[35926] in Kerberos
Re: Client keytab ignored
daemon@ATHENA.MIT.EDU (steve)
Wed Mar 26 19:35:34 2014
Message-ID: <1395876910.11355.10.camel@hh16.hh3.site>
From: steve <steve@steve-ss.com>
To: Michael-O <1983-01-06@gmx.net>
Date: Thu, 27 Mar 2014 00:35:10 +0100
In-Reply-To: <533359CC.2020400@gmx.net>
Mime-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Wed, 2014-03-26 at 23:50 +0100, Michael-O wrote:
> > On Wed, 2014-03-26 at 17:34 +0100, Michael-O wrote:
> >> Hi,
> >>
> >> I am trying to obtain a service ticket with a client keytab for my account.
> >> Unfortunately it fails. I wanted to narrow this down and tried to perform the
> >> very same operation with
> >> $ kinit -k -t my.keytab
> >> and it says kinit: Keytab contains no suitable keys for host/fqdn@REALM while
> >> getting initial credentials.
> >>
> >> The question is, why does it completely ignore my keytab and tries the
> >> default one in /etc?
> >
> >
> > It isn't, is it? Does your keytab have the host key? It is not only you
> > who must authenticate, but also the machine upon which you are working.
>
> Hi Steve,
>
> you're right, it does *not* use the default keytab but it uses the
> default machine principal. The extra keytab I am using is a functional
> account in our Active Directory, it is not a machine account, nor a
> human one.
>
> The machine has already joined the domain, why does it need to
> reauthenticate?
>
> Thanks,
>
> Michael
Hi
Tickets have a lifetime. In our domain it's 10 hours. The host or
machine$ key is used to authenticate your computer. You normally get
your own tgt by entering a password or, as I think you may wish to do,
by having your key in a keytab so eliminating the need for a password.
So long as both you and your machine are known to AD, you're free to go.
What does your 'functional account' do? Is there any reason you can't
have all your keys in one keytab? Preferably the default keytab?
Cheers,
Steve
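One check worth doing before chasing this further is listing which principals the keytab actually contains, since MIT kinit -k with no principal argument defaults to host/<fqdn>@REALM, which is exactly the name in the error above. Below is an added example, not code from this thread, that parses an MIT-format keytab (version 0x0502) in Python and reports its principals; the sample keytab bytes are constructed with dummy key material, and on a real system `klist -k -t my.keytab` gives the same listing.

```python
# Added example (not code from this thread): parse an MIT keytab (format 0x0502)
# and list its principals, to see whether a keytab holds the host/... key or only
# a service account's key before using it with kinit -k -t. Sample bytes are constructed.
import struct

def _cstr(buf, pos):  # uint16 length-prefixed string (keytab counted_octet_string)
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for every live entry in the keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _cstr(data, pos)
            comps.append(comp)
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        enctype, keylen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + keylen           # skip the key bytes; only the principal matters here
        if end - pos >= 4:           # optional 32-bit kvno overrides the 8-bit one if nonzero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or kvno
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
        pos = end
    return entries

def has_principal(data, principal):
    """True if the keytab holds a key for exactly this principal name."""
    return any(p == principal for p, _, _ in parse_keytab(data))

def _entry(principal, kvno, enctype, key):  # encodes one entry; only used for the sample
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    body += b"".join(struct.pack(">H", len(c)) + c.encode() for c in comps)
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: a service-account key only, no host/ key (enctype 18 = aes256-cts).
SAMPLE_KEYTAB = b"\x05\x02" + _entry("svc_report@EXAMPLE.COM", 3, 18, b"\x11" * 32)
```

Running `parse_keytab` over a real keytab read in binary mode shows at a glance whether the host principal kinit falls back to is present at all.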
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos