[24147] in Kerberos


Can't make the keytab work

daemon@ATHENA.MIT.EDU (Stian Selnes)
Mon Jun 27 12:44:08 2005

Message-ID: <4afa869805062709423dbeb96f@mail.gmail.com>
Date: Mon, 27 Jun 2005 18:42:32 +0200
From: Stian Selnes <stianse@gmail.com>
To: kerberos@mit.edu

Hi,

I'm trying to log on using Kerberos and telnet between two Linux
machines. The host has address asterisk.tsip.lab. I'm using Microsoft
Live Communication Server 2005 as KDC. The problem is this (I followed
the steps at this site:
http://www.cromwell-intl.com/unix/kerberos.html ):

I let ktpass.exe generate a keytab for me:
ktpass -princ host/xxx.yyy.com@YYY.COM -mapuser xxx.yyy.com -pass zzz -out temp.keytab

I transferred this keytab over to the host and used ktutil to add the
keytab to the file /etc/krb5.keytab. It seems to me like this process
has worked because when I now use ktutil I get:

# ktutil:  rkt /etc/krb5.keytab
# ktutil:  l -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3          host/xxx.yyy.com@YYY.COM (DES cbc mode with RSA-MD5)

And here comes the problem. When I type:

# kinit -5 -k -t /etc/krb5.keytab xxx.yyy.com

to verify that I can get credentials using the keytab, nothing
happens. Well, actually, I can see from Ethereal that I'm sending an
AS-REQ to KDC, and get a KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED in
return. And then nothing happens. Not even an error message.

If I try to get a credential not using the keytab:

# kinit xxx.yyy.com
Password for xxx.yyy.com@YYY.COM:

everything works fine, and I can use Kerberos and telnet from the
second computer to log on to xxx.yyy.com. Therefore, it must be
something wrong with the keytab or the way I'm trying to verify it?
Anybody got some tips, please?

Here's my krb5.conf file:

[libdefaults]
 default_realm = YYY.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 default_tkt_enctypes = des-cbc-md5
 default_tgs_enctypes = des-cbc-md5

[realms]
 YYY.COM = {
  kdc = lcs2005.yyy.com:88
  kpasswd_server = lcs2005.yyy.com:464
 }

[domain_realm]
 .yyy.com = YYY.COM
 yyy.com = YYY.COM

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
