Issues with keytab creation related to switch to w2k3 w/ ktutil
Nathan Neulinger
nneul at umr.edu
Wed Apr 7 09:19:29 EDT 2004
I figured one of y'all might have some idea on this...
Current setup: ADS, W2K, create computer account objects with known password via LDAPS, then use ktutil to create a
keytab with a matching entry (kvno,key,des-cbc-crc,princ). Works great.
Switch to pointing at a W2K3 domain controller - only change is host used for ldap. New result - keytab nonfunctional, get
decrypt integ check failed, or pre-auth failed if I try to auth with the keytab.
In either above case, if I manually kinit to the host princ with the known password it authenticates without any error.
I've tried specifying different enc types to ktutil, no change. (Actually, in a few cases it complained about not finding
a useful key which I expected.)
The ktutil I am using is from -current, with a small modification to allow passing password or key inline as part
of the add_ent cmd to ktutil instead of them having to be read from stdin - so it can be scripted without resorting to expect/etc.
MS premiere support has so-far not been particularly helpful, but we haven't escalated to our TAM yet.
Any suggestions?
-- Nathan
------------------------------------------------------------
Nathan Neulinger EMail: nneul at umr.edu
University of Missouri - Rolla Phone: (573) 341-6679
UMR Information Technology Fax: (573) 341-4216
More information about the krbdev
mailing list