Re: msktutil problem with Windows 2008
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Mon Aug 31 10:49:56 2009
Message-ID: <4A9BE2A5.2010002@anl.gov>
Date: Mon, 31 Aug 2009 09:48:05 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Markus Moeller <huaraz@moeller.plus.com>
In-Reply-To: <h79kfj$u2g$1@ger.gmane.org>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Markus Moeller wrote:
> I use the latest msktutil (0.3.16-7) and can add an entry to Windows 2008,
> but when I run kinit -kt test.keytab HTTP/fqdn I get
> KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. Is there a setting in 2008 which needs to be
> changed?
I think AD will search for the UPN of HTTP/fqdn when a TGT is requested
by kinit.
Do you have any output from msktutil, or any dump of the
AD entry? The UPN and SPNs would be helpful.
It could be that the UPN of the account is host/fqdn@realm,
with SPNs of host/fqdn and HTTP/fqdn. When you ran
msktutil what options did you use?
Is the UPN HTTP/fqdn@realm?
Did you use the --upn HTTP/fqdn option?
Since AD will let an account have one UPN, with multiple SPNs
deriving the keys from the same password, msktutil will assume
multiple principals in a keytab are for the same account.
We always have one principal per account with separate keytabs,
and use the --upn service/fqdn option too.
>
> Thank you
> Markus
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
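As an added example, not part of the message above and not code from msktutil: a small Python check that compares the principals found in a keytab with an AD account's userPrincipalName and servicePrincipalName values, to show which keytab entry a kinit -kt can actually authenticate as (the one matching the UPN) and which entries AD knows only as SPNs. The klist output, the two LDIF records (one as msktutil creates the account by default, one as it looks after --upn HTTP/fqdn), the realm and the host names are all constructed for the example; the helper names are this example's own.

```python
"""Cross-check keytab principals against an AD account's UPN and SPNs.

All inputs below are constructed stand-ins for `klist -kt test.keytab`
output and an LDAP dump of the account; nothing is read from a live AD.
"""
import re

REALM = "EXAMPLE.COM"  # assumption: the AD domain's Kerberos realm

# Constructed stand-in for `klist -kt test.keytab`
KLIST_OUTPUT = """\
Keytab name: FILE:test.keytab
KVNO Timestamp         Principal
---- ----------------- -------------------------------------------------
   2 08/31/09 10:00:00 host/web1.example.com@EXAMPLE.COM
   2 08/31/09 10:00:00 HTTP/web1.example.com@EXAMPLE.COM
"""

# Constructed LDIF: account as created with no --upn option
LDIF_DEFAULT_UPN = """\
dn: CN=web1,CN=Computers,DC=example,DC=com
sAMAccountName: web1$
userPrincipalName: host/web1.example.com@EXAMPLE.COM
servicePrincipalName: host/web1.example.com
servicePrincipalName: HTTP/web1.example.com
"""

# Constructed LDIF: same account after `msktutil --upn HTTP/web1.example.com`
LDIF_HTTP_UPN = LDIF_DEFAULT_UPN.replace(
    "userPrincipalName: host/", "userPrincipalName: HTTP/")


def keytab_principals(klist_text):
    """Principal names from klist -kt data rows (KVNO, date, time, principal)."""
    rows = []
    for line in klist_text.splitlines():
        m = re.match(r"\s*\d+\s+\S+\s+\S+\s+(\S+)\s*$", line)
        if m:
            rows.append(m.group(1))
    return rows


def ad_account(ldif_text):
    """Return (userPrincipalName, set of servicePrincipalName) from an LDIF record."""
    upn, spns = None, set()
    for line in ldif_text.splitlines():
        if line.startswith("userPrincipalName:"):
            upn = line.split(":", 1)[1].strip()
        elif line.startswith("servicePrincipalName:"):
            spns.add(line.split(":", 1)[1].strip())
    return upn, spns


def qualify(name, realm):
    """Attach the realm to an unqualified SPN so both sides compare alike."""
    return name if "@" in name else f"{name}@{realm}"


def classify(klist_text, ldif_text, realm=REALM):
    """Map each keytab principal to how AD can use it.

    'upn'     matches the account's UPN: kinit -kt with this name gets a TGT
    'spn'     registered only as an SPN: the key decrypts service tickets,
              but kinit as this name fails because AD finds no such client
    'unknown' not on the account at all
    AD matches names case-insensitively, so the comparison is lower-cased.
    """
    upn, spns = ad_account(ldif_text)
    upn_q = qualify(upn, realm).lower() if upn else None
    spn_q = {qualify(s, realm).lower() for s in spns}
    result = {}
    for p in keytab_principals(klist_text):
        pq = qualify(p, realm).lower()
        if pq == upn_q:
            result[p] = "upn"
        elif pq in spn_q:
            result[p] = "spn"
        else:
            result[p] = "unknown"
    return result


def kinit_candidates(klist_text, ldif_text, realm=REALM):
    """Keytab principals that kinit -kt can authenticate as against this account."""
    return [p for p, k in classify(klist_text, ldif_text, realm).items() if k == "upn"]


if __name__ == "__main__":
    for label, ldif in (("default UPN", LDIF_DEFAULT_UPN), ("--upn HTTP", LDIF_HTTP_UPN)):
        print(f"== {label} ==")
        for p, kind in classify(KLIST_OUTPUT, ldif).items():
            print(f"  {p:40} {kind}")
```

Against a real account, feed it the output of `klist -kt <keytab>` and an LDAP dump of the account (for example from ldapsearch) in place of the constructed strings; an entry reported as "spn" is exactly the case where a kinit with that name fails while the same key still serves incoming service tickets.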