[28975] in Kerberos


Re: GSSAPI on Linux using Windows AD Servers as KDCs - Errors about

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Mon Jan 7 10:56:45 2008

Message-ID: <47824B51.1080603@anl.gov>
Date: Mon, 07 Jan 2008 09:54:57 -0600
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: "Jason D. McCormick" <jason@devrandom.org>
In-Reply-To: <4781A4F9.1050805@devrandom.org>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu



Jason D. McCormick wrote:
> Douglas E. Engert wrote:
> 
>> Richard Silverman asked how did you add the principals to AD?
>> If you used the same AD account for both principals, they will use the
>> same password to generate the key, and will use the same kvno.
>>
>> Thus your first problem might be that the kvno is not found in the keytab.
> 
> The keys are both kvno=3 on the AD-side and in the client's keytab.
> 
>> Are 55 and 59 the length of the message as seen by strace or an error code?
> 
> Oh.... yeah. :)
> 
>> I assume you ran the gss-server as root, so it could access /etc/krb5.keytab
> 
> Yes.  Strace shows the gss-server process being able to open the keytab
> file.
> 
>> The use of a single AD account for two principals with the same password
>> is a difference.
> 
> Each Kerberos keytab entry has a 1:1 match with an AD user.  Or are you
> pointing out I'm supposed to be doing something different?


No. Just making sure you did not fall into the trap of using the same account
for two principals.

> 
> Thanks.
> 
> - Jason
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
