[29687] in Kerberos


Re: Can kinit but not kvno

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Thu Apr 17 10:46:07 2008

Message-ID: <480753F7.5090206@anl.gov>
Date: Thu, 17 Apr 2008 08:43:19 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
To: John Gilbertson <jgilbert@liv.ac.uk>
In-Reply-To: <fu7crg$m7f$1@news.liv.ac.uk>
Cc: kerberos@mit.edu



John Gilbertson wrote:
> Hi, I'm trying to set up MIT Kerberos so that we can authenticate 
> against an Active Directory service (Windows Server 2003 I believe) and 
> most things seem to be working, I just can't get kvno to work or keytab 
> files (Probably because of the kvno issue)
...
> 
> So as you can see everything seems to work fine, I just can't use kvno. 
> What things should I be looking at to try to fix this? Could it be a 
> setting on the AD end denying such requests?
> 


kvno is requesting a service ticket. But user accounts in AD don't
normally have a servicePrincipalName attribute.

kvno should work for actual service principals like:

     kvno host/livad.liv.ac.uk

Why do you need to use kvno with a user account?

If you need to know the kvno for the user, you can use LDAP or ADSI Edit
and search for the user and read the msDS-KeyVersionNumber attribute.

You might be able to add a servicePrincipalName to the user account if
you really need to get a service ticket for the user.


-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
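
An added example, not part of the original message: a short Python parser for LDIF search output that reads msDS-KeyVersionNumber and servicePrincipalName for each account, which is the LDAP lookup suggested in the reply. The domain, account names, LDIF text and the ldapsearch invocation in the comment are constructed placeholders.

```python
import base64

# Constructed sample LDIF (assumption: output shaped like that of a query such as
#   ldapsearch -Y GSSAPI -H ldap://dc.example.test -b "dc=example,dc=test" \
#     "(objectClass=user)" msDS-KeyVersionNumber servicePrincipalName ).
_B64_SPN = base64.b64encode(b"host/www.example.test").decode()
SAMPLE_LDIF = (
    "# extended LDIF\n"
    "dn: CN=Jane Doe,CN=Users,DC=example,DC=test\n"
    "msDS-KeyVersionNumber: 4\n"
    "\n"
    "dn: CN=websvc,CN=Users,\n"
    " DC=example,DC=test\n"                      # folded line (leading space)
    "msDS-KeyVersionNumber: 7\n"
    "servicePrincipalName: HTTP/www.example.test\n"
    f"servicePrincipalName:: {_B64_SPN}\n"       # base64-encoded value
    "\n"
    "search: 2\n"
    "result: 0 Success\n"
)

def parse_ldif(text):
    """Return entries as dicts of lower-cased attribute name -> list of values."""
    entries, current = [], {}
    # Unfold first: a line starting with one space continues the previous line.
    for line in text.replace("\r\n", "\n").replace("\n ", "").split("\n") + [""]:
        if not line.strip():                     # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):                 # LDIF comment
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):                 # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr.lower(), []).append(value)
    return entries

def summarize(entries):
    """Per account DN: key version number and any registered SPNs."""
    out = {}
    for e in entries:
        if "dn" not in e:                        # skip the search/result trailer
            continue
        kvno = e.get("msds-keyversionnumber")
        spns = e.get("serviceprincipalname", [])
        out[e["dn"][0]] = {"kvno": int(kvno[0]) if kvno else None,
                           "spns": spns, "has_spn": bool(spns)}
    return out
```

An account whose `has_spn` is false is the case described in the reply, where the user account has no servicePrincipalName to request a service ticket for.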