Can kinit but not kvno

Printable View

04-17-2008, 11:38 AM
unix

Can kinit but not kvno

Hi, I'm trying to set up MIT Kerberos so that we can authenticate
against an Active Directory service (Windows Server 2003 I believe) and
most things seem to be working, I just can't get kvno to work or keytab
files (Probably because of the kvno issue)

Here's the config:

[libdefaults]
default_realm = LIVAD.LIV.AC.UK

[realms]
LIVAD.LIV.AC.UK = {
kdc = livad.liv.ac.uk:88
admin_server = livad.liv.ac.uk
}
[domain_realm]
.liv.ac.uk = LIVAD.LIV.AC.UK
liv.ac.uk = LIVAD.LIV.AC.UK

And here's the output from various commands:

../kinit [email]jgilbert@LIVAD.LIV.AC.UK[/email]
Password for [email]jgilbert@LIVAD.LIV.AC.UK[/email]:

../klist
Ticket cache: FILE:/tmp/krb5cc_48703
Default principal: [email]jgilbert@LIVAD.LIV.AC.UK[/email]

Valid starting Expires Service principal
04/17/08 12:30:22 04/17/08 22:30:26 krbtgt/LIVAD.LIV.AC.UK@LIVAD.LIV.AC.UK
renew until 04/18/08 12:30:22

Kerberos 4 ticket cache: /tmp/tkt48703
klist: You have no tickets cached

../kvno [email]jgilbert@LIVAD.LIV.AC.UK[/email]
kvno: Server not found in Kerberos database while getting credentials
for [email]jgilbert@LIVAD.LIV.AC.UK[/email]

So as you can see everything seems to work fine, I just can't use kvno.
What things should I be looking at to try to fix this? Could it be a
setting on the AD end denying such requests?

--
John Gilbertson
04-17-2008, 01:43 PM
unix

Re: Can kinit but not kvno

John Gilbertson wrote:[color=blue]
> Hi, I'm trying to set up MIT Kerberos so that we can authenticate
> against an Active Directory service (Windows Server 2003 I believe) and
> most things seem to be working, I just can't get kvno to work or keytab
> files (Probably because of the kvno issue)[/color]
....[color=blue]
>
> So as you can see everything seems to work fine, I just can't use kvno.
> What things should I be looking at to try to fix this? Could it be a
> setting on the AD end denying such requests?
>[/color]

kvno is requesting a service ticket. But user accounts in AD don't
normally have a servicePrincipalName attribute.

kvno should work for actual service principals like:

kvno host/livad.liv.ac.uk

Why do you need to use kvno with a user account?

If you need to know the kvno for the user, you can use ldap or ADSI Edit
and search for the user and read the msDS-KeyVersionNumber attribute.

You might be able to add a servicePrincipalName to the user account if
you really need to get a service ticket for the user.

--

Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
04-17-2008, 02:57 PM
unix

Re: Can kinit but not kvno

Douglas E. Engert wrote:
[color=blue]
> kvno is requesting a service ticket. But user accounts in AD don't
> normally have a servicePrincipalName attribute.
>
> kvno should work for actual service principals like:
>
> kvno host/livad.liv.ac.uk
>
> Why do you need to use kvno with a user account?
>
> If you need to know the kvno for the user, you can use ldap or ADSI Edit
> and search for the user and read the msDS-KeyVersionNumber attribute.
>
> You might be able to add a servicePrincipalName to the user account if
> you really need to get a service ticket for the user.[/color]

Ah that does explain it all thankyou.

I was just testing to make sure everything was working before bothering
our AD team to set up a service principal for a test service. I didn't
know if I had got the initial setup right or not.

--
John Gilbertson