Can kinit but not kvno - Kerberos



Thread: Can kinit but not kvno

  1. Can kinit but not kvno

    Hi, I'm trying to set up MIT Kerberos so that we can authenticate
    against an Active Directory service (Windows Server 2003, I believe) and
    most things seem to be working; I just can't get kvno to work or keytab
    files (probably because of the kvno issue).

    Here's the config:

    [libdefaults]
    default_realm = LIVAD.LIV.AC.UK

    [realms]
    LIVAD.LIV.AC.UK = {
    kdc = livad.liv.ac.uk:88
    admin_server = livad.liv.ac.uk
    }
    [domain_realm]
    .liv.ac.uk = LIVAD.LIV.AC.UK
    liv.ac.uk = LIVAD.LIV.AC.UK

    And here's the output from various commands:

    ../kinit jgilbert@LIVAD.LIV.AC.UK
    Password for jgilbert@LIVAD.LIV.AC.UK:

    ../klist
    Ticket cache: FILE:/tmp/krb5cc_48703
    Default principal: jgilbert@LIVAD.LIV.AC.UK

    Valid starting Expires Service principal
    04/17/08 12:30:22 04/17/08 22:30:26 krbtgt/LIVAD.LIV.AC.UK@LIVAD.LIV.AC.UK
    renew until 04/18/08 12:30:22


    Kerberos 4 ticket cache: /tmp/tkt48703
    klist: You have no tickets cached

    ../kvno jgilbert@LIVAD.LIV.AC.UK
    kvno: Server not found in Kerberos database while getting credentials
    for jgilbert@LIVAD.LIV.AC.UK

    So as you can see everything seems to work fine, I just can't use kvno.
    What things should I be looking at to try to fix this? Could it be a
    setting on the AD end denying such requests?

    --
    John Gilbertson

  2. Re: Can kinit but not kvno



    John Gilbertson wrote:
    > Hi, I'm trying to set up MIT Kerberos so that we can authenticate
    > against an Active Directory service (Windows Server 2003 I believe) and
    > most things seem to be working, I just can't get kvno to work or keytab
    > files (Probably because of the kvno issue)

    ....
    >
    > So as you can see everything seems to work fine, I just can't use kvno.
    > What things should I be looking at to try to fix this? Could it be a
    > setting on the AD end denying such requests?
    >



    kvno is requesting a service ticket. But user accounts in AD don't
    normally have a servicePrincipalName attribute.

    kvno should work for actual service principals like:

    kvno host/livad.liv.ac.uk

    Why do you need to use kvno with a user account?

    If you need to know the kvno for the user, you can use ldap or ADSI Edit
    and search for the user and read the msDS-KeyVersionNumber attribute.

    You might be able to add a servicePrincipalName to the user account if
    you really need to get a service ticket for the user.


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444
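    The distinction Douglas draws above (kvno issues a TGS request, which the KDC can only answer for a name registered as a servicePrincipalName, whereas a user account's key version lives in the msDS-KeyVersionNumber attribute) can be turned into a small helper. The following is an added example, not code from the thread or from MIT Kerberos: it parses a principal name (honouring the backslash escapes Kerberos uses for literal `/`, `@` and `\`), picks the lookup path, builds the ldapsearch command with an RFC 4515-escaped filter so an odd account name cannot alter the query, and reads the attribute back out of the LDIF. The LDAP URI, base DN and the LDIF sample are constructed for illustration; ldapsearch is run with `-Y GSSAPI` on the assumption that the TGT from kinit is already in the cache, as it is in the thread.

```python
"""Find a principal's key version number (kvno) against Active Directory.

Added example. Per the thread: `kvno` performs a TGS request, which the KDC
satisfies only for names registered as a servicePrincipalName; a plain user
account instead carries the answer in the msDS-KeyVersionNumber attribute.
Hostnames, base DN and the LDIF sample below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Principal:
    components: List[str]
    realm: Optional[str]

    @property
    def is_service(self) -> bool:
        # A service principal has an instance component, e.g. host/fqdn.
        return len(self.components) >= 2


def parse_principal(name: str) -> Principal:
    """Split 'primary/instance@REALM' into components and realm.

    A backslash escapes the next character, so 'host/web\\/1@R' yields the
    components ['host', 'web/1'] (only the literal-character escapes \\/ \\@
    and \\\\ are relevant here; other escaped characters pass through).
    """
    components, buf, in_realm = [], [], False
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):
            buf.append(name[i + 1])
            i += 2
            continue
        if not in_realm and ch in "/@":
            components.append("".join(buf))
            buf = []
            in_realm = ch == "@"
        else:
            buf.append(ch)
        i += 1
    if in_realm:
        return Principal(components, "".join(buf))
    components.append("".join(buf))
    return Principal(components, None)


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def kvno_lookup_argv(principal: str, ldap_uri: str, base_dn: str) -> List[str]:
    """Return the command that can actually answer 'what is this key's kvno?'.

    Service principal -> kvno (TGS request). User account -> LDAP read of
    msDS-KeyVersionNumber, because a TGS request for a user name fails with
    'Server not found in Kerberos database', exactly as in the original post.
    """
    p = parse_principal(principal)
    if p.is_service:
        return ["kvno", principal]
    # sAMAccountName is the short logon name, i.e. the first component.
    sam = ldap_filter_escape(p.components[0])
    flt = f"(&(objectClass=user)(sAMAccountName={sam}))"
    return ["ldapsearch", "-LLL", "-Y", "GSSAPI", "-H", ldap_uri,
            "-b", base_dn, flt, "msDS-KeyVersionNumber"]


_KVNO_LINE = re.compile(r"^msDS-KeyVersionNumber:\s*(\d+)\s*$", re.I | re.M)


def parse_kvno_ldif(ldif: str) -> Optional[int]:
    """Pull the key version number out of ldapsearch's LDIF output."""
    m = _KVNO_LINE.search(ldif)
    return int(m.group(1)) if m else None


# Constructed sample of what ldapsearch -LLL would print for the user path.
SAMPLE_LDIF = """\
dn: CN=John Gilbertson,CN=Users,DC=livad,DC=liv,DC=ac,DC=uk
msDS-KeyVersionNumber: 3
"""

if __name__ == "__main__":
    for name in ("jgilbert@LIVAD.LIV.AC.UK", "host/livad.liv.ac.uk"):
        print(name, "->", " ".join(kvno_lookup_argv(
            name, "ldap://livad.liv.ac.uk", "DC=livad,DC=liv,DC=ac,DC=uk")))
    print("kvno from sample LDIF:", parse_kvno_ldif(SAMPLE_LDIF))
```

    The `is_service` test is deliberately structural (does the name have an instance component?) rather than a KDC query: it tells you which tool to reach for, not whether the SPN actually exists, so a misspelt `host/` name will still fail at the KDC with the same "Server not found" error.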

  3. Re: Can kinit but not kvno

    Douglas E. Engert wrote:

    > kvno is requesting a service ticket. But user accounts in AD don't
    > normally have a servicePrincipalName attribute.
    >
    > kvno should work for actual service principals like:
    >
    > kvno host/livad.liv.ac.uk
    >
    > Why do you need to use kvno with a user account?
    >
    > If you need to know the kvno for the user, you can use ldap or ADSI Edit
    > and search for the user and read the msDS-KeyVersionNumber attribute.
    >
    > You might be able to add a servicePrincipalName to the user account if
    > you really need to get a service ticket for the user.


    Ah, that does explain it all, thank you.

    I was just testing to make sure everything was working before bothering
    our AD team to set up a service principal for a test service. I didn't
    know if I had got the initial setup right or not.

    --
    John Gilbertson
