Hello,

I am testing a keytab obtained from a Windows 2003 Server (sp1) prior to
configuring mod_auth_kerb. I have used the following command to
generate a keytab on the KDC;
ktpass -mapuser intsvcuser@smg.plc.uk -princ HTTP/connect.smg.plc.uk@SMG.PLC.UK +DesOnly -pass userspassword -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -out "c:\krb5.keytab"

The *nix server is running Solaris 9 with MIT krb5-1.4.3. I have
transferred the keytab to /etc/krb5.keytab. When I run;
# /usr/local/bin/kinit -k -t /etc/krb5.keytab HTTP/connect.smg.plc.uk@SMG.PLC.UK

I get the following error;
kinit(v5): Preauthentication failed while getting initial credentials

I am able to obtain a ticket directly from the kdc using #./kinit
DavidTelfer@SMG.PLC.UK which would indicate that the problem wasn't a
clock slew error (I haven't seen an error of this nature appear with
this version of krb so I'm not sure whether it would explicitly state this).

From reading a few mailing list posts I have discovered some people
having issues with ktpass on service pack 1. One such post;
http://groups.google.com/group/comp....a9428688c66d72
details a similar problem. I have followed the advice given, ensuring
that the kvnos match and changing the system user's password prior to
generating the keytab, but to no avail.

My /etc/krb5.conf file is as follows (I've removed every non-essential
entry to ensure that it isn't the issue);

[libdefaults]
    default_realm = SMG.PLC.UK
[domain_realm]
    connect.smg.plc.uk = SMG.PLC.UK
[realms]
    SMG.PLC.UK = {
        kdc = pqdomc01.smg.plc.uk
        admin_server = pqdomc01.smg.plc.uk
        default_domain = smg.plc.uk
    }

Has anyone experienced a similar problem to this? I have to assume
there is a problem with the keytab but I'm at a loss as to what the
problem could be.

David Telfer
david@2fluid.co.uk




________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos