Re: GSSAPI on Linux using Windows AD Servers as KDCs - Errors about Keytab Entries
Jason D. McCormick wrote:
> Douglas E. Engert wrote:
>> Richard Silverman asked how did you add the principals to AD?
>> If you used the same AD account for both principals, they will use the
>> same password to generate the key, and will use the same kvno.
>> Thus your first problem might be the kvno is not found in the keytab.
> The keys are both kvno=3 on the AD-side and in the client's keytab.
>> Are 55 and 59 the length of the message as seen by strace or an error code?
> Oh.... yeah.
>> I assume you ran the gss-server as root, so it could access /etc/krb5.keytab
> Yes. Strace shows the gss-server process being able to open the keytab
>> The use of a single AD account for two principals with the same password
>> is a difference.
> Each Kerberos keytab entry has a 1:1 match with an AD user. Or are you
> pointing out I'm supposed to be doing something different?
No. Just making sure you did not fall into the trap of using the same account
for two principals.
> - Jason
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439