[32337] in Kerberos


RE: Kerberos AS-REQ

daemon@ATHENA.MIT.EDU (Yang Li)
Fri May 14 13:24:53 2010

Message-ID: <BLU133-DS1768AE625CF39EAC5AF5EFCEFD0@phx.gbl>
From: "Yang Li" <sharepointlink@hotmail.com>
To: "'mark'" <mark@mproehl.net>, <kerberos@mit.edu>
In-Reply-To: <4BED69D3.9020802@mproehl.net>
Date: Fri, 14 May 2010 13:24:37 -0400
MIME-Version: 1.0
Content-Language: en-us
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Thanks Mark!

I didn't realize it is case-sensitive, but I tried with HTTP and got the same error.

One follow-up question: in our environment we have multiple KDCs. Is there a
way to specify which KDC kvno or kinit connects to? The odd thing is,
although I can't get the HTTP service ticket with kinit or kvno, the browser (IE)
can get it when making an HTTP request (verified by using klist after browsing
in IE), but IE hits a different KDC. So I want a way to force them to hit
the same KDC. Any suggestions?

Thanks, -Yang

-----Original Message-----
From: mark [mailto:mark@mproehl.net]
Sent: Friday, May 14, 2010 11:19 AM
To: kerberos@mit.edu; sharepointlink@hotmail.com
Subject: Re: Kerberos AS-REQ

Hi,

you can get tickets for any service principal by sending an AS-REQ with
kinit. By default kinit requests TGTs (i.e. service tickets for
krbtgt/REALM@REALM). -S overrides this behaviour. So
"kinit -S HTTP/server.domain@REALM"
should just get you an initial service ticket for the HTTP service on
server.domain instead of a TGT.

If you just want to check if the KDC can issue service tickets for
HTTP/server.domain by TGS-REQ, you can use "kvno HTTP/server.domain"
after doing a kinit.

I wonder why the server name in your Wireshark capture is written lowercase
(http/server.domain instead of HTTP/server.domain). Could that be the
reason for the PRINCIPAL_UNKNOWN error?

Regards,

Mark Pröhl

On 05/14/2010 04:38 PM, Yang Li wrote:
> When I run kinit -S HTTP/server.domain, the KDC returns with a
> PRINCIPAL_UNKNOWN error.
>
> From Wireshark, I can see the client makes a (KRB5) AS-REQ to the KDC, but its
> KDC_REQ_BODY has the server name (principal) as http/server.domain. Is this
> the right behavior? Should the client send krbtgt/domain in its request to the
> KDC instead? My understanding is that the purpose of AS-REQ is only to get a
> TGT. Can someone help me understand this?
>
> Thanks, -Yang
>
> -----Original Message-----
> From: Tom Parker [mailto:tparker@cbnco.com]
> Sent: Wednesday, May 12, 2010 1:40 PM
> To: Yang Li
> Cc: 'Russ Allbery'; kerberos@mit.edu
> Subject: Re: error message after kdestroy
>
> klist should always fail after a kdestroy
>
> kinit should work fine to get you a new TGT
>
> On 05/12/2010 01:32 PM, Yang Li wrote:
>> Thanks Russ for your response.
>>
>> What puzzles me is that this behavior is not consistent. Most of the time,
>> after kdestroy, either klist or kinit can still get the TGT ticket, but I did
>> get the error message sometimes after kdestroy. Is that odd?
>>
>> Thanks, -Yang
>>
>> -----Original Message-----
>> From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf
>> Of Russ Allbery
>> Sent: Wednesday, May 12, 2010 12:43 PM
>> To: kerberos@mit.edu
>> Subject: Re: error message after kdestroy
>>
>> "Yang Li" <sharepointlink@hotmail.com> writes:
>>
>>> After the kdestroy command, I get the following error message on any other
>>> commands such as klist or kinit. Any idea?
>>>
>>> No credentials cache found while getting default ccache
>>
>> Well... yes.  kdestroy destroys the credential cache, so the other
>> commands now no longer have a credential cache to work with.  That's the
>> whole point of kdestroy.
>>
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
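Mark's point in the thread is that Kerberos principal names are case-sensitive, so a ticket for http/server.domain is not a ticket for HTTP/server.domain. The following is an added example, not code from the thread: it parses klist output (a constructed sample, including the lowercase principal Mark suspects in the Wireshark capture) and reports whether the wanted service ticket is present, missing, or present only under a case-mismatched name. The cache path, realm and principal names are made-up sample values.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of MIT klist output (not from the thread). The service
# ticket here was requested as "http/server.domain" in lowercase.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: yang@EXAMPLE.COM

Valid starting       Expires              Service principal
05/14/2010 13:00:00  05/14/2010 23:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
05/14/2010 13:05:00  05/14/2010 23:00:00  http/server.domain@EXAMPLE.COM
"""

# One ticket line: "valid starting", "expires", then the service principal.
TICKET_RE = re.compile(
    r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\s+"
    r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\s+(\S+)$",
    re.MULTILINE,
)


def service_principals(klist_output: str) -> List[str]:
    """Return the service principal of every ticket line in klist output."""
    return TICKET_RE.findall(klist_output)


def check_ticket(klist_output: str, wanted: str) -> Tuple[str, Optional[str]]:
    """Classify the cache with respect to the wanted service principal.

    Returns ("ok", name) on an exact match, ("case-mismatch", name) when a
    ticket exists only under a name that differs by case (a different
    principal to the KDC), and ("missing", None) otherwise.
    """
    names = service_principals(klist_output)
    if wanted in names:          # exact, case-sensitive match as Kerberos sees it
        return "ok", wanted
    for name in names:           # diagnose the HTTP/ vs http/ mistake
        if name.lower() == wanted.lower():
            return "case-mismatch", name
    return "missing", None


if __name__ == "__main__":
    wanted = "HTTP/server.domain@EXAMPLE.COM"
    status, found = check_ticket(SAMPLE_KLIST, wanted)
    print(f"{wanted}: {status}" + (f" (cache has {found})" if found else ""))
```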