Nathan Neulinger wrote:
(Reposted from [EMAIL PROTECTED])

I've got a problem with keytabs related to an upgrade from W2K to W2K3 when authenticating from a unix client w/ mit krb5.

Principal: host/[EMAIL PROTECTED]
Password: (example)  fred

A) W2K DC
   create princ via ssl-ldap on w2k domain controller, set pw to fred

   kinit host/afsimap1.cc.umr.edu (against w2k dc), give password => works fine
   kinit host/afsimap1.cc.umr.edu (against w2k3 dc), give password => works fine

   ktutil, create keytab with that password, des-cbc-crc, kvno 1
   ktutil, create keytab with that password, des-cbc-crc, kvno 3 (in our environment, it always winds up with kvno 3 on the w2k3 dc because we delete the princ first)


   kinit -k -t ... host/afsimap1.cc.umr.edu (against either dc) => works fine

B) W2K3 DC
   create princ via ssl-ldap on w2k3 domain controller, set pw to fred

   kinit host/afsimap1.cc.umr.edu (against w2k dc), give password => works fine
   kinit host/afsimap1.cc.umr.edu (against w2k3 dc), give password => works fine

   ktutil, create keytab with that password, des-cbc-crc, kvno 1 and 3

   kinit -k -t ... host/afsimap1.cc.umr.edu (against either dc) => preauth fails

When attempting to use the keytab - i.e. via telnetd or sshd w/ Simon's patches - I get "decrypt integrity check failed" errors (or ssh protocol error w/ pkt 34).


The _ONLY_ change that I am making between functional and non-functional is which LDAPS server I point at for creating the princ and setting the password for it.

I have the client-etypes hotfix applied, but not sure it's relevant to this problem since I _am_ able to authenticate, just not with a keytab.

-- Nathan

------------------------------------------------------------
Nathan Neulinger                       EMail:  [EMAIL PROTECTED]
University of Missouri - Rolla         Phone: (573) 341-6679
UMR Information Technology             Fax: (573) 341-4216
________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
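A keytab built from a password only matches what the KDC holds when the principal, kvno and enctype (and the password and salt behind the key) all agree, so the first thing to verify in a case like the one above is what the keytab file actually contains. The following is an added example, not code from the thread: a small reader for the MIT keytab v2 format that lists each entry's principal, kvno and enctype and checks that the expected kvnos are present. The realm EXAMPLE.REALM, the timestamps and the all-zero key bytes are placeholders constructed here for the sample.

```python
import struct

KEYTAB_MAGIC = b"\x05\x02"          # MIT keytab file format, version 2
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}
NT_PRINCIPAL = 1

def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key, timestamp) tuples as a v2 keytab.
    Only used to construct sample input here; real keytabs come from ktutil."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, realm, kvno, enctype, key, ts in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps))            # v2: realm not counted
        for s in [realm] + comps:                        # realm first, then components
            b = s.encode()
            body += struct.pack(">H", len(b)) + b
        body += struct.pack(">IIB", NT_PRINCIPAL, ts, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                  # optional 32-bit kvno field
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data):
    """Return one dict per entry: principal, kvno, enctype name and raw key."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                                     # negative size = deleted slot
            pos += -size; continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        strings = []
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            strings.append(data[pos:pos + n].decode()); pos += n
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        ext = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "kvno": ext or vno8, "key": key,
                        "enctype": ENCTYPE_NAMES.get(enctype, str(enctype))})
        pos = end
    return entries

def check_keytab(data, principal, expected_kvnos, enctype="des-cbc-crc"):
    """Map each expected kvno to whether the keytab has it for principal/enctype."""
    found = {e["kvno"] for e in parse_keytab(data)
             if e["principal"] == principal and e["enctype"] == enctype}
    return {k: (k in found) for k in expected_kvnos}

# Constructed sample: the kvno 1 and kvno 3 des-cbc-crc entries from the thread.
SAMPLE = build_keytab([("host/afsimap1.cc.umr.edu", "EXAMPLE.REALM", 1, 1, bytes(8), 0),
                       ("host/afsimap1.cc.umr.edu", "EXAMPLE.REALM", 3, 1, bytes(8), 0)])
```

Run `parse_keytab(open("/etc/krb5.keytab", "rb").read())` against a real file to compare with `klist -kte`; an entry with the right kvno and enctype that still fails preauth points at the key material (password or salt) rather than the keytab layout.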

Nathan,

Did you solve your issue? I have now seen similar problems, where everything works fine with a 2000 KDC (I use an old MIT 1.2.4 release) but with a 2003 KDC I get decrypt integrity errors.

Thanks
Markus
