Need help with ms2mit.exe
Hello,
I have installed kfw-3.0 on my XP workstation. It authenticates against
the KDC with no problems. Klist shows the ticket in the MSLSA cache.
On my workstation, I also have cygwin installed with krb5 and kerberos
enabled ssh. Once I run kinit, my ssh works fine.
I am now trying to get the Windows tickets to be dumped to the krb5
file cache using ms2mit so that I do not need to enter my password a
second time. When I run ms2mit from the command line I get the prompt
back with no errors but the krb5 cache is not populated. Any ideas
where I went wrong?
Thanks
Pat
Re: Need help with ms2mit.exe
Cygwin can only use file based ccaches. You need to store the TGT
into a file ccache.
ms2mit.exe -c FILE:<pathname>
Then you have to specify the default ccache name in your cygwin
environment.
Jeffrey Altman
Re: Need help with ms2mit.exe
Jeff, Thanks, That worked. When I had tried the -c option I did not put
the FILE: in front of the path.
I am now running into another problem. If I open a cygwin xterm window
and run kinit, I get the ticket. I am then able to ssh to any of the
servers without being asked for a password. But when I run ms2mit and
then try to ssh, I am asked for a password. If I run klist I see a
valid ticket. It looks the same as the ticket I get after running
kinit. In the kdc.log on the kdc server, I get an error stating:
"<unknown client> for host/FQDN@REALM, No matching key in entry". The
other thing that I have noticed when I do a klist is that after I do a
kinit and then ssh, the server I went to is in my ticket cache. But
after I run ms2mit and then ssh, the server is not added.
Thanks
Pat
Re: Need help with ms2mit.exe
"klist -e"
I bet the Kerberos implementation you are using in cygwin does not have
support for the enctypes used by Microsoft. RC4-HMAC
Jeffrey Altman
Re: Need help with ms2mit.exe
Jeff,
klist -e on windows has "ArcFour with HMAC/md5"
klist -e in cygwin has "AES-128 CTS mode with 96-bit SHA-1 HMAC"
I have kerberos 1.3.3 installed. I got the cygwin package from
http://www-clued0.fnal.gov/~axel/files/. What is the easiest way to fix
this?
Thanks
Pat
Re: Need help with ms2mit.exe
What does klist in cygwin show after you ms2mit? That is the important
question. If you are not seeing the TGT, then you are not placing the
ticket into the correct file.
Jeffrey Altman
Re: Need help with ms2mit.exe
Jeff,
The AES-128 encryption in cygwin is before I do the ms2mit. Once I run
the ms2mit the outputs from the two klists show the ArcFour encryption.
Thanks,
Pat
Re: Need help with ms2mit.exe
Then my only guess is that the Kerberos libraries you are using
within cygwin were compiled without support for RC4-HMAC.
If you use the native Windows kvno.exe tool can you obtain a
service ticket for the ssh host? If so, does that work with
the ssh client?
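The checks worked through in this thread (is the TGT in the cache Cygwin actually reads, and which enctype does it carry), as an added shell example that is not part of any post. The `klist -e` sample is constructed with a placeholder realm and principal, and the list of enctypes the local Kerberos build supports is an operator-supplied assumption.

```shell
#!/bin/sh
# Added example: triage a file ccache after ms2mit from `klist -e` text.
# Constructed sample in the MIT "Etype (skey, tkt)" layout; names are placeholders.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_pat
Default principal: pat@EXAMPLE.COM

Valid starting     Expires            Service principal
06/01/05 09:00:00  06/01/05 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5'

# Assumption: enctypes the Cygwin krb5 build was compiled with (one per line).
BUILD_ETYPES='AES-128 CTS mode with 96-bit SHA-1 HMAC
Triple DES cbc mode with HMAC/sha1'

# Name of the cache klist actually read.
cache_name() { printf '%s\n' "$1" | sed -n 's/^Ticket cache: //p'; }

# One line per ticket: "<service principal>|<session key etype>|<ticket etype>".
list_etypes() {
    printf '%s\n' "$1" | awk '
        /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9]/ { svc = $5 }
        /Etype \(skey, tkt\): / {
            sub(/^.*Etype \(skey, tkt\): /, "")
            split($0, e, ", ")
            print svc "|" e[1] "|" e[2]
        }'
}

# $1 klist -e text, $2 ccache the client is configured to use, $3 supported etypes.
# Prints WRONG_CACHE, NO_TGT, "ETYPE_UNSUPPORTED: <etype>" or OK.
triage() {
    [ "$(cache_name "$1")" = "$2" ] || { echo WRONG_CACHE; return 0; }
    tgt=$(list_etypes "$1" | grep '^krbtgt/' | head -n 1)
    [ -n "$tgt" ] || { echo NO_TGT; return 0; }
    for etype in "$(printf '%s\n' "$tgt" | cut -d'|' -f2)" \
                 "$(printf '%s\n' "$tgt" | cut -d'|' -f3)"; do
        printf '%s\n' "$3" | grep -qxF -- "$etype" ||
            { echo "ETYPE_UNSUPPORTED: $etype"; return 0; }
    done
    echo OK
}

triage "$SAMPLE_KLIST" "FILE:/tmp/krb5cc_pat" "$BUILD_ETYPES"
```

On a live system the first two arguments would be `"$(klist -e)"` and `"$KRB5CCNAME"`.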