Jason D. McCormick wrote:
> Douglas E. Engert wrote:
>
>> Richard Silverman asked how did you add the principals to AD?
>> If you used the same AD account for both principals, they will use the
>> same password to generate the key, and will use the same kvno.
>>
>> Thus your first problem might be the kvno is not found, in the keytab.

>
> They keys are both kvno=3 on the AD-side and in the client's keytab.
>
>> Are 55 and 59 the length of the message as seen by strace or an error code?

>
> Oh.... yeah.
>
>> I assume you ran the gss-server as root, so it could access/etc/krb5.keytab

>
> Yes. Strace shows the gss-server process being able to open the keytab
> file.
>
>> The uses of a single AD account for two principals with the same pasword
>> is a difference.

>
> Each Kerberos keytab entry has a 1:1 match with an AD user. Or are you
> pointing out I'm supposed to be doing something different?



No. Just making sure you did not fall into the trap of using the same account
for two principals.

>
> Thanks.
>
> - Jason
>
>


--

Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444