[31692] in Kerberos

Re: ktpass fails to create a service principal (win 2000 server SP4)

daemon@ATHENA.MIT.EDU (Julien Montmartin)
Thu Nov 12 13:24:22 2009

MIME-Version: 1.0
In-Reply-To: <4AF9A222.8060500@anl.gov>
Date: Thu, 12 Nov 2009 19:23:47 +0100
Message-ID: <a27fd8fe0911121023n6f19ce2aida1299e94514b766@mail.gmail.com>
From: Julien Montmartin <jmontmartin@gmail.com>
To: "Douglas E. Engert" <deengert@anl.gov>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

2009/11/10 Douglas E. Engert <deengert@anl.gov>

>
> Julien Montmartin wrote:
>
>> Hi List,
>>
>> I'm working on a kerberized application server and I have some trouble
>> when I try to generate the keytab with ktpass... Although everything
>> works nicely for demo in the lab, it fails in the real world!
>>
>> Here is the command I use (Windows 2000 Server SP4):
>>
>> ktpass -ptype KRB5_NT_PRINCIPAL -princ HTTP/myComputer.private.myCompagnie.com@PRIVATE.MYCOMPAGNIE.COM -mapuser testUser@private.myCompagnie.com -pass xyz -out C:\temp\keytab
>>
>
> -mapuser testUser
>
>
Thanks Douglas, now I get my keytab... But now gss_acquire_cred() fails with
the error: "No principal in keytab matches desired name". This is the kind of
code I use:

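#include <string.h>
#include <gssapi/gssapi.h>

// MS (major status), ms (minor status) and fCredentials are declared elsewhere
gss_buffer_desc tmpTok=GSS_C_EMPTY_BUFFER;

tmpTok.value=(void *)"HTTP@myComputer.private.myCompagnie.com";
//tmpTok.value="HTTP@myComputer" -> Doesn't work either
tmpTok.length=strlen((const char *)tmpTok.value); // GSS_C_EMPTY_BUFFER leaves length at 0

gss_name_t srvName=GSS_C_NO_NAME;

// Import "service@host" as a host-based service name
MS=gss_import_name(&ms, &tmpTok, (gss_OID) GSS_C_NT_HOSTBASED_SERVICE,
&srvName);

// Acquire acceptor credentials for that name from the keytab
MS=gss_acquire_cred(&ms, srvName, GSS_C_INDEFINITE, GSS_C_NO_OID_SET,
GSS_C_ACCEPT, &fCredentials, NULL, NULL);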

Well, once again, this code works in the lab so I guess it's not totally
wrong... How can I know the "desired name" the library is looking for? When
I generate my keytab, ktpass said "vno = 1" but when I check it on the
server with kvno it says:

"HTTP/myComputer.private.myCompagnie.com@PRIVATE.MYCOMPAGNIE.COM: kvno = 0".

Isn't it wrong? I've also tried with kinit:

kinit -k -t C:\keytab HTTP/myComputer.private.myCompagnie.com@PRIVATE.MYCOMPAGNIE.COM

It says nothing, but doesn't fail... Any idea?
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
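
One way to see which principal name and key version number a keytab really holds, for comparison with the name an acceptor asks for (an added example, not part of the original message and not MIT Kerberos code). It assumes the MIT keytab file format 0x0502 and an exact, case-sensitive name match; the sample bytes and dummy key are constructed, and keytab_kvno, cstr, RD16 and RD32 are names chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample keytab (format 0x0502): one entry, dummy all-zero key. */
static const unsigned char SAMPLE[] =
    "\x05\x02" "\x00\x00\x00\x5a" "\x00\x02" "\x00\x17" "PRIVATE.MYCOMPAGNIE.COM"
    "\x00\x04" "HTTP" "\x00\x22" "myComputer.private.myCompagnie.com"
    "\x00\x00\x00\x01" "\x00\x00\x00\x00" "\x01"   /* name type, time, kvno */
    "\x00\x03" "\x00\x08" "\x00\x00\x00\x00\x00\x00\x00\x00";  /* key */
#define RD16(p) ((size_t)((p)[0] << 8 | (p)[1]))          /* big-endian reads */
#define RD32(p) ((uint32_t)RD16(p) << 16 | (uint32_t)RD16((p) + 2))
/* Read a 16-bit counted string inside [*p, end); returns 0 on overrun. */
static int cstr(const unsigned char **p, const unsigned char *end,
                const unsigned char **s, size_t *n) {
    if (end - *p < 2 || (size_t)(end - *p - 2) < (*n = RD16(*p))) return 0;
    *s = *p + 2; *p += 2 + *n;
    return 1;
}

/* kvno of the entry matching `want` byte for byte; -1 none, -2 malformed. */
int keytab_kvno(const unsigned char *kt, size_t len, const char *want) {
    size_t off = 2;
    if (len < 2 || kt[0] != 5 || kt[1] != 2) return -2;
    while (len - off >= 4) {
        uint32_t raw = RD32(kt + off), hole = raw & 0x80000000u;
        size_t size = hole ? 0u - raw : raw, rlen, n, w = 0;
        const unsigned char *p = kt + off + 4, *end = p, *realm, *s;
        char name[512];
        if (size > len - off - 4 || (!hole && size < 2)) return -2;
        end += size; off += 4 + size;
        if (hole) continue;                       /* deleted entry: skip */
        unsigned ncomp = RD16(p); p += 2;
        if (!cstr(&p, end, &realm, &rlen) || rlen + 2 > sizeof name) return -2;
        for (unsigned i = 0; i < ncomp; i++) {    /* join components with '/' */
            if (!cstr(&p, end, &s, &n) || w + n + rlen + 3 > sizeof name) return -2;
            if (i) name[w++] = '/';
            memcpy(name + w, s, n); w += n;
        }
        name[w++] = '@'; memcpy(name + w, realm, rlen); name[w + rlen] = 0;
        if (end - p < 13 || (size_t)(end - p - 13) < (n = RD16(p + 11))) return -2;
        int kvno = p[8]; p += 13 + n;             /* p[8] is the 8-bit kvno */
        if (end - p >= 4 && RD32(p)) kvno = (int)RD32(p);  /* 32-bit kvno */
        if (strcmp(name, want) == 0) return kvno;
    }
    return -1;
}
int main(void) {   /* prints kvno=1; a name differing only in case gives -1 */
    const char *w = "HTTP/myComputer.private.myCompagnie.com@PRIVATE.MYCOMPAGNIE.COM";
    return printf("kvno=%d\n", keytab_kvno(SAMPLE, sizeof SAMPLE - 1, w)) < 0;
}
```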