


need help -- kinit (1.9.1) fails to process keytab

Creating a keytab for a Microsoft AD account that is comprehensible
to MIT Kerberos (e.g. kinit -k) appears to require heavy wizardry.

I've tried everything I can reasonably think of, but kinit -k
always fails with the nonsensical error message
"kinit: Key table entry not found while getting initial credentials"

strace says that kinit is reading the correct file, and the
keytab definitely contains keys for the specified principal.
(klist -ke sees the content, whether I use ktutil to create
 the keytab or Microsoft's KTPASS.EXE has no visible impact)

So if anything, kinit might tell me that it received something
encrypted with kvno "a" but only found kvnos "b", "c", "d" and "e"
for the specified principal in the specified keytab -- but the error
message it currently prints when providing the full principal
name on the command line just doesn't seem to make sense.


I've created user account "TestService@FOO.CORP" in a W2K8 AD
and "kinit TestService@FOO.CORP" works fine.  Shouldn't kinit
be in the perfect position, after having just successfully obtained
a TGT for that user, to write out a perfect keytab that will
work with "kinit -k" -- or otherwise tell me all necessary details
about what I will have to type into tools like ktutil or what to
supply to Microsoft's KTPASS.EXE in order to achieve with "kinit -k"
what kinit without -k just succeeded in doing?


In case that anyone happens to know the exact sequence of commands
and their command line parameters that I would have to type in order
to obtain a working keytab for an ActiveDirectory 2008R2 account
that will be usable with MIT Kerberos 1.9.1, I would be glad to know.

If I ever manage to get a working configuration (keytab),
the clients that should ultimately be able to connect
to the service are WinXP, 2003, Vista and Win7, so it should probably
be using an arcfour-hmac enctype, I assume.

(I will NOT need hostbased service names, in case you're wondering,
 and I did already call "SETSPN dont/care FOO.CORP\TestService" to
 allow 1-/2-Token authentications with the TestService account
 for a post-2000 ActiveDirectory).

-Martin


PS: my Windows administrative expertise is limited.
    I have setspn.exe, ktpass.exe within reach and know how to
    run the MMC snap-in "Active Directory - Users and Computers",
    but know nothing else about AD and LDAP...


6/30/2011 3:42:56 AM
comp.protocols.kerberos
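
A keytab lookup is keyed on principal, kvno and enctype, and "Key table entry not found" does not say which of the three failed to match. The following is an added example, not part of the original post: a parser for the MIT keytab file format (version 0x0502) that lists those three fields for every entry and reports which one a given lookup misses. The function names, the all-zero sample keys and the lookups tried against the sample are constructed for illustration.

```python
import struct

ENCTYPES = {3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",  # enctype numbers
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}  # (subset)

def _counted(buf, p):
    (n,) = struct.unpack_from(">H", buf, p)   # 16-bit length prefix
    return buf[p + 2:p + 2 + n], p + 2 + n

def _parse_entry(e):
    (ncomp,) = struct.unpack_from(">H", e, 0)
    realm, p = _counted(e, 2)
    comps = []
    for _ in range(ncomp):
        c, p = _counted(e, p)
        comps.append(c.decode())
    p += 8                                  # skip name type and timestamp
    kvno, p = e[p], p + 1                   # 8-bit kvno
    enctype, keylen = struct.unpack_from(">HH", e, p)
    p += 4 + keylen                         # skip the key bytes themselves
    if len(e) - p >= 4:                     # optional trailing 32-bit kvno
        kvno = struct.unpack_from(">I", e, p)[0] or kvno
    return "/".join(comps) + "@" + realm.decode(), kvno, enctype

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        if size > 0:
            entries.append(_parse_entry(data[pos + 4:pos + 4 + size]))
        pos += 4 + abs(size)                # negative size: hole from a deleted entry
    return entries

def explain_lookup(entries, principal, kvno, enctype):
    """Name the first field of a (principal, kvno, enctype) lookup that fails."""
    same = [e for e in entries if e[0] == principal]
    if not same:
        near = [e[0] for e in entries if e[0].lower() == principal.lower()]
        return "no entry for principal" + (f" (case differs: {near[0]})" if near else "")
    at_kvno = [e for e in same if kvno == 0 or e[1] == kvno]
    if not at_kvno:
        return f"kvno {kvno} not found; keytab has {sorted({e[1] for e in same})}"
    if not any(e[2] == enctype for e in at_kvno):
        have = sorted({ENCTYPES.get(e[2], str(e[2])) for e in at_kvno})
        return f"enctype {ENCTYPES.get(enctype, enctype)} not found; keytab has {have}"
    return "match"

def build_entry(principal, kvno, enctype, key):
    """Serialize one entry; used only to construct the sample below."""
    name, realm = principal.split("@")
    cs = lambda b: struct.pack(">H", len(b)) + b
    parts = [cs(c.encode()) for c in name.split("/")]
    body = struct.pack(">H", len(parts)) + cs(realm.encode()) + b"".join(parts)
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: two arcfour-hmac entries (all-zero keys) around a 4-byte hole.
_E = lambda kvno: build_entry("TestService@FOO.CORP", kvno, 23, bytes(16))
SAMPLE = b"\x05\x02" + _E(3) + struct.pack(">i", -4) + bytes(4) + _E(4)
```

To inspect a real file, pass its bytes (`open(path, "rb").read()`) to `parse_keytab`; key material is skipped and never returned.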
