[28971] in Kerberos
Re: GSSAPI on Linux using Windows AD Servers as KDCs - Errors about
daemon@ATHENA.MIT.EDU (Jason D. McCormick)
Sun Jan 6 23:05:36 2008
Message-ID: <4781A4F9.1050805@devrandom.org>
Date: Sun, 06 Jan 2008 23:05:13 -0500
From: "Jason D. McCormick" <jason@devrandom.org>
To: "Douglas E. Engert" <deengert@anl.gov>
In-Reply-To: <477E4C1A.6030105@anl.gov>
Cc: kerberos@mit.edu
Douglas E. Engert wrote:
> Richard Silverman asked how did you add the principals to AD?
> If you used the same AD account for both principals, they will use the
> same password to generate the key, and will use the same kvno.
>
> Thus your first problem might be the kvno is not found in the keytab.
The keys are both kvno=3 on the AD-side and in the client's keytab.
> Are 55 and 59 the length of the message as seen by strace or an error code?
Oh.... yeah. :)
> I assume you ran the gss-server as root, so it could access /etc/krb5.keytab
Yes. Strace shows the gss-server process being able to open the keytab
file.
> The use of a single AD account for two principals with the same password
> is a difference.
Each Kerberos keytab entry has a 1:1 match with an AD user. Or are you
pointing out I'm supposed to be doing something different?
Thanks.
- Jason
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos