Issues with keytab creation related to switch to w2k3 w/ ktutil

Nathan Neulinger nneul at
Wed Apr 7 09:19:29 EDT 2004

I figured one of y'all might have some idea on this... 

Current setup: ADS, W2K, create computer account objects with known password via LDAPS, then use ktutil to create a
keytab with a matching entry (kvno,key,des-cbc-crc,princ). Works great.

Switch to pointing at a W2K3 domain controller - only change is host used for ldap. New result - keytab nonfunctional, get
decrypt integ check failed, or pre-auth failed if I try to auth with the keytab.

In either above case, if I manually kinit to the host princ with the known password it authenticates without any error. 

I've tried specifying different enc types to ktutil, no change. (Actually, in a few cases it complained about not finding 
a useful key which I expected.)

The ktutil I am using is from -current, with a small modification to allow passing password or key inline as part
of the add_ent cmd to ktutil instead of them having to be read from stdin - so it can be scripted without resorting to expect/etc.

MS premiere support has so-far not been particularly helpful, but we haven't escalated to our TAM yet.

Any suggestions?

-- Nathan

Nathan Neulinger                       EMail:  nneul at
University of Missouri - Rolla         Phone: (573) 341-6679
UMR Information Technology             Fax: (573) 341-4216

More information about the krbdev mailing list