On 1/25/2011 3:01 PM, Jeff draht wrote:
> Doug,
> this is the issue I am having after creating a user's keytab file;
>
> ktutil: addent -password -p [email protected] -k 7 -e arcfour-hmac-md5
> Password for [email protected]:
> ktutil: list
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
> 1 7 [email protected]
>
> ktutil: wkt /var/tmp/xf1adm-keytab-new-012511
> ktutil: q
>
> root@yeoman:/usr/local/bin>klist -ke /var/tmp/xf1adm-keytab-new-012511
> ---- --------------------------------------------------------------------------
> 7 [email protected] (ArcFour with HMAC/md5)
>
> Then;
>
> kinit -k -t /var/tmp/xf1adm-keytab-new-012511 [email protected]
>
> However, this function does not work; it errors;
>
> kinit -k -t /var/tmp/xf1adm-keytab-new-012511 [email protected]
> kinit(v5): Key table entry not found while getting initial credentials
I ran into a problem like this in 2009, on a Solaris 10 client to AD 2008 involving AES256.

I think what might be going on is the kinit sends the AS-REQ message to the KDC with a list of supported enctypes. The KDC then picks the best enctype supported for that principal and returns the ticket. If the client sends AES, and the KDC supports it, then an AES key will be needed. The problem is the kinit does not look to see what enctypes are available in the keytab. When using a password, kinit can generate a key for any enctype from the password, so this is not an issue.

The way to see if this is the case is to use Wireshark or another network trace program on the client. You should see the KRB5 packets and can see the AS-REQ being sent and the enctypes that are supported. The AS-REP from the KDC will contain a ticket which is encrypted for use by the client principal. I bet it says it is looking for something other than ArcFour, or the kvno does not match.

Ways around this:

Look at the msDS-SupportedEncryptionTypes attribute on the xf1adm AD account. (Look at the msDS-KeyVersionNumber too.) See: http://msdn.microsoft.com/en-us/library/cc223853(v=prot.13).aspx

This could be changed in AD for the client to only support ArcFour. Or the keytab entry could have AES256. But if you are using the SAP client later, make sure SAP can support AES256 too, as it will need to use the krbtgt ticket to get more tickets.

> Thanks and I will start using the link you suggested for my questions...
>
> Jeff
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
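An added example, not from the thread and not MIT or Argonne code: a Python script that parses an MIT-format keytab and models the selection Doug describes, the strongest enctype allowed by the account's msDS-SupportedEncryptionTypes bits, then checks whether the keytab holds a key for that enctype at the account's kvno. The bit-to-enctype mapping is the documented MS-KILE one; the keytab contents, the realm AD.EXAMPLE, the key bytes and the kvno are constructed for the example.

```python
import struct

# AD msDS-SupportedEncryptionTypes bits (MS-KILE) with the Kerberos enctype number
# each bit names, ordered strongest first, which is the order a KDC prefers them.
AD_ENCTYPES = [(0x10, 18, "aes256-cts-hmac-sha1-96"), (0x08, 17, "aes128-cts-hmac-sha1-96"),
               (0x04, 23, "arcfour-hmac-md5"), (0x02, 3, "des-cbc-md5"), (0x01, 1, "des-cbc-crc")]

def parse_keytab(data):
    """Parse an MIT keytab (version 0x0502) into (principal, kvno, enctype) tuples."""
    assert data[:2] == b"\x05\x02", "not a version 2 keytab"
    entries, pos = [], 2
    while pos < len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]
        pos += 4
        if size < 0:                     # negative size marks a deleted slot
            pos -= size
            continue
        body, pos = data[pos:pos + size], pos + size
        off, parts = 2, []
        for _ in range(struct.unpack(">H", body[:2])[0] + 1):  # realm, then name components
            ln = struct.unpack(">H", body[off:off + 2])[0]
            parts.append(body[off + 2:off + 2 + ln].decode())
            off += 2 + ln
        vno8 = body[off + 8]             # after name_type (4) and timestamp (4)
        etype, klen = struct.unpack(">HH", body[off + 9:off + 13])
        off += 13 + klen
        # a 32-bit kvno follows the key only when the entry has room for it
        vno = struct.unpack(">I", body[off:off + 4])[0] if len(body) - off >= 4 else vno8
        entries.append(("/".join(parts[1:]) + "@" + parts[0], vno, etype))
    return entries

def build_entry(principal, kvno, etype, key):
    """Serialize one keytab entry; used here only to construct the sample file."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, timestamp, 8-bit vno
    body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def diagnose(keytab, ad_bits, ad_kvno):
    """Return (enctype the KDC will choose, whether the keytab has that key at ad_kvno)."""
    # an absent or zero attribute is treated as RC4-only here
    chosen, name = next(((e, n) for b, e, n in AD_ENCTYPES if ad_bits & b), (23, "arcfour-hmac-md5"))
    have = {(k, e) for _, k, e in parse_keytab(keytab)}
    return name, (ad_kvno, chosen) in have

# constructed sample mirroring the thread: a single ArcFour key at kvno 7
SAMPLE = b"\x05\x02" + build_entry("xf1adm@AD.EXAMPLE", 7, 23, bytes(16))
```

With the account allowing AES256 as well as RC4 (0x1C), `diagnose(SAMPLE, 0x1C, 7)` reports that the KDC will choose aes256-cts-hmac-sha1-96 and the keytab lacks it, which is the "Key table entry not found" situation; restricting the account to 0x04 or adding an AES256 entry makes the check pass.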
