Write a keytab? - Kerberos



Thread: Write a keytab?

  1. Write a keytab?


    I'm pulling my hair out over this. Is there any kerberos utility
    that will write a valid k5 keytab given either a password or
    a key, enctype and principal?

    Neither heimdal's ktutil add or MIT's ktutil addent seem to
    write valid keytab files. If you use the list option you
    seem to get valid results, but attempting to use the keytab
    to either kinit or use Heimdal's ktutil change options results
    in errors that look like parsing ones.

    Ktutil and kinit from Heimdal claim they can't find the host
    entry in the keytab and MIT's kinit claims that it can't contact
    the KDC listed for the principal.

    Alternatively, is there a documented format for the keytab file
    anywhere? Other than the source code in kt_file.c ?

    _ Booker C. Bense
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Write a keytab?


    On Apr 10, 2006, at 3:38 PM, Booker C. Bense wrote:

    >
    > I'm pulling my hair out over this. Is there any kerberos utility
    > that will write a valid k5 keytab given either a password or
    > a key, enctype and principal?
    >
    > Neither heimdal's ktutil add or MIT's ktutil addent seem to
    > write valid keytab files. If you use the list option you
    > seem to get valid results, but attempting to use the keytab
    > to either kinit or use Heimdal's ktutil change options results
    > in errors that look like parsing ones.
    >
    > Ktutil and kinit from Heimdal claim they can't find the host
    > entry in the keytab and MIT's kinit claims that it can't contact
    > the KDC listed for the principal.
    >
    > Alternatively, is there a documented format for the keytab file
    > anywhere? Other than the source code in kt_file.c ?



    For the curious and the archives, I solved the problem by using
    a different enctype. I'm not sure why this fixed the problem, but
    it did.

    _ Booker C. Bense


  3. Re: Write a keytab?

    "Booker C Bense" writes:
    > On Apr 10, 2006, at 3:38 PM, Booker C. Bense wrote:


    >> I'm pulling my hair out over this. Is there any kerberos utility
    >> that will write a valid k5 keytab given either a password or
    >> a key, enctype and principal?


    >> Neither heimdal's ktutil add or MIT's ktutil addent seem to
    >> write valid keytab files. If you use the list option you
    >> seem to get valid results, but attempting to use the keytab
    >> to either kinit or use Heimdal's ktutil change options results
    >> in errors that look like parsing ones.


    >> Ktutil and kinit from Heimdal claim they can't find the host
    >> entry in the keytab and MIT's kinit claims that it can't contact
    >> the KDC listed for the principal.


    >> Alternatively, is there a documented format for the keytab file
    >> anywhere? Other than the source code in kt_file.c ?


    > For the curious and the archives, I solved the problem by using
    > a different enctype. I'm not sure why this fixed the problem, but
    > it did.


    This is a pure shot in the dark, but I've discovered that Heimdal can
    apparently read keytabs with des-cbc-crc keys in them but cannot actually
    use them for any operation that involves iterating through the keytab (as
    opposed to matching an existing known key with something in the keytab,
    which is what's done for verification of remote authenticators) unless you
    explicitly list des-cbc-crc in default_etypes.

    I don't have any good explanation for this behavior, and I'm not sure what
    versions of Heimdal it applies to, but I ran into it with a 0.7 release.

    --
    Russ Allbery (rra@stanford.edu)

  4. Re: Write a keytab?


    On Apr 10, 2006, at 8:40 PM, Russ Allbery wrote:
    >
    > This is a pure shot in the dark, but I've discovered that Heimdal can
    > apparently read keytabs with des-cbc-crc keys in them but cannot actually
    > use them for any operation that involves iterating through the keytab (as
    > opposed to matching an existing known key with something in the keytab,
    > which is what's done for verification of remote authenticators) unless you
    > explicitly list des-cbc-crc in default_etypes.
    >
    > I don't have any good explanation for this behavior, and I'm not sure what
    > versions of Heimdal it applies to, but I ran into it with a 0.7 release.
    >


    Well, I was using des-cbc-md5, but I suspect the same applies. Once I
    switched to the hoopiest enctype, everything worked. Isn't des-cbc-crc
    deprecated? It's not supported in the version we use.

    _ Booker C. Bense


  5. Re: Write a keytab?

    "Booker C Bense" writes:

    > Well, I was using des-cbc-md5, but I suspect the same applies. Once I
    > switched to the hoopiest enctype, everything worked. Isn't des-cbc-crc
    > deprecated? It's not supported in the version we use.


    Well, it's deprecated in the sense that people should stop using DES, but
    you can't get rid of it completely because it's the only thing that AFS
    supports.

    --
    Russ Allbery (rra@stanford.edu)
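
Added example, not part of the thread and not code from MIT Kerberos or Heimdal: the original question asks for a documented keytab layout and a way to write an entry from a principal, enctype and key. This sketch serializes and parses the widely used version 0x0502 file layout and flags single-DES entries such as the des-cbc-crc and des-cbc-md5 keys discussed above; the principal, realm and all-zero key are constructed placeholders.

```python
import struct
# Kerberos enctype numbers; 1 and 3 are the DES types named in the thread.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
SINGLE_DES = {1, 2, 3}

def _counted(b):
    return struct.pack(">H", len(b)) + b

def _read(rec, off):
    (n,) = struct.unpack_from(">H", rec, off)
    return rec[off + 2:off + 2 + n], off + 2 + n

def build_keytab(principal, realm, etype, key, kvno=1, timestamp=0):
    """Serialize one entry as a version 0x0502 keytab (all integers big-endian)."""
    comps = [c.encode() for c in principal.split("/")]
    rec = struct.pack(">H", len(comps)) + _counted(realm.encode())
    rec += b"".join(_counted(c) for c in comps)
    rec += struct.pack(">IIBH", 1, timestamp, kvno & 0xFF, etype) + _counted(key)
    rec += struct.pack(">I", kvno)  # trailing 32-bit kvno
    return b"\x05\x02" + struct.pack(">i", len(rec)) + rec

def parse_keytab(data):
    """List the live entries, flagging single-DES keys as weak."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4 + abs(size)
        if size <= 0:  # a negative length marks a deleted entry (hole)
            continue
        rec = data[pos - size:pos]
        if len(rec) != size:
            raise ValueError("truncated entry")
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, off = _read(rec, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _read(rec, off)
            comps.append(comp.decode())
        _ntype, _ts, kvno, etype = struct.unpack_from(">IIBH", rec, off)
        key, off = _read(rec, off + 11)
        if len(rec) - off >= 4:  # 32-bit kvno, used when present and non-zero
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
                        "etype": ETYPES.get(etype, str(etype)), "weak": etype in SINGLE_DES})
    return entries
# Constructed sample: made-up principal and realm, placeholder all-zero key.
SAMPLE = build_keytab("host/www.example.test", "EXAMPLE.TEST", 3, bytes(8), kvno=2)
```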
