[32384] in Kerberos

Loading host service principal from /etc/krb5.keytab?

daemon@ATHENA.MIT.EDU (Lars Kellogg-Stedman)
Mon May 24 22:04:42 2010

Date: Mon, 24 May 2010 22:04:33 -0400
Message-ID: <AANLkTili-s7ob_-cb7MCUww61Y1LreOp8-J_6Ag0F5WL@mail.gmail.com>
From: Lars Kellogg-Stedman <lars@oddbit.com>
To: kerberos@mit.edu

Hello all,

Should it be possible to load the host service principal from
/etc/krb5.keytab for the purpose of authenticating against an Active
Directory server?  That is, should I expect this to work?

  kinit -k host/buildmaster.example.com@EXAMPLE.COM

I invariably receive the following error message:

  kinit(v5): Client not found in Kerberos database while getting initial credentials

Everything else seems to be working fine (I can kinit as a user, and
those credentials are accepted for access to the server).  The
specified principal is listed by 'klist -k':

KVNO Principal
---- --------------------------------------------------------------------------
   2 host/buildmaster.example.com@EXAMPLE.COM
   2 host/buildmaster.example.com@EXAMPLE.COM
   2 host/buildmaster.example.com@EXAMPLE.COM
   2 host/buildmaster@EXAMPLE.COM
   2 host/buildmaster@EXAMPLE.COM
   2 host/buildmaster@EXAMPLE.COM
   2 BUILDMASTER$@EXAMPLE.COM
   2 BUILDMASTER$@EXAMPLE.COM
   2 BUILDMASTER$@EXAMPLE.COM

The error message suggests to me some sort of hostname mismatch
somewhere, but DNS (forward and reverse), the system hostname, and the
servicePrincipalNames in AD are all consistent.

The goal here is to be able to bind to an AD server using the stored
host principal (rather than using shared credentials in
/etc/ldap.conf, which seems to be the most common alternative to
anonymous binds).

Thanks for your help!
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
