[31425] in Kerberos
Re: msktutil problem with Windows 2008
daemon@ATHENA.MIT.EDU (Markus Moeller)
Sat Aug 29 08:02:11 2009
To: kerberos@mit.edu
From: "Markus Moeller" <huaraz@moeller.plus.com>
Date: Sat, 29 Aug 2009 12:47:44 +0100
Message-ID: <h7b5a5$tb0$1@ger.gmane.org>
In-Reply-To: <CF5A795E7B16440FA314ED54D5645C0B@VAIOLaptop>
I was too quick. I get it to work with host/fqdn (e.g. kinit -kt
/etc/krb5.keytab host/centos.dom.local) but not with HTTP/fqdn. I use
AES-256 CTS mode with 96-bit SHA-1 HMAC.

klist -ekt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 08/29/09 20:54:49 host/centos.dom.local@DOM.LOCAL (ArcFour with HMAC/md5)
   3 08/29/09 20:54:49 host/centos.dom.local@DOM.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   3 08/29/09 20:54:49 host/centos.dom.local@DOM.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)

klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/centos.dom.local@DOM.LOCAL

Valid starting     Expires            Service principal
08/29/09 21:48:32  08/30/09 07:47:42  krbtgt/DOM.LOCAL@DOM.LOCAL
        renew until 08/30/09 21:48:32, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC

klist -ekt /etc/HTTP.keytab
Keytab name: FILE:/opt/squid-3.0/etc/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 08/29/09 21:39:35 HTTP/centos.dom.local@DOM.LOCAL (ArcFour with HMAC/md5)
   2 08/29/09 21:39:35 HTTP/centos.dom.local@DOM.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 08/29/09 21:39:35 HTTP/centos.dom.local@DOM.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)

kinit -kt /etc/HTTP.keytab HTTP/centos.dom.local
kinit(v5): Preauthentication failed while getting initial credentials

Markus

"Markus Moeller" <huaraz@moeller.plus.com> wrote in message
news:CF5A795E7B16440FA314ED54D5645C0B@VAIOLaptop...
> Wolf-Agathon,
>
> I did export the keytab, but I found out the Hotfix 951191 was not
> installed on the 2008 DC.
>
> Markus
>
> ----- Original Message -----
> From: "Wolf-Agathon Schaly" <schaly_wolf-agathon@arcor.de>
> To: <huaraz@moeller.plus.com>; <kerberos@mit.edu>
> Sent: Saturday, August 29, 2009 11:27 AM
> Subject: **SPAM ZEN 91.53.127.108** Aw: msktutil problem with Windows 2008
>
>
>> Howdy Markus
>>
>> Sounds to me that you're trying to use a keytab without exporting the key
>> to your keytab file test.keytab
>>
>> Am I right?
>>
>> cheers
>> Wolf-Agathon
>>
>>
>> ----- Original Message ----
>> From: Markus Moeller <huaraz@moeller.plus.com>
>> To: kerberos@mit.edu
>> Date: 29.08.2009 00:07
>> Subject: msktutil problem with Windows 2008
>>
>>> I use the latest msktutil (0.3.16-7) and can add an entry to Windows
>>> 2008, but when I run kinit -kt test.keytab HTTP/fqdn I get
>>> KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. Is there a setting in 2008 which needs
>>> to be changed?
>>>
>>> Thank you
>>> Markus
>>>
>>>
>>> ________________________________________________
>>> Kerberos mailing list Kerberos@mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>