Issues with keytab creation related to switch to w2k3 w/ ktutil

Neulinger, Nathan nneul at umr.edu
Wed Apr 7 11:51:19 EDT 2004


Sam, give me a little credit please. I'm well aware of the kvno issue.
If it were just a simple rtfm answer like that, I wouldn't have asked
the question here in the first place. 

The princ is being re-created each time, and we know the kvno, and have
verified that with adsiedit. The keytab has the appropriate key with
that kvno in it. 

If it were a simple kvno mismatch, this would be easy to resolve - I
should know, we already had to deal with that for authentications
against win2k3 boxes for our afs service principals and krb524 - which
was resolved without any significant issues.

-- Nathan


>>>>> "Nathan" == Nathan Neulinger <nneul at umr.edu> writes:


    Nathan> Switch to pointing at a W2K3 domain controller - only
    Nathan> change is host used for ldap. New result - keytab
    Nathan> nonfunctional, get decrypt integ check failed, or pre-auth
    Nathan> failed if I try to auth with the keytab.

Windows 2003 supports a concept of kvno.  You should use the kvno
executable from MIT Kerberos to determine the kvno of the service
principal before constructing the keytab.


BTW, this question is really off-topic for this list and belonged on
kerberos at mit.edu.

--Sam





------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul at umr.edu
University of Missouri - Rolla         Phone: (573) 341-6679
UMR Information Technology             Fax: (573) 341-4216
 

> -----Original Message-----
> From: krbdev-bounces at mit.edu [mailto:krbdev-bounces at mit.edu] 
> On Behalf Of Nathan Neulinger
> Sent: Wednesday, April 07, 2004 8:19 AM
> To: krbdev at mit.edu
> Subject: Issues with keytab creation related to switch to 
> w2k3 w/ ktutil
> 
> I figured one of y'all might have some idea on this... 
> 
> Current setup: ADS, W2K, create computer account objects with 
> known password via LDAPS, then use ktutil to create a
> keytab with a matching entry (kvno,key,des-cbc-crc,princ). 
> Works great.
> 
> Switch to pointing at a W2K3 domain controller - only change 
> is host used for ldap. New result - keytab nonfunctional, get
> decrypt integ check failed, or pre-auth failed if I try to 
> auth with the keytab.
> 
> In either above case, if I manually kinit to the host princ 
> with the known password it authenticates without any error. 
> 
> I've tried specifying different enc types to ktutil, no 
> change. (Actually, in a few cases it complained about not finding 
> a useful key which I expected.)
> 
> The ktutil I am using is from -current, with a small 
> modification to allow passing password or key inline as part
> of the add_ent cmd to ktutil instead of them having to be 
> read from stdin - so it can be scripted without resorting to 
> expect/etc.
> 
> MS Premier support has so far not been particularly helpful, 
> but we haven't escalated to our TAM yet.
> 
> Any suggestions?
> 
> -- Nathan
> 
> ------------------------------------------------------------
> Nathan Neulinger                       EMail:  nneul at umr.edu
> University of Missouri - Rolla         Phone: (573) 341-6679
> UMR Information Technology             Fax: (573) 341-4216
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
> 
> 
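The kvno cross-check Sam suggests (and Nathan says he already did), as an added example that is not part of this thread: it parses constructed samples in the shape of MIT `klist -kte` and `kvno` output (principal names, realm and timestamps are made up) and reports, per principal, whether the keytab holds a key under the kvno the KDC currently reports. A kvno match only rules out the version mismatch; a "decrypt integrity check failed" with a matching kvno, as in Nathan's case, means the key bytes themselves differ, which this check cannot see.

```python
import re
# Constructed sample of `klist -kte` output (MIT krb5 format), not real data.
KLIST_SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 04/07/04 08:19:00 host/box.example.edu@EXAMPLE.EDU (DES cbc mode with CRC-32)
   3 04/07/04 08:19:00 host/box.example.edu@EXAMPLE.EDU (DES cbc mode with CRC-32)
   3 04/07/04 08:19:00 afs@EXAMPLE.EDU (DES cbc mode with CRC-32)
"""
# Constructed sample of `kvno host/box.example.edu afs` output, not real data.
KVNO_SAMPLE = """\
host/box.example.edu@EXAMPLE.EDU: kvno = 3
afs@EXAMPLE.EDU: kvno = 4
"""

KLIST_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$")
KVNO_RE = re.compile(r"^(\S+): kvno = (\d+)\s*$")

def parse_klist(text):
    """Map principal -> {kvno: set(enctypes)} from `klist -kte` output."""
    entries = {}
    for m in filter(None, map(KLIST_RE.match, text.splitlines())):
        kvno, princ, enctype = int(m.group(1)), m.group(2), m.group(3)
        entries.setdefault(princ, {}).setdefault(kvno, set()).add(enctype)
    return entries

def parse_kvno(text):
    """Map principal -> kvno as the KDC currently reports it."""
    return {m.group(1): int(m.group(2))
            for m in filter(None, map(KVNO_RE.match, text.splitlines()))}

def check_keytab(klist_text, kvno_text):
    """Per principal the KDC answered for: 'ok' if the keytab has a key under
    the current kvno, 'stale' if it only has older kvnos, 'missing' if none.
    A kvno match is necessary, not sufficient: the key bytes may still differ."""
    keytab = parse_klist(klist_text)
    report = {}
    for princ, current in parse_kvno(kvno_text).items():
        have = keytab.get(princ, {})
        if current in have:
            report[princ] = ("ok", current, sorted(have[current]))
        elif have:
            report[princ] = ("stale", current, sorted(have))
        else:
            report[princ] = ("missing", current, [])
    return report

if __name__ == "__main__":
    for princ, verdict in check_keytab(KLIST_SAMPLE, KVNO_SAMPLE).items():
        print(princ, *verdict)
```

On a live system, feed it the real output of `klist -kte` and `kvno <principals>`; a "stale" verdict is the classic cause of pre-auth failures after the account's password (and kvno) changes.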