>
>> The machine has already joined the domain, why does it need to
>> reauthenticate?
>>
>> Thanks,
>>
>> Michael
>
> Hi
> Tickets have a lifetime. In our domain it's 10 hours. The host or
> machine$ key is used to authenticate your computer. You normally get
> your own tgt by entering a password or, as I think you may wish to do,
> by having your key in a keytab so eliminating the need for a password.
> So long as both you and your machine are known to AD, you're free to go.
> What does your 'functional account' do? Is there any reason you can't
> have all your keys in one keytab? Preferably the default keytab?

Hi Steve,

The functional account is for M2M communication only, and no, I 
cannot/don't want to merge both keytabs because they are distinct 
accounts with different permissions in the domain. Moreover, the default 
keytab is created by Samba with net ads join and so forth, that's why I 
do not want to tamper with it.

Michael
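An added example, not part of the original thread, for the invocation the thread is about. With MIT Kerberos, `kinit -k -t my.keytab` given no principal argument asks for the default client principal of keytab mode, `host/<fqdn>@REALM`, regardless of which keys the file holds; that is why the error names the host principal even though the keytab belongs to a functional account. The fix is to list the keytab and pass its principal explicitly. The keytab path, realm, principal name `svc-m2m@EXAMPLE.COM` and the `klist` listing below are constructed for illustration; the helper names are my own.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: MIT Kerberos
# command-line tools (klist, kinit, kvno); keytab path, realm and principal
# are placeholders; SAMPLE_KLIST is constructed text imitating
# `klist -k -t -e my.keytab` for a keytab holding one functional account.
SAMPLE_KLIST='Keytab name: FILE:my.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 03/20/14 10:11:12 svc-m2m@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 03/20/14 10:11:12 svc-m2m@EXAMPLE.COM (arcfour-hmac)'

# keytab_principals LISTING: print each distinct principal in klist -k output.
# The principal is the only whitespace-separated field containing '@', which
# makes the parse independent of whether -t (timestamps) or -e (enctypes)
# were given; header and separator lines carry no '@' and are skipped.
keytab_principals() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /@/) print $i }' | sort -u
}

# has_principal LISTING PRINCIPAL: succeed only if the keytab holds a key for
# PRINCIPAL. This is the check kinit performs; with no principal argument it
# performs it for host/<fqdn>@REALM, hence "no suitable keys for host/...".
has_principal() {
    keytab_principals "$1" | grep -qxF "$2"
}

# kinit_cmd KEYTAB PRINCIPAL: the command line that authenticates as the
# keytab's own principal instead of the host default. Printed, not executed,
# so the example runs without a KDC.
kinit_cmd() {
    printf 'kinit -k -t %s %s\n' "$1" "$2"
}

# get_service_ticket KEYTAB PRINCIPAL SERVICE: the live procedure against a
# real keytab (not invoked here). It refuses to run kinit when the keytab
# lacks the principal, then obtains the TGT and fetches SERVICE's ticket.
get_service_ticket() {
    listing=$(klist -k -t "$1") || return 1
    if ! has_principal "$listing" "$2"; then
        echo "keytab $1 holds no key for $2; principals present:" >&2
        keytab_principals "$listing" >&2
        return 1
    fi
    kinit -k -t "$1" "$2" && kvno "$3"
}

# Demonstration on the constructed listing: derive the principal from the
# keytab rather than letting kinit assume the host principal.
PRINC=$(keytab_principals "$SAMPLE_KLIST" | head -n 1)
echo "principal found in keytab: $PRINC"
if has_principal "$SAMPLE_KLIST" "host/fqdn.example.com@EXAMPLE.COM"; then
    echo "host key present (unexpected for a functional-account keytab)"
else
    echo "no host key in this keytab, so a bare 'kinit -k -t my.keytab' must fail"
fi
kinit_cmd my.keytab "$PRINC"
# Live use: get_service_ticket my.keytab "$PRINC" HTTP/app.example.com@EXAMPLE.COM
```

Keeping the functional account in its own keytab, as the thread prefers, is compatible with this: only the principal argument changes, and the machine's Samba-managed keytab in /etc is never read or written.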
