[35925] in Kerberos

Re: Client keytab ignored

daemon@ATHENA.MIT.EDU (Michael-O)
Wed Mar 26 18:54:50 2014

Message-ID: <533359CC.2020400@gmx.net>
Date: Wed, 26 Mar 2014 23:50:52 +0100
From: Michael-O <1983-01-06@gmx.net>
MIME-Version: 1.0
To: steve@steve-ss.com
In-Reply-To: <1395855572.3968.2.camel@hh16.hh3.site>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

> On Wed, 2014-03-26 at 17:34 +0100, Michael-O wrote:
>> Hi,
>>
>> I am trying to obtain a service ticket with a client keytab for my account.
>> Unfortunately it fails. I wanted to narrow this down and tried to perform the
>> very same operation with
>> $ kinit -k -t my.keytab
>> and it says kinit: Keytab contains no suitable keys for host/fqdn@REALM while
>> getting initial credentials.
>>
>> The question is, why does it completely ignore my keytab and try the
>> default one in /etc?
>
>
> It isn't, is it? Does your keytab have the host key? It is not only you
> who must authenticate, but also the machine upon which you are working.

Hi Steve,

you're right, it does *not* use the default keytab but it uses the 
default machine principal. The extra keytab I am using is a functional 
account in our Active Directory, it is not a machine account, nor a 
human one.

The machine has already joined the domain, why does it need to 
reauthenticate?

Thanks,

Michael
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
