[33356] in Kerberos


Re: kerberos and Windows 2008R2 - kinit: Key table entry not found

daemon@ATHENA.MIT.EDU (Mark Pröhl)
Fri Apr 29 09:34:41 2011

Message-ID: <4DBABE55.1020005@mproehl.net>
Date: Fri, 29 Apr 2011 15:34:13 +0200
From: Mark Pröhl <mark@mproehl.net>
MIME-Version: 1.0
To: kerberos@mit.edu
In-Reply-To: <CDED04E03A9F5348A6B3209F75AC9C6C0401AE2EA8@EXCHANGE1.global.knight.com>
Reply-To: mark@mproehl.net
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hi,

DES is disabled by default in Windows 2008 R2. So if you do not need
DES, then just create the keytab for stronger encryption types. If you
really need DES, you have to configure your Windows KDC to issue DES
tickets. You should not disable preauthentication.

Regards,

Mark Pröhl



On 04/28/2011 11:08 PM, Gomes, Charles wrote:
> Hello Kerberos List,
>
> I'm trying to set a Kerberos ticket between a Unix and a Windows 2008 R2 server.
> I've created a user on windows and used the ktpass to generate the Kerberos keytab:
> C:\Windows\System32\ktpass princ host/jc1lqaldap.testdomain.com@TESTDOMAIN.COM mapuser TESTDOMAIN\host_jc1lqaldap -crypto DES-CBC-MD5 -pass * -ptype KRB5_NT_PRINCIPAL out c:\nis_data\host_jc1lqaldap.keytab
>
> I did make sure that "Use Kerberos DES encryption types for this account" was checked.
> First I was getting:
> root@jc1lqaldap:/etc# kinit -V -k -t /etc/krb5.keytab -c /tmp/krb5cc_0 host/jc1lqaldap.testdomain.com
> kinit: KDC has no support for encryption type while getting initial credentials
>
> So I've checked "Do not require Kerberos preauthentication" and I get:
> root@jc1lqaldap:/etc# kinit -V -k -t /etc/krb5.keytab -c /tmp/krb5cc_0 host/jc1lqaldap.testdomain.com
> kinit: Key table entry not found while getting initial credentials
>
> Where should that key table entry be located?
> I cannot go forward with this. Is there a way to get more verbose logging so I can troubleshoot this?
>
> Klist
> root@jc1lqaldap:/etc# klist -ke -t /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    12 12/31/69 19:00:00 host/jc1lqaldap.testdomain.com@TESTDOMAIN.COM (DES cbc mode with RSA-MD5)
>
> Cat /etc/krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = TESTDOMAIN.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
>
> default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
> default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
>
> [realms]
> TESTDOMAIN.COM = {
>    kdc = server.testdomain.com:88
>    admin_server = server.testdomain.com:749
>    default_domain = testdomain.com
> }
>
> [domain_realm]
> .testdomain.com = TESTDOMAIN.COM
> testdomain.com = TESTDOMAIN.COM
>
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
> pam = {
>     debug = false
>     ticket_lifetime = 36000
>     renew_lifetime = 36000
>     forwardable = true
>     krb4_convert = false
>     validate = true
> }
>

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
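A check for the mismatch Mark describes above, a keytab whose only key for the host principal is DES while a 2008 R2 KDC no longer issues DES tickets. This is an added example, not code from the thread: a small parser for the MIT keytab file format that reports the same principal, kvno and enctype that the poster's `klist -ke` output shows and flags principals that have only DES keys. The sample keytab bytes, the second principal and the key material are constructed; the enctype numbers are the standard RFC 3961 / MIT values.

```python
import struct
DES = {1, 2, 3}  # enctype numbers of des-cbc-crc, des-cbc-md4, des-cbc-md5 (RFC 3961 / MIT krb5)

def read_cstr(buf, off):  # 16-bit length-prefixed byte string -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse an MIT keytab (format version 0x0502) into [(principal, kvno, enctype), ...]."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # a negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = read_cstr(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = read_cstr(data, off)
            comps.append(c.decode())
        _nametype, _ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13 + klen                  # skip the key material itself
        kvno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        off = end
    return entries

def des_only_principals(entries):  # principals whose every key in the keytab is DES
    by_princ = {}
    for princ, _, et in entries:
        by_princ.setdefault(princ, set()).add(et)
    return sorted(p for p, ets in by_princ.items() if ets <= DES)

def build_entry(princ, kvno, enctype, key):  # serialises one entry; used for the sample below
    name, realm = princ.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    body += b"".join(struct.pack(">H", len(c)) + c.encode() for c in comps)
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: the poster's DES-only host key plus an AES key for a made-up principal.
SAMPLE_KEYTAB = (b"\x05\x02"
    + build_entry("host/jc1lqaldap.testdomain.com@TESTDOMAIN.COM", 12, 3, b"\x01" * 8)
    + build_entry("host/other.testdomain.com@TESTDOMAIN.COM", 1, 18, b"\x02" * 32))
```

Running `parse_keytab` on the bytes of a real `/etc/krb5.keytab` gives the same rows as `klist -ke`; a principal returned by `des_only_principals` cannot authenticate to a KDC that has DES switched off.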
