RE: kinit request on keytab fails using 2K3sp1 KDC
David,
The easiest solution to this problem is to use the ktpass which was
shipped with Windows 2003, and not the one with SP1.
Alternatively, you can use one of the many tools available that replace
the need for ktpass, and use computer accounts for key storage. These
tools do not suffer from the same issues as ktpass.
It seems that the sp1 version of ktpass stores a key with a specific
kvno in the keytab file, and the kvno in the domain controller for the
same principal is different. This is why you cannot use the keytab file
to authenticate.
Thanks, Tim
-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On
Behalf Of David Telfer
Sent: 22 March 2006 17:09
To: kerberos@mit.edu
Subject: kinit request on keytab fails using 2K3sp1 KDC
Hello,
I am testing a keytab obtained from a Windows 2003 Server (sp1) prior to
configuring mod_auth_kerb. I have used the following command to
generate a keytab on the KDC;
ktpass -mapuser intsvcuser@smg.plc.uk -princ
HTTP/connect.smg.plc.uk@SMG.PLC.UK +DesOnly -pass userspassword -ptype
KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -out "c:\krb5.keytab"
The *nix server is running Solaris 9 with MIT krb5-1.4.3. I have
transfered the keytab to /etc/krb5.keytab. When I run ;
#/usr/local/bin/kinit -k -t /etc/krb5.keytab
HTTP/connect.smg.plc.uk@SMG.PLC.UK
I get the following error;
kinit(v5): Preauthentication failed while getting initial credentials
I am able to obtain a ticket directly from the kdc using #./kinit
DavidTelfer@SMG.PLC.UK which would indicate that the problem wasn't a
clock slew error (I haven't seen an error of this nature appear with
this version of krb so I'm not sure whether it would explicitly state
this).
From reading a few mailing list posts I have discovered some people
having issues with ktpass on service pack 1. One such post;
http://groups.google.com/group/comp.protocols.kerberos/browse_thread/thr
ead/1c991fa1b6ea4ef8/3da9428688c66d72%233da9428688c66d72
details a similar problem I have followed the advice given, ensuring
that the kvno's match and changing the system users password prior to
generating the keytab but to no avail.
My /etc/krb5.conf file is as follows (I've removed every non-essential
entry to ensure that it isn't the issue);
[libdefaults]
default_realm = SMG.PLC.UK
[domain_realm]
connect.smg.plc.uk = SMG.PLC.UK
[realms]
SMG.PLC.UK = {
kdc = pqdomc01.smg.plc.uk
admin_server = pqdomc01.smg.plc.uk
default_domain = smg.plc.uk
}
Has anyone experienced a similar problem to this? I have to assume
there is a problem with the keytab but I'm at a loss as to what the
problem could be.
David Telfer
david@2fluid.co.uk
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
tim.alsop
comp.protocols.kerberos
5541 articles. 
1 followers.
jwinius
5 Replies
722 Views
Similar Articles>>>>> "TA" == "Tim Alsop" <Tim.Alsop@cybersafe.com> writes:
TA> It seems that the sp1 version of ktpass stores a key with a
TA> specific kvno in the keytab file, and the kvno in the domain
TA> controller for the same principal is different. This is why you
TA> cannot use the keytab file to authenticate.
Yes; it always sets the kvno in the keytab it writes to 1, regardless of
the value in the KDB (which of course changes each time the key is
extracted). So, you can only use the keytab the first time you extract
it. If you have to do it again, just delete the principal and re-create
it.
--
Richard Silverman
res@qoxp.net
res49On Wednesday 22 March 2006 18:19, Tim Alsop wrote: > Alternatively, you can use one of the many tools available that replace > the need for ktpass, and use computer accounts for key storage. These > tools do not suffer from the same issues as ktpass. What are that tools? Can you send searchkeywords or pointers so I can find and use them? Thank you, Achim ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
kerberosmlRichard E. Silverman wrote: >>>>>> "TA" == "Tim Alsop" <Tim.Alsop@cybersafe.com> writes: > > TA> It seems that the sp1 version of ktpass stores a key with a > TA> specific kvno in the keytab file, and the kvno in the domain > TA> controller for the same principal is different. This is why you > TA> cannot use the keytab file to authenticate. > > Yes; it always sets the kvno in the keytab it writes to 1, regardless of > the value in the KDB (which of course changes each time the key is > extracted). So, you can only use the keytab the first time you extract > it. If you have to do it again, just delete the principal and re-create > it. ktpass allows you to specify the kvno on the command line. You can obtain the kvno for the service principal with the MIT kvno utility. Jeffrey Altman
jaltman2>>>>> "JA" == Jeffrey Altman <jaltman2@nyc.rr.com> writes:
JA> Richard E. Silverman wrote:
>>>>>>> "TA" == "Tim Alsop" <Tim.Alsop@cybersafe.com> writes:
>>
TA> It seems that the sp1 version of ktpass stores a key with a
TA> specific kvno in the keytab file, and the kvno in the domain
TA> controller for the same principal is different. This is why you
TA> cannot use the keytab file to authenticate.
>> Yes; it always sets the kvno in the keytab it writes to 1,
>> regardless of the value in the KDB (which of course changes each
>> time the key is extracted). So, you can only use the keytab the
>> first time you extract it. If you have to do it again, just delete
>> the principal and re-create it.
JA> ktpass allows you to specify the kvno on the command line. You
JA> can obtain the kvno for the service principal with the MIT kvno
JA> utility.
Somehow I never noticed that, probably because I couldn't imagine why
you'd need such a thing. :) Thanks.
JA> Jeffrey Altman
--
Richard Silverman
res@qoxp.net
Achim Grolms wrote: > On Wednesday 22 March 2006 18:19, Tim Alsop wrote: > > >>Alternatively, you can use one of the many tools available that replace >>the need for ktpass, and use computer accounts for key storage. These >>tools do not suffer from the same issues as ktpass. > > > What are that tools? > Can you send searchkeywords or pointers so I can find and use them? Google for msktutil which will get you to http://www.pppl.gov/~dperry/mskturil-0.3.16.tar.gz We are using this. Goolge for netjoin This is an update of the MS netjoin. Samba has some tools, but adds too many principal in many cases. Something else that can be very helpfull is to use the Windows mmc with the ADSI edit to lok at the registry. You can look at the account that was created, and look at the KVNO as the ms-DS-KeyVersionNumber. Other interesting fields are the userPrincipalName, and servicePrincipalName. Keep in mind that the Windows has a single password that is used to generate the keys on the fly for each of the principals (userPrincipalName and servicePrincipalName) asociated with the account. Kerberos uses a seperate key for each principal created when the kettrab is created. So if you change the password on the account, you have to change the keys in the keytab at the same time for all the principal assiciated with that account. Msktutil tries to do this for your. > > Thank you, > Achim > ________________________________________________ > Kerberos mailing list Kerberos@mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > > -- Douglas E. Engert <DEEngert@anl.gov> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
deengert