I am testing a keytab obtained from a Windows 2003 Server (sp1) prior to
configuring mod_auth_kerb. I have used the following command to
generate a keytab on the KDC;
ktpass -mapuser intsvcuser@smg.plc.uk -princ
HTTP/connect.smg.plc.uk@SMG.PLC.UK +DesOnly -pass userspassword -ptype
KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -out "c:\krb5.keytab"

The *nix server is running Solaris 9 with MIT krb5-1.4.3. I have
transfered the keytab to /etc/krb5.keytab. When I run ;
#/usr/local/bin/kinit -k -t /etc/krb5.keytab

I get the following error;
kinit(v5): Preauthentication failed while getting initial credentials

I am able to obtain a ticket directly from the kdc using #./kinit
DavidTelfer@SMG.PLC.UK which would indicate that the problem wasn't a
clock slew error (I haven't seen an error of this nature appear with
this version of krb so I'm not sure whether it would explicitly state this).

From reading a few mailing list posts I have discovered some people
having issues with ktpass on service pack 1. One such post;
details a similar problem I have followed the advice given, ensuring
that the kvno's match and changing the system users password prior to
generating the keytab but to no avail.

My /etc/krb5.conf file is as follows (I've removed every non-essential
entry to ensure that it isn't the issue);

default_realm = SMG.PLC.UK
connect.smg.plc.uk = SMG.PLC.UK
kdc = pqdomc01.smg.plc.uk
admin_server = pqdomc01.smg.plc.uk
default_domain = smg.plc.uk

Has anyone experienced a similar problem to this? I have to assume
there is a problem with the keytab but I'm at a loss as to what the
problem could be.

David Telfer

Kerberos mailing list Kerberos@mit.edu