[krbdev.mit.edu #2550] Problems with ms2mit.exe and aklog.exe with KFW 2.6.1 and OpenAFS

Lantzer at MIT.EDU
Sun May 2 18:50:22 EDT 2004


The ms2mit.exe package included with KFW 2.6.1 loads a TGT into the MIT
credentials cache that has an encryption type of arcfour-hmac, after
logging into a Windows XP system joined to a Windows 2000 native mode
domain. The aklog.exe included with KFW 2.6.1 does not seem to be able
to use a TGT with this encryption type. I noticed in the ms2mit.exe
source code that the code was changed to use the TGT from the Microsoft
credentials cache if the encryption type was a supported type, and that
arcfour-hmac was listed as a supported type. If aklog.exe cannot be used
with an arcfour-hmac encryption type, then perhaps the ms2mit.exe code
should check the krb5.ini file for requested encryption types and
attempt to acquire a TGT with a requested encryption type if one isn't
returned from the Microsoft credentials cache.

I am able to use leash32.exe from KFW 2.6.1 to get AFS tokens, but it
does not work when I try to use ms2mit.exe and aklog.exe from KFW 2.6.1.

The following is an edited log of my attempt to use aklog.exe with
ms2mit.exe from KFW 2.6.1:

C:\>ms2mit

C:\>klist -e
Ticket cache: API:krb5cc
Default principal: userid at REALM

Valid starting     Expires            Service principal
04/29/04 17:58:02  05/29/04 17:58:02  krbtgt/REALM at REALM
        renew until 05/29/04 17:58:02, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5


Kerberos 4 ticket cache: API:krb4cc
klist: No ticket file (tf_util)

C:\>aklog -d
Authenticating to cell CELL.
Getting v5 tickets: afs/CELL at REALM
Kerberos error code returned by get_cred: -1765328184
aklog: Couldn't get umr.edu AFS tickets:

C:\>


From a web search:

-1765328184: Invalid KDC option combination (library internal error) 


I also have problems when trying to use kinit.exe and aklog.exe from KFW
2.6.1. I did not have this problem with KFW 2.6-beta9.

The following is an edited log of my attempt to use aklog.exe with
kinit.exe from KFW 2.6.1:

C:\>kinit -5
Password for userid at REALM:

C:\>klist -e
Ticket cache: API:krb5cc
Default principal: userid at REALM

Valid starting     Expires            Service principal
04/29/04 18:21:57  04/30/04 04:21:57  krbtgt/REALM at REALM
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32


Kerberos 4 ticket cache: API:krb4cc
klist: No ticket file (tf_util)

C:\>aklog -d
Authenticating to cell umr.edu.
Getting v5 tickets: afs/CELL at REALM
Set username to userid
Getting tokens.
aklog: unable to obtain tokens for cell CELL (status: 11862786).

C:\>

From a web search:

KTC_INVAL        11862786 /* an invalid argument was passed in */

Ryan Lantzer
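
Added example, not part of the original message and not KFW or OpenAFS code: both status codes in the logs above are com_err codes, so each can be split into an error-table name and an offset to see which library raised it (the krb5 table for the first, the KTC table for the second). The function names are illustrative; the message strings are the ones quoted in the post.

```python
# Added example: decode MIT com_err status codes into (table name, offset).
# A com_err code is a 32-bit value: the upper 24 bits pack a table name of up
# to four characters (6 bits each), the low 8 bits index a message in it.
CHARSET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "abcdefghijklmnopqrstuvwxyz"
           "0123456789_")
OFFSET_BITS = 8
BITS_PER_CHAR = 6

# Messages exactly as quoted in the post; nothing else is assumed here.
MESSAGES_FROM_POST = {
    -1765328184: "Invalid KDC option combination (library internal error)",
    11862786: "an invalid argument was passed in",
}

def decode(code):
    """Split a status code into (table_name, offset)."""
    unsigned = code & 0xFFFFFFFF          # tools print the code as signed int32
    offset = unsigned & ((1 << OFFSET_BITS) - 1)
    packed = unsigned >> OFFSET_BITS
    name = []
    for shift in (18, 12, 6, 0):
        index = (packed >> shift) & 0x3F
        if index:                         # 0 means "no character here"
            name.append(CHARSET[index - 1])
    return "".join(name), offset

def table_base(name):
    """Inverse of decode: signed 32-bit base code for a table name."""
    if not 1 <= len(name) <= 4:
        raise ValueError("table names are 1 to 4 characters")
    packed = 0
    for ch in name:
        packed = (packed << BITS_PER_CHAR) | (CHARSET.index(ch) + 1)
    unsigned = (packed << OFFSET_BITS) & 0xFFFFFFFF
    return unsigned - (1 << 32) if unsigned & 0x80000000 else unsigned

def triage(code):
    """One-line summary for a status code copied from a tool's output."""
    table, offset = decode(code)
    text = MESSAGES_FROM_POST.get(code, "(message not on this page)")
    return f"{code}: table={table} offset={offset} -> {text}"

if __name__ == "__main__":
    for status in (-1765328184, 11862786):
        print(triage(status))
```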