(Reposted from [EMAIL PROTECTED])
I've got a problem with keytabs related to an upgrade from W2K to W2K3 when authenticating from a unix client w/ mit krb5.
Principal: host/[EMAIL PROTECTED] Password: (example) fred
A) W2K DC create princ via ssl-ldap on w2k domain controller, set pw to fred
kinit host/afsimap1.cc.umr.edu (against w2k dc), give password => works fine kinit host/afsimap1.cc.umr.edu (against w2k3 dc), give password => works fine
ktutil, create keytab with that password, des-cbc-crc, kvno 1
ktutil, create keytab with that password, des-cbc-crc, kvno 3 (in our environment, it always winds up with kvno 3 on the w2k3 dc cause we delete princ first)
kinit -k -t ... host/afsimap1.cc.umr.edu (against either dc) => works fine
B) W2K3 DC create princ via ssl-ldap on w2k3 domain controller, set pw to fred
kinit host/afsimap1.cc.umr.edu (against w2k dc), give password => works fine kinit host/afsimap1.cc.umr.edu (against w2k3 dc), give password => works fine
ktutil, create keytab with that password, des-cbc-crc, kvno 1 and 3
kinit -k -t ... host/afsimap1.cc.umr.edu (against either dc) => preauth fails
when attempting to use the keytab - i.e. via telnetd or sshd w/ simon's patches - I get decrypt integ check failed errors (or ssh protocol error w/ pkt 34)
The _ONLY_ change that I am making between functional and non-functional is which LDAPS server I point at for creating the princ and setting the password for it.
I have the client-etypes hotfix applied, but not sure it's relevant to this problem since I _am_ able to authenticate, just not with a keytab.
-- Nathan
------------------------------------------------------------ Nathan Neulinger EMail: [EMAIL PROTECTED] University of Missouri - Rolla Phone: (573) 341-6679 UMR Information Technology Fax: (573) 341-4216 ________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
Nathan,
did you solve your issue ? I have seen now similar problems, where everything works fine with a 2000 kdc (I use an old MIT 1.2.4 release) but with a 2003 kdc I get decrypt integrety errors.
Thanks Markus
________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos