kinit request on keytab fails using 2K3sp1 KDC

Hello,

I am testing a keytab obtained from a Windows 2003 Server (sp1) prior to 
configuring mod_auth_kerb.  I have used the following command to 
generate a keytab on the KDC;
ktpass -mapuser intsvcuser@smg.plc.uk -princ 
HTTP/connect.smg.plc.uk@SMG.PLC.UK +DesOnly -pass userspassword -ptype 
KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -out "c:\krb5.keytab"

The *nix server is running Solaris 9 with MIT krb5-1.4.3.  I have 
transferred the keytab to /etc/krb5.keytab.  When I run;
#/usr/local/bin/kinit -k -t /etc/krb5.keytab 
HTTP/connect.smg.plc.uk@SMG.PLC.UK

I get the following error;
kinit(v5): Preauthentication failed while getting initial credentials

I am able to obtain a ticket directly from the kdc using #./kinit 
DavidTelfer@SMG.PLC.UK which would indicate that the problem wasn't a 
clock slew error (I haven't seen an error of this nature appear with 
this version of krb so I'm not sure whether it would explicitly state this).

From reading a few mailing list posts I have discovered some people 
having issues with ktpass on service pack 1.  One such post;
http://groups.google.com/group/comp.protocols.kerberos/browse_thread/thread/1c991fa1b6ea4ef8/3da9428688c66d72%233da9428688c66d72
details a similar problem.  I have followed the advice given, ensuring 
that the kvnos match and changing the system user's password prior to 
generating the keytab, but to no avail.

My /etc/krb5.conf file is as follows (I've removed every non-essential 
entry to ensure that it isn't the issue);

[libdefaults]
        default_realm = SMG.PLC.UK
[domain_realm]
        connect.smg.plc.uk = SMG.PLC.UK
[realms]
        SMG.PLC.UK = {
                kdc = pqdomc01.smg.plc.uk
                admin_server = pqdomc01.smg.plc.uk
                default_domain = smg.plc.uk
        }

Has anyone experienced a similar problem to this?  I have to assume 
there is a problem with the keytab but I'm at a loss as to what the 
problem could be.

David Telfer
david@2fluid.co.uk




________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

david
3/22/2006 5:08:47 PM
comp.protocols.kerberos


Similar Articles:

RE: kinit request on keytab fails using 2K3sp1 KDC

David,

The easiest solution to this problem is to use the ktpass which was shipped with Windows 2003, and not the one with SP1. Alternatively, you can use one of the many tools available that replace the need for ktpass, and use computer accounts for key storage. These tools do not suffer from the same issues as ktpass.

It seems that the sp1 version of ktpass stores a key with a specific kvno in the keytab file, and the kvno in the domain controller for the same principal is different. This is why you cannot use the keytab file to authenticate.

Thanks,
Tim

-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of David Telfer
Sent: 22 March 2006 17:09
To: kerberos@mit.edu
Subject: kinit request on keytab fails using 2K3sp1 KDC

Hello,

I am testing a keytab obtained from a Windows 2003 Server (sp1) prior to configuring mod_auth_kerb. I have used the following command to generate a keytab on the KDC;

ktpass -mapuser intsvcuser@smg.plc.uk -princ HTTP/connect.smg.plc.uk@SMG.PLC.UK +DesOnly -pass userspassword -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -out "c:\krb5.keytab"

The *nix server is running Solaris 9 with MIT krb5-1.4.3. I have transferred the keytab to /etc/krb5.keytab. When I run;

#/usr/local/bin/kinit -k -t /etc/krb5.keytab HTTP/connect.smg.plc.uk@SMG.PLC.UK

I get the following error;

kinit(v5): Preauthentication failed while getting initial credentials

I am able to obtain a ticket directly ...

RE: kinit request on keytab fails using 2K3sp1 KDC #2

David,

Like yourself we spent many days/weeks trying to get the sp1 version of ktpass to work, but we could not, so we have developed our own replacement product that uses computer accounts instead.

Cheers,
Tim

-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of David Telfer
Sent: 23 March 2006 09:47
To: kerberos@mit.edu
Subject: Re: kinit request on keytab fails using 2K3sp1 KDC

Richard E. Silverman wrote:
>
> TA> It seems that the sp1 version of ktpass stores a key with a
> TA> specific kvno in the keytab file, and the kvno in the domain
> TA> controller for the same principal is different. This is why you
> TA> cannot use the keytab file to authenticate.
>
> Yes; it always sets the kvno in the keytab it writes to 1, regardless of
> the value in the KDB (which of course changes each time the key is
> extracted). So, you can only use the keytab the first time you extract
> it. If you have to do it again, just delete the principal and re-create
> it.

I am not sure whether this is the issue or not. I may be doing something wrong, but I have used the following procedure to determine the kvno of both the keytab and the service principal.

To determine the KDC principal kvno;

#./kinit HTTP/connect.smg.plc.uk@SMG.PLC.UK
--->prompted for system user password
#./kvno HTTP/connect.smg.plc.uk@SMG.PLC.UK
HTTP/connect.smg.plc.uk@SMG.PLC.UK: kvno = 3

To determine...

RE: kinit request on keytab fails using 2K3sp1 KDC #4

David,

I have seen this problem before. It does not occur with the pre-SP1 version of ktpass.

Conclusion: If you want to create keytable files which have correct kvnos and which work correctly with des, then you must use the pre-SP1 version of ktpass.

Thanks,
Tim

-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of David Telfer
Sent: 23 March 2006 17:39
To: kerberos@mit.edu
Subject: Re: kinit request on keytab fails using 2K3sp1 KDC

Jeffrey Altman wrote:
> Why do you need the kvno to be 1?

It wasn't so much that they needed to match, more to tidy up the situation I had on the KDC.

> For example, what is the enctype of the service ticket issued by the
> KDC? Does that match the enctype of the keytab entry you are using?
>
> What do the following commands output?
>
> klist -e -k /etc/krb5.keytab
>
> kvno HTTP/connect.smg.plc.uk@SMG.PLC.UK
> klist -e
>

This appears to be the problem: the keytab is being generated with DES-CBC-MD5, the service principal is sending an ArcFour encrypted tgt. The reason this never occurred to me is that the user account has the 'use DES encryption for this account' setting ticked.

I have tried the following process to force the service principal to be DES;

1 - create account
2 - run ktpass util with -mapop set +DesOnly and -crypto DES-CBC-MD5 options set.
3 - view account properties and ensure that 'use DES encryption f...
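The check that Jeffrey Altman asks for above (compare `klist -e -k` on the keytab with what `kvno` and `klist -e` say about the principal) is the one that resolves both symptoms in the original post: a keytab whose kvno does not match the KDC's, and a keytab whose enctype does not match the ticket the KDC issues. The following Python is an added example, not code from the thread, from MIT Kerberos or from ktpass: it parses the MIT keytab file format (version 0x0502) directly and then diagnoses a keytab entry against the tool output. The keytab bytes, the `kvno` line and the `klist -e` lines are constructed here to mirror the thread (keytab written with kvno 1 and des-cbc-md5, KDC reporting kvno 3 and issuing arcfour-hmac tickets); the enctype name table assumes the long names MIT's klist prints.

```python
"""Parse an MIT keytab (format 0x0502) and compare its entries with what the KDC
reports for a service principal.  Added example, not code from the thread; the
keytab bytes and tool output below are constructed to mirror its symptoms."""
import re
import struct

# enctype numbers (RFC 3961) and the long names MIT's klist -e prints for them
ENCTYPES = {1: "DES cbc mode with CRC-32", 3: "DES cbc mode with RSA-MD5",
            16: "Triple DES cbc mode with HMAC/sha1",
            18: "AES-256 CTS mode with 96-bit SHA-1 HMAC",
            23: "ArcFour with HMAC/md5"}
ENCTYPE_BY_NAME = {v: k for k, v in ENCTYPES.items()}
KRB5_NT_PRINCIPAL = 1


def _ename(n):
    return ENCTYPES.get(n, "etype %d" % n)


def _octets(data):
    return struct.pack(">H", len(data)) + data           # counted_octet_string


def _read_octets(blob, pos):
    (n,) = struct.unpack_from(">H", blob, pos)
    return blob[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(principal, kvno, enctype, key, timestamp=0):
    """Serialise a one-entry keytab in MIT 0x0502 layout (all big-endian)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _octets(realm.encode())
    body += b"".join(_octets(c.encode()) for c in comps)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _octets(key)    # keyblock
    body += struct.pack(">I", kvno)                      # optional 32-bit vno
    return b"\x05\x02" + struct.pack(">i", len(body)) + body  # size excludes itself


def parse_keytab(blob):
    """Return one dict per live entry: principal, kvno, enctype, key."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 handled here")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                       # negative size marks a deleted slot
            pos -= size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", blob, p)
        realm, p = _read_octets(blob, p + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _read_octets(blob, p)
            comps.append(c.decode())
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", blob, p)
        (etype,) = struct.unpack_from(">H", blob, p + 9)
        key, p = _read_octets(blob, p + 11)
        kvno = vno8
        if end - p >= 4:                   # 32-bit vno present; it wins over vno8
            (kvno,) = struct.unpack_from(">I", blob, p)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": etype, "key": key})
        pos = end
    return entries


def kdc_kvno_from_output(line):
    """'HTTP/x@R: kvno = 3' as printed by the kvno tool -> 3."""
    return int(re.search(r"kvno = (\d+)", line).group(1))


def ticket_enctype_from_klist(text):
    """Ticket enctype from a klist -e 'Etype (skey, tkt): a, b' line."""
    m = re.search(r"Etype \(skey, tkt\): (.+?), (.+)", text)
    return ENCTYPE_BY_NAME[m.group(2).strip()]


def diagnose(blob, principal, kvno_line, klist_text):
    """Mirror the klist -e -k / kvno / klist -e comparison from the thread."""
    mine = [e for e in parse_keytab(blob) if e["principal"] == principal]
    if not mine:
        return ["no keytab entry for " + principal]
    problems = []
    kdc_kvno = kdc_kvno_from_output(kvno_line)
    if kdc_kvno not in {e["kvno"] for e in mine}:
        problems.append("kvno mismatch: keytab %s, KDC %d"
                        % (sorted(e["kvno"] for e in mine), kdc_kvno))
    tkt = ticket_enctype_from_klist(klist_text)
    if tkt not in {e["enctype"] for e in mine}:
        problems.append("enctype mismatch: keytab %s, ticket %s"
                        % (sorted(_ename(e["enctype"]) for e in mine), _ename(tkt)))
    return problems


# constructed sample mirroring the thread: keytab written with kvno 1 / des-cbc-md5
PRINC = "HTTP/connect.smg.plc.uk@SMG.PLC.UK"
SAMPLE_KEYTAB = build_keytab(PRINC, kvno=1, enctype=3, key=bytes(range(8)))
SAMPLE_KVNO_LINE = PRINC + ": kvno = 3"
SAMPLE_KLIST = ("03/23/06 09:40:00  03/23/06 19:40:00  " + PRINC + "\n"
                "\tEtype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5\n")

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%4d %-36s %s" % (e["kvno"], e["principal"], _ename(e["enctype"])))
    for p in diagnose(SAMPLE_KEYTAB, PRINC, SAMPLE_KVNO_LINE, SAMPLE_KLIST):
        print("PROBLEM:", p)
```

On a real host, feed `parse_keytab` the bytes of /etc/krb5.keytab and the other two functions the captured output of `kvno` and `klist -e`; an empty list from `diagnose` means the keytab entry agrees with the KDC on both kvno and enctype, which is the precondition for `kinit -k` to succeed.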

RE: kinit request on keytab fails using 2K3sp1 KDC #3

>From the determined kvno information, I am worried that starting again
>will not resolve my issue. Assuming that the kvno is reset to 1, using
>kvno and klist to determine the version number should return similar
>results to above, but showing the number to be 1. What would the
>difference be and would it resolve the pre-authentication issue?

We found that even if we start again, we could not get the pre-auth to work.

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Tim Alsop wrote:
>>From the determined kvno information, I am worried that starting again
>> will not resolve my issue. Assuming that the kvno is reset to 1, using
>
>> kvno and klist to determine the version number should return similar
>> results to above, but showing the number to be 1. What would the
>> difference be and would it resolve the pre-authentication issue?
>
> We found that even if we start again, we could not get the pre-auth to
> work.

The most important new functionality in the W2K SP1 version of KTPASS is that it allows you to export RC4-based keys instead of DES. Did you try using RC4 keys or were you only interested in using single DES?

Jeffrey Altman ...

can keytab created on Linux KDC be used when using windows KDC ?
Hi all, I am trying interoperability between linux machines using windows KDC. I have a question regarding the keytab file usage. Assuming that I create keytab file using Linux KDC for a client called "test.kerberos.com" in the realm "KERBEROS.COM" Can I use the same keytab for the linux machine when it uses windows as KDC ? Has anybody tried this ? Is it possible ? If not possible, can you please explain why it is not possible ? Does windows KDC and Linux use different methods to create keytab ? - Sandy. ...

question about MIT Kerberos KDC processing PROXY KDC requests
Hello, I understand that proxiable/proxy tickets are rarely used and the corresponding code in the MIT Kerberos implementation is not very well tested. However, I found two possibly buggy places in the KDC code, so I think this is worth asking about. I used the MIT Kerberos distribution and was able to make proxiable/ proxy tickets work, but had two make two changes in the KDC source code. I would like to ask if these are really bugs or not. We use the MIT Kerberos 1.6.3 release. Both suspicious places are in kdc/ kdc_util.c, validate_tgs_request(): 1. line 1144: if (request->kdc_options & NO_TGT_OPTION) { if (!krb5_principal_compare(kdc_context, ticket->server, request_server)) { *status = "SERVER DIDN'T MATCH TICKET FOR RENEW/FORWARD/ETC"; return(KDC_ERR_SERVER_NOMATCH); } } NOT_TGT_OPTION is defined as: #define NO_TGT_OPTION (KDC_OPT_FORWARDED | KDC_OPT_PROXY | KDC_OPT_RENEW | KDC_OPT_VALIDATE) The KDC returns an error here if the server principal in the ticket does not match the one in the KDC request. I can see how this check is required for the "forwarded", "renew" and "validate" KDC requests. However, for a proxy ticket request, it seems that: - the ticket must be a TGT with ticket->server = krbtgt/R1@R2, for some R1 and R2 - the KDC request must have a server principal request->server = the target application server's Kerberos principal Should the #define NO_TGT_OPTI...

AD KDC - msktutil
Hi, I have this error (see subject) when using msktutil. Any idea what's wrong with my setup? (I've replaced hostnames and OU structure) /etc/krb5.conf (part) ========== [libdefaults] default_realm = EXAMPLE.ORG dns_lookup_realm = false dns_lookup_kdc = true ticket_lifetime = 24h renew_lifetime = 7d forwardable = true [realms] EXAMPLE.ORG = { default_domain = msnet.railb.be kdc = ictdc01.example.org admin_server = ictdc01.example.org admin_keytab = FILE:/etc/krb5.keytab } [domain_realm] .example.org = EXAMPLE.ORG example.org = EXAMPLE.ORG msktutil --create -h tstweb01 -b "OU=Linux Servers" --server ictdc01 -- verbose -- init_password: Wiping the computer password structure -- get_default_keytab: Obtaining the default keytab name: FILE:/etc/ krb5.keytab -- create_fake_krb5_conf: Created a fake krb5.conf file: / tmp/.msktkrb5.conf-fbUui1 -- reload: Reloading Kerberos Context -- get_short_hostname: Determined short hostname: tstweb01 -- finalize_exec: SAM Account Name is: tstweb01$ -- try_machine_keytab_princ: Trying to authenticate for tstweb01$ from local keytab... -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (No such file or directory) -- try_machine_keytab_princ: Authentication with keytab failed -- try_machine_keytab_princ: Trying to authenticate for host/ tstweb01.example.org from local keytab... -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos ...

kinit(v5): Cannot contact any KDC for requested......
Hi All, This is my first email to clug. I hope there's kerberos expert on this list. I've been battling with kerberos issues for couple of days. I've installed latest kerberos on RH advance server according to documentation. Everything seems ok but kerberos client apps like kinit are not working. I could run kadmin.local. All important principals are created as well. I logged in as root on the same machine where master kdc is running. I've setup DNS as well but no success. I noticed one thing: I did not create principal for root@RTDLINUX.COM. When I ran kinit, this is the message I got in krb4kdc.log file: Nov 11 15:06:01 kerberos krb5kdc[26446](info): AS_REQ (6 etypes {18 16 23 1 3 2}) 128.1.1.70: CLIENT_NOT_FOUND: root@RTDLINUX.COM for krbtgt/RTDLINUX.COM@RTDLINUX.COM, Client not found in Kerberos database Nov 11 15:06:01 kerberos krb5kdc[26446](info): DISPATCH: repeated (retransmitted?) request from 128.1.1.70, resending previous response When I created this principal, krb5kdc dies silently (no message in log). It seems like kinit is communicating with kdc but somehow krb5kdc process crashes. when I run kinit. kinit complains with this error: kinit(v5): Cannot contact any KDC for requested realm while getting initial credentials Here's my krb5.conf file: [root@kerberos krb5kdc]# more /etc/krb5.conf [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] ticket_li...

kinit(v5): Cannot contact any KDC for requested ...
--=-k/lcpzymRBzmrMBCKbwB Content-Type: text/plain Content-Transfer-Encoding: 7bit Hi, I am trying to setup kerberos, but I am getting the above problem. My krb5.conf file is attached. Could you please help. I had run the following commands. # kdb5_util create -r chitta.cse.krb -s # kadmin.local -q "addprinc admin/admin" # kadmin.local -q "addprinc kuser" # kadmin.local -q "getprincs" K/M@chitta.cse.krb admin/admin@chitta.cse.krb kadmin/admin@chitta.cse.krb kadmin/changepw@chitta.cse.krb kadmin/history@chitta.cse.krb kadmin/localhost@chitta.cse.krb krbtgt/chitta.cse.krb@chitta.cse.krb kuser@chitta.cse.krb -- Chitta Mandal <chitta@iitkgp.ac.in> IIT Kharagpur --=-k/lcpzymRBzmrMBCKbwB Content-Disposition: attachment; filename=krb5.conf Content-Type: text/plain; name=krb5.conf; charset=UTF-8 Content-Transfer-Encoding: 7bit [logging] default = FILE:/var/log/kerberos/krb5libs.log kdc = FILE:/var/log/kerberos/krb5kdc.log admin_server = FILE:/var/log/kerberos/kadmind.log default = SYSLOG:INFO:USER [libdefaults] ticket_lifetime = 24000 default_realm = chitta.cse.krb default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc permitted_enctypes = des3-hmac-sha1 des-cbc-crc dns_lookup_realm = false dns_lookup_kdc = true kdc_req_checksum_type = 2 checksum_type = 2 ccache_type = 1 forwardable = true proxiable = true [realms] chitta.cse.krb = { kdc = chitta.cse.iitkgp.ernet.in:88 admi...

Re: kinit(v5): Cannot contact any KDC for requested......
I'm also using Kerberos with RH... I don't see your hosts in your principal list... You should add the host, with a random key and store it in /etc/krb5.keytab for every host that's in the realm, including the KDC. That could be the cause of your problem... I'm not sure though I'm also not using DNS. - Jin On Wed, 12 Nov 2003 20:54:52 -0700 muzaffar.sultan@telvent.abengoa.com wrote: > Hi All, > > This is my first email to clug. I hope there's kerberos expert on this > list. > I've been battling with kerberos issues for couple of days. > > I've installed latest kerberos on RH advance server according to > documentation. > Everything seems ok but kerberos client apps like kinit are not working. > > I could run kadmin.local. All important principals are created as well. > > I logged in as root on the same machine where master kdc is running. I've > setup DNS as well but no success. > > I noticed one thing: I did not create principal for root@RTDLINUX.COM. > When > I ran kinit, this is the message I got in krb4kdc.log file: > > Nov 11 15:06:01 kerberos krb5kdc[26446](info): AS_REQ (6 etypes {18 16 23 > 1 > 3 2}) 128.1.1.70: CLIENT_NOT_FOUND: root@RTDLINUX.COM for > krbtgt/RTDLINUX.COM@RTDLINUX.COM, Client not found in Kerberos database > Nov 11 15:06:01 kerberos krb5kdc[26446](info): DISPATCH: repeated > (retransmitted?) request from 128.1.1.70, resending pre...

Kerberos error 52 (0x34) when using kinit
Hello All, I'm getting the above error when I try to get the initial ticket using kinit. The KDC is Windows 2003 and the client is running on linux. My understanding of kerberos and the KDC in particular is that if the KDC can't send the response back via UDP it will switch over to TCP. My question is this: Does the client need to programmactically take an action if it recieves this error or will this be taken care of "under the hood"? Also the client side (linux), is there a way to force the communication to occur using TCP? TIA, Bruce E. Wells ------------------------------------------------------------------------ ------------------------- ------------------------- CONFIDENTIALITY AND SECURITY NOTICE This e-mail contains information that may be confidential and proprietary. It is to be read and used solely by the intended recipient(s). Citadel and its affiliates retain all proprietary rights they may have in the information. If you are not an intended recipient, please notify us immediately either by reply e-mail or by telephone at 312-395-2100 and delete this e-mail (including any attachments hereto) immediately without reading, disseminating, distributing or copying. We cannot give any assurances that this e-mail and any attachments are free of viruses and other harmful code. Citadel reserves the right to monitor, intercept and block all communications involving its computer systems. _______________________________________...

Logging in with kerberos fails, but acquiring a ticket with kinit does not
Hi! I've set up Ubuntu to auth against a kerberos server. The client is equiped with: krb5-config krb5-user libgssapi-krb5-2 libkrb5-3 libkrb5support0 libpam-krb5 /etc/krb5.config holds: [libdefaults] default_realm = EXAMPLE.COM #dns_lookup_kdc = true #dns_lookup_realm = true # The following krb5.conf variables are only for MIT Kerberos. krb4_config = /etc/krb.conf krb4_realms = /etc/krb.realms kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true [realms] EXAMPLE.COM = { kdc = srv.example.com admin_server = srv.example.com default_domain = example.com } [domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COM [login] krb4_convert = true krb4_get_tickets = false [logging] kdc = FILE:/var/log/kerberos/krb5kdc.log default = FILE:/var/log/kerberos/krb5lib.log admin_server = FILE:/var/log/kerberos/kadmin.log PAM (/etc/pam.d/common-auth): auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000 auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass auth requisite pam_deny.so auth required pam_permit.so Now local login: user@host:~$ su - user Password: su: Fehler bei Authentifizierung user@host:~$ klist klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000) user@host:~$ kinit us...

Error: krb5_set_password_using_ccache failed (Cannot contact any KDC for requested realm)
Hi All, I am having a problem getting a fresh Centos 6.2 machine to join our AD domain. I have installed a base machine with minimal server profile in centos. Its running the krb5-workstation that comes with centos krb5-workstation-1.9-22.el6_2.1.x86_64. We are running a windows 2008 r2 AD cluster with windows 7 and windows xp clients. Long term is to get this working for squid authentication. klist: [root@squid-k net]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: asdwyer@OURCOMPANY.EXAMPLE Valid starting Expires Service principal 03/08/12 14:56:01 03/09/12 00:56:03 krbtgt/OURCOMPANY.EXAMPLE@OURCOMPANY.EXAMPLE renew until 03/15/12 14:56:01 Setup krb5.conf with: [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = OURCOMPANY.EXAMPLE dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true [realms] OURCOMPANY.EXAMPLE = { kdc = dc-hbt-01.ourcompany.example kdc = dc-hbt-02.ourcompany.example admin_server = dc-hbt-01.ourcompany.example } [domain_realm] .ourcompany.example = OURCOMPANY.EXAMPLE ourcompany.example = OURCOMPANY.EXAMPLE When i run msktutil: [root@squid-k ~]# msktutil -c -b "CN=COMPUTERS" -s HTTP/squid-k.ourcompany.example -k /etc/squid/PROXY.keytab --computer-name SQUIDPROXY-K --upn HTTP/squid-k.ourcompany.example --server dc-hbt-01.ourcompany.examp...

Re: kinit(v5): Cannot contact any KDC for requested...... #2
Thanks Jin for the tip. I tried that as well and it did not work. I've stopped using DNS to troubleshoot the problem. Here's principals list: [root@kerberos sample]# /usr/local/sbin/kadmin.local Authenticating as principal muzaffar/admin@RTDLINUX.COM with password. kadmin.local: listprincs K/M@RTDLINUX.COM host/kerberos.rtdlinux.com@RTDLINUX.COM kadmin/admin@RTDLINUX.COM kadmin/changepw@RTDLINUX.COM kadmin/history@RTDLINUX.COM krbtgt/RTDLINUX.COM@RTDLINUX.COM muzaffar/admin@RTDLINUX.COM root@RTDLINUX.COM sample/kerberos.rtdlinux.com@RTDLINUX.COM Here's output from keytab file: [root@kerberos sample]# klist -k Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 4 kadmin/admin@RTDLINUX.COM 4 kadmin/admin@RTDLINUX.COM 4 kadmin/changepw@RTDLINUX.COM 4 kadmin/changepw@RTDLINUX.COM 2 host/kerberos.rtdlinux.com@RTDLINUX.COM 2 host/kerberos.rtdlinux.com@RTDLINUX.COM _________________________________________________________ Muzaffar Sultan--Telvent muzaffar.sultan@telvent.abengoa.com Ph: (403)-301-5020 |---------+------------------------------> | |xiongj@rpi.edu | | | | |---------+------------------------------> >----------------------------------------------------------------------------------------------------------------------------| | ...

Potential bug using TCP for kinit to KDC communication
Hi, I am experimenting kinit ticket requesting to KDC using TCP and see that all attempts fall back to UDP. Looking at the code it seems there is a bug, see below. my setup: - MIT Kerberos 1.10.1, built from source code and running this build - kbr5.conf with udp_preference_limit=1 - kdc.conf with kdc_tcp_ports=88 Here is part of the flow in sendto_kdc.c: - KDC hostname gets resolved (resolve_server()) and several connections are attempted, first ones with TCP, and some UDP sockets are created too. - each connection is attempted by a start_connection() call, they all succeed. - at the end of start_connection(), there is an ssflags local variable into which the SSF_READ flag is being set (among others), and this state is saved through cm_add_fd(). - for TCP sockets, the service_tcp_fd() function is called, running a state machine. - inside service_tcp_fd(), for the CONNECTING state, a check is made for the SSF_READ flag. If this flag is set, a comment tells the KDC is sending data to us, which is interpreted as an error, so the TCP socket is disconnected by the client. As seen above, this SSF_READ flag had been explicitly set at the end of start_connection(). - consequently, all the TCP sockets are closed along the same scenario, then Kerberos falls back to UDP sockets, which do succeed in contacting the KDC. So I think there is a bug there, either start_connection() should not set the SSF_READ flag by default, or service_tcp_fd() should't check the SSF_READ during t...

RE: Kerberos error 52 (0x34) when using kinit
Hello Douglas, Thanx for the response. I'll get the latest version from MIT and try again. Regards, Bruce. -----Original Message----- From: Douglas E. Engert [mailto:deengert@anl.gov] Sent: Friday, December 10, 2004 8:57 AM To: Wells, Bruce Cc: kerberos@mit.edu Subject: Re: Kerberos error 52 (0x34) when using kinit Wells, Bruce wrote: > Hello All, > I'm getting the above error when I try to get the initial ticket using > kinit. The KDC is Windows 2003 and the client is running on linux. My > understanding of kerberos and the KDC in particular is that if the KDC > can't send the response back via UDP it will switch over to TCP. My > question is this: Does the client need to programmactically take an > action if it recieves this error or will this be taken care of "under > the hood"? Also the client side (linux), is there a way to force the > communication to occur using TCP? Depends on the release of the Kerberos. MIT 1.2.x did not support TCP, 1.3.x does. Its a recent addition to Java as well. Theylibs wil switch as needed. The krb5.conf [libdefaults] udp_preference_limit = nnn can be used to tell the client to use TCP if the message is over nnn bytes. Setting to 1 in effect says try TCP first. The problem is the ticket is large due to the PAC being included from AD. (IIRC) W2003 servers have a lower cut over size then W2000 servers. > > TIA, > Bruce E. Wells > > -----------------------------...

PLANNING THE USE OF MIT SUGESSTIONS UPON KERBEROS PROTOCOL
PLS COMPLY W/CHOICE PROTOCOLS. MT&KR ATV k 2006041400:59 GMT RSVP mailto:torregimeno@ag-asociados.com Alberto Torregimeno V'zquez Pza. Castilla, Torre 2, 5B Azuqueca de Henares 19200 Guadalajara SPAIN ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

"Keytab extraction using krb5_set_password() from windows KDC"
Hi all, I am working on implementing kerberos on an embedded device. I am aiming at using "windows 2000 server as KDC" . Please note that I had to add host names as users, generate seperate keytab files for each account and copy those on to the target. The problem is it requires as lot of manual stuffs to do. I am looking in to how to automate this procedure. I queried earlier regarding this and got replies which were of good help to me. I am trying to use the netjoin reference code given by Microsoft which is written by M Moeller. In earlier replies I got reply whose link is given below: http://groups.google.com/group/comp.protocols.kerberos/browse_thread/thread/ 2b856ea605b5a64f/f12f4b8734a9d9cc?q=sandypossible&rnum=3#f12f4b8734a9d9cc The summary of the reply was create the account manually on the windows AD. Then use the kerberos APIs such as change_password() to extract the key. I am trying this approach and I am able to extract the key in to keytab file. Steps followed: 1) Created manually the host name "test" account under "users". Using the ktpass, mapped the host name "test" to the MIT kerberos format with out extracting the key to the keytab file.( This I did by following the reply from the kerberos group ). -> ktpass -princ host/test.kerberos.com@KERBEROS.COM -mapuser test -pass passwd 2) Got the TGT for the Administrator of the domain on the target. and then used the set_password() function which extracta the ...

"Cannot contact any KDC for requested realm" when using ldapsearch
I'm trying to configure Kerberos authentication with OpenLDAP. kinit appears to work fine. However, I get this when using ldapsearch: $ ldapsearch -H ldaps://ldap.endoframe.net -b dc=endoframe,dc=net SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local error (-2) additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot contact any KDC for requested realm) krb5kdc.log has entries like this in it: Feb 27 00:23:31 rail.endoframe.net krb5kdc[13220](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: SERVER_NOT_FOUND: braden/admin@ENDOFRAME.NET for kadmin/rail.endoframe.net@ENDOFRAME.NET, Server not found in Kerberos database Feb 27 00:23:31 rail.endoframe.net krb5kdc[13220](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: ISSUE: authtime 1330320211, etypes {rep=18 tkt=18 ses=18}, braden/admin@ENDOFRAME.NET for kadmin/admin@ENDOFRAME.NET Feb 27 00:25:13 rail.endoframe.net krb5kdc[13220](info): TGS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: ISSUE: authtime 1330319881, etypes {rep=18 tkt=18 ses=18}, braden@ENDOFRAME.NET for krbtgt/ENDOFRAME.NET@ENDOFRAME.NET Feb 27 00:25:13 rail.endoframe.net krb5kdc[13220](info): TGS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: ISSUE: authtime 1330319881, etypes {rep=18 tkt=18 ses=18}, braden@ENDOFRAME.NET for krbtgt/ENDOFRAME.NET@ENDOFRAME.NET Obviously, the first one there looks rather susp...

kinit: Cannot contact any KDC for requested realm while getting initial credentials
Hi, I am having problems with using kinit, with keytab and username/password. When issuing the kinit command I get the following error: kinit: Cannot contact any KDC for requested realm while getting initial credentials There is a firewall between the webservers where I issue the command from and the domain controller. The webservers are able to connect to the domain controller on port 88 over UDP. The webservers are able to resolve themselves and the domain controller, both forward and reverse lookup. Do any of you guys out there have an idea of what is going wrong? Many thanks, Celia ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

need help -- kinit (1.9.1) fails to process keytab
Creating a keytab for a Microsoft AD account that is comprehensible to MIT Kerberos (e.g. kinit -k) appears to require heavy wizardry. I've tried everything I can reasonably think of, but kinit -k always fails with the non-sensical error message "kinit: Key table entry not found while getting initial credentials" strace says that kinit is reading the correct file, and the keytab definitely contains keys for the specified principal. (klist -ke sees the content, wether I use ktutil to create the keytab or Microsoft's KTPASS.EXE has no visible impact) So if anything, kinit might tell me that it received something encrypted with kvno "a" but only found kvnos "b", "c", "d" and "e" for the specified principal in the specified keytab -- but the error message it currently prints when providing the full principal name on the command line just doesn't seem to make sense. I've created user account "TestService@FOO.CORP" in an W2K8 AD and "kinit TestService@FOO.CORP" works fine. Shouldn't kinit be in the perfect position, after having just successfully obtained a TGT for that user, to write out a perfect keytab that will work with "kinit -k" -- or otherwise tell me all necessary details about what I will have to type into tools like ktutil or what to supply to Microsoft's KTPASS.EXE in order to achieve with "kinit -k" what kinit without -k just succeeded doin...

Automating keytab creation when using windows 2003 KDC and linux clients
Hi all, I am using windows 2003 Domain controller as KDC and I am using linux machines. The steps what I have followed to make these linux machines to use windows 2003 server are as follows: 1. Configured windows 2003 as domain controller, added the linux machines as users. 2. Generated keytab files using ktpass tool. 3. Tested the gss server and gss client communication. It works fine. I notice that I had to add the linux mahines as users, generate seperate keytab files for each account and copy those on to the linux machines. The problem is it requires as lot of manual stuffs to do. I am looking in to how to automate this procedure. Could you please suggest how to go about it ? Could you please let me know if this is the standard method of doing it as of now ? Are there any other methods ? I am really aiming at automating this procedure as it will be difficult to configure non windows systems which act as application servers and if they are large in number. Could you please let me know your suggestions ? - Sandy. Instead of using ktpass on the kdc you can do all directly from the Unix system, by using tools like net ads join from samba. (Keep in mind that you need to authenticate to the kdc to create accounts and if you automate this completly (e.g. with a hardcoded password) the password will be known at some point and may compromise your overall security) See also my response from November http://mailman.mit.edu/pipermail/kerberos/2005-November/008836.html Ma...

MIT Kerberos KDC & W2K Client: Changing expired password issue
Hi, I also experienced the same problem as William G. Zereneh (http://mailman.mit.edu/pipermail/kerberos/2004-May/005341.html). I'm able to change the password using ctrl-alt-del, but when the password is expired and windows asks me to change the password, I encounter a "Domain MIT.REALM.COM is not available" error. As I sniffed the packets, I noticed that it sent a CLDAP query message with filter: (&(DnsDomain = MIT.REALM.COM)(Host = myhostname)(NtVer=\006) which is returned NULL by my _ldap._tcp.dc._msdcs.REALM.MIT.COM. How to resolve this problem? Maybe there's a missing entry in my DNS? Is it mandatory for the MIT Kerberos KDC (I installed it on RedHat Linux) to have an LDAP service to resolve the CLDAP request? And can LDAP actually entertain CLDAP requests since LDAP is using TCP while CLDAP is using UDP? Can I resolve the CLDAP request using Windows 2000 server instead? Any ideas will be very appreciated. Regards from newbie, lara

Life, you see, is never as good or as bad as one thinks. - Guy de Maupassant -

samba+kerberos "cannot resolve network address for KDC in requested realm"
Hi, I'm quite new to kerberos and samba so I hope my question is not so stupid and I hope somebody could help me. I'm trying to join a linux machine (3.0.14a-Debian) to a W2K3 domain as a member. I would like to have ads security on it but I don't know why I get this message "cannot resolve network address for KDC in requested realm" when I try "net ads join -U myuser%mypassword". Maybe I did not give you enough information to know what's the problem. Thanks in advance

Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
