[30259] in Kerberos

Re: pamkrbval: KDC policy rejects request for this entry

daemon@ATHENA.MIT.EDU (ricurtis@gmail.com)
Fri Aug 29 16:28:46 2008

From: ricurtis@gmail.com
Date: Fri, 29 Aug 2008 03:39:59 -0700 (PDT)
Message-ID: <5239109a-54e0-4d4c-ae5f-3352d5711e16@c65g2000hsa.googlegroups.com>
Mime-Version: 1.0
X-Complaints-To: groups-abuse@google.com
Complaints-To: groups-abuse@google.com
To: kerberos@mit.edu
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

I am making some progress with this and no longer believe it to be a
Kerberos issue (not directly).

Our Windows admins have enabled enhanced logging of the KDC service in
Windows, and now instead of just a straight "0xC: KDC Policy rejects
this request", we still get the 0xC error, but we get enhanced info
stating "NT Status: STATUS_INVALID_WORKSTATION (0xc0000070)".

If anyone wants to know the registry keys changed to get this logging,
it was HKLM\SYSTEM\CurrentControlSet\Services\KDC, then kdcdebuglevel
(DWORD, value=0x10000000) and kdcextraloglevel (DWORD, 0x00000004).

It looks as though the request is being rejected because AD expects to
find some form of workstation entry for this host.  I thought the
ktpass side should cater for this, but obviously I am wrong.

I will continue to investigate this with our Windows admins and will
post back if I fix it.

On 27 Aug, 20:49, Tom Yu <t...@MIT.EDU> wrote:
> "Richard Curtis" <ricur...@gmail.com> writes:
> > Hi,
> >   I am trying to get an HPUX 11i box to authenticate against our
> > active directory (Windows 2003r2) domain with kerberos but I am
> > getting nowhere fast.
>
> > As per the docs I have, I have created a user account in active
> > directory, then used "ktpass -princ
> > host/unix_client.domain.host....@DOMAIN.HOST.COM -mapuser unix_lient
> > -pass <pass> -out c:\krb5.keytab"
> > The keytab looks fine when I used ktutil, but I cannot do a kinit... I
> > keep getting "KDC policy rejects request for this entry"
>
> It may be that the AD server is forbidding the use of the
> "host/unix_client.domain.host.com" principal as a client principal.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
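The registry change and the NT status quoted in the post above, turned into a diagnostic script. This is an added example, not code from the thread or from MIT Kerberos: it sets the two KDC registry values exactly as the post lists them (recording the previous values first so they can be reverted), pulls recent KDC events that mention the reported status, and then checks the workstation restriction on the account that ktpass mapped the host principal to. STATUS_INVALID_WORKSTATION (0xC0000070) is the status ntstatus.h documents for a logon refused by the account's "Log On To" workstation restriction, which is stored in the AD attribute userWorkstations, so that attribute is the first thing to rule in or out. Assumptions: the script runs elevated on the domain controller, the KDC writes to the System log under the source name "KDC", the RSAT ActiveDirectory module is installed, and 'unix_client' is a placeholder for the real mapped account name from the ktpass -mapuser argument.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the DC.
$kdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\KDC'

# Values and data exactly as given in the post.
$settings = [ordered]@{
    kdcdebuglevel    = 0x10000000
    kdcextraloglevel = 0x00000004
}

# Record the current state so the change can be reverted after troubleshooting.
$before = Get-ItemProperty -Path $kdcKey -ErrorAction SilentlyContinue
foreach ($name in $settings.Keys) {
    $old = if ($before -and $before.PSObject.Properties[$name]) {
        '0x{0:X8}' -f [int]$before.$name
    } else {
        '<absent>'
    }
    Write-Host ('{0}: {1} -> 0x{2:X8}' -f $name, $old, $settings[$name])
    Set-ItemProperty -Path $kdcKey -Name $name -Value $settings[$name] -Type DWord
}

# Look for KDC events from the last hour that carry the status the post reported.
# Provider name 'KDC' and the System log are assumptions; adjust for your DC.
$filter = @{ LogName = 'System'; ProviderName = 'KDC'; StartTime = (Get-Date).AddHours(-1) }
$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'STATUS_INVALID_WORKSTATION|0xc0000070' }
if ($hits) {
    $hits | Select-Object TimeCreated, Id, Message | Format-List
} else {
    Write-Host 'No KDC events mentioning STATUS_INVALID_WORKSTATION in the last hour.'
}

# STATUS_INVALID_WORKSTATION is the status for a logon refused by the account's
# "Log On To" restriction (AD attribute userWorkstations). Check the account that
# ktpass -mapuser pointed the host principal at. 'unix_client' is a placeholder.
Import-Module ActiveDirectory
$acct = Get-ADUser -Identity 'unix_client' -Properties userWorkstations, servicePrincipalName
if ([string]::IsNullOrEmpty($acct.userWorkstations)) {
    Write-Host 'userWorkstations is empty: no workstation restriction on this account.'
} else {
    Write-Host "userWorkstations restricts logon to: $($acct.userWorkstations)"
}
Write-Host 'SPNs registered on the mapped account:'
$acct.servicePrincipalName
```

The 'Log On To' list only matters if it is non-empty; an empty userWorkstations means any workstation is allowed, in which case the rejection has another cause and the KDC event text is the next thing to read. Revert the two registry values to what the script printed as their old state once the investigation is over, since the extra logging is verbose.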
