David,

The easiest solution to this problem is to use the ktpass which was
shipped with Windows 2003, and not the one with SP1.

Alternatively, you can use one of the many tools available that replace
the need for ktpass, and use computer accounts for key storage. These
tools do not suffer from the same issues as ktpass.

It seems that the sp1 version of ktpass stores a key with a specific
kvno in the keytab file, and the kvno in the domain controller for the
same principal is different. This is why you cannot use the keytab file
to authenticate.

Thanks, Tim 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of David Telfer
Sent: 22 March 2006 17:09
To: kerberos@mit.edu
Subject: kinit request on keytab fails using 2K3sp1 KDC

Hello,

I am testing a keytab obtained from a Windows 2003 Server (sp1) prior to
configuring mod_auth_kerb.  I have used the following command to
generate a keytab on the KDC;
ktpass -mapuser [EMAIL PROTECTED] -princ HTTP/[EMAIL PROTECTED] +DesOnly -pass userspassword -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -out "c:\krb5.keytab"

The *nix server is running Solaris 9 with MIT krb5-1.4.3.  I have
transferred the keytab to /etc/krb5.keytab.  When I run ;
#/usr/local/bin/kinit -k -t /etc/krb5.keytab HTTP/[EMAIL PROTECTED]

I get the following error;
kinit(v5): Preauthentication failed while getting initial credentials

I am able to obtain a ticket directly from the kdc using #./kinit 
[EMAIL PROTECTED] which would indicate that the problem wasn't a 
clock slew error (I haven't seen an error of this nature appear with 
this version of krb so I'm not sure whether it would explicitly state
this).

From reading a few mailing list posts I have discovered some people
having issues with ktpass on service pack 1.  One such post;
http://groups.google.com/group/comp.protocols.kerberos/browse_thread/thread/1c991fa1b6ea4ef8/3da9428688c66d72%233da9428688c66d72
details a similar problem.  I have followed the advice given, ensuring
that the kvnos match and changing the system user's password prior to
generating the keytab, but to no avail.

My /etc/krb5.conf file is as follows (I've removed every non-essential 
entry to ensure that it isn't the issue);

[libdefaults]
        default_realm = SMG.PLC.UK
[domain_realm]
        connect.smg.plc.uk = SMG.PLC.UK
[realms]
        SMG.PLC.UK = {
                kdc = pqdomc01.smg.plc.uk
                admin_server = pqdomc01.smg.plc.uk
                default_domain = smg.plc.uk
        }

Has anyone experienced a similar problem to this?  I have to assume 
there is a problem with the keytab but I'm at a loss as to what the 
problem could be.

David Telfer
[EMAIL PROTECTED]
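
Tim's diagnosis above (the kvno stored in the keytab differs from the kvno the domain controller holds for the same principal) can be checked without touching the KDC by reading the kvnos out of the keytab itself. The script below is an added example, not code from either poster or from MIT krb5: it parses the MIT version 2 (0x0502) keytab layout, takes the KDC's current kvno as an input (for example the value the MIT `kvno` utility prints for the principal), and uses a constructed principal name HTTP/connect.smg.plc.uk@SMG.PLC.UK with a dummy key.

```python
import struct

DES_CBC_MD5 = 3  # enctype written by ktpass -crypto DES-CBC-MD5

def _counted(buf, off):
    """Read one 16-bit-length-prefixed octet string (keytab v2 is big-endian)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def read_keytab(data):
    """Parse a version 0x0502 keytab into (principal, kvno, enctype) tuples."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                      # negative size = deleted slot, skip it
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        _ntype, _ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + klen                     # skip the key bytes themselves
        kvno = vno8
        if p + 4 <= end:                   # 32-bit kvno is present only if it fits
            (vno32,) = struct.unpack_from(">I", data, p)
            kvno = vno32 or vno8
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        off = end
    return entries

def kvno_mismatches(entries, principal, kdc_kvno):
    """Keytab kvnos for `principal` that differ from the kvno the KDC reports."""
    return [k for p, k, _ in entries if p == principal and k != kdc_kvno]

def build_keytab(principal, kvno, enctype=DES_CBC_MD5, key=b"\x01" * 8):
    """Build a one-entry v2 keytab; constructed test data, the key is a dummy."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key))  # 1 = KRB5_NT_PRINCIPAL
    body += key + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

A non-empty list from kvno_mismatches is exactly the symptom Tim describes: the KDC will reject a preauthenticated request built with a key whose kvno it no longer holds.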

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
