Need help with ms2mit.exe - Kerberos


  1. Need help with ms2mit.exe

    Hello,

    I have installed kfw-3.0 on my XP workstation. It authenticates against
    the KDC with no problems. Klist shows the ticket in the MSLSA cache.

    On my workstation, I also have cygwin installed with krb5 and kerberos
    enabled ssh. Once I run kinit, my ssh works fine.

    I am now trying to get the Windows tickets to be dumped to the krb5
    file cache using ms2mit so that I do not need to enter my password a
    second time. When I run ms2mit from the command line I get the prompt
    back with no errors but the krb5 cache is not populated. Any ideas
    where I went wrong?

    Thanks
    Pat


  2. Re: Need help with ms2mit.exe

    Cygwin can only use file based ccaches. You need to store the TGT
    into a file ccache.

    ms2mit.exe -c FILE:

    Then you have to specify the default ccache name in your cygwin
    environment.

    Jeffrey Altman





  3. Re: Need help with ms2mit.exe

    Jeff, Thanks, That worked. When I had tried the -c option I did not put
    the FILE: in front of the path.

    I am now running into another problem. If I open a cygwin xterm window
    and run kinit, I get the ticket. I am then able to ssh to any of the
    servers without being asked for a password. But when I run ms2mit and
    then try to ssh, I am asked for a password. If I run klist I see a
    valid ticket. It looks the same as the ticket I get after running
    kinit. In the kdc.log on the kdc server, I get an error stating:
    " for host/FQDN@REALM, No matching key in entry" The
    other thing that I have noticed when I do a klist is that after I do a
    kinit and then ssh, the server I went to is in my ticket cache. But
    after I run ms2mit and then ssh, the server is not added.

    Thanks
    Pat





  4. Re: Need help with ms2mit.exe

    "klist -e"

    I bet the Kerberos implementation you are using in cygwin does not have
    support for the enctypes used by Microsoft: RC4-HMAC.

    Jeffrey Altman




  5. Re: Need help with ms2mit.exe

    Jeff,

    klist -e on windows has "ArcFour with HMAC/md5"
    klist -e in cygwin has "AES-128 CTS mode with 96-bit SHA-1 HMAC"

    I have kerberos 1.3.3 installed. I got the cygwin package from
    http://www-clued0.fnal.gov/~axel/files/. What is the easiest way to fix
    this?

    Thanks
    Pat





  6. Re: Need help with ms2mit.exe

    What does klist in cygwin show after you ms2mit? That is the important
    question. If you are not seeing the TGT, then you are not placing the
    ticket into the correct file.

    Jeffrey Altman




  7. Re: Need help with ms2mit.exe

    Jeff,

    The AES-128 encryption in cygwin is before I do the ms2mit. Once I run
    the ms2mit the outputs from the two klists show the ArcFour encryption.

    Thanks,
    Pat




  8. Re: Need help with ms2mit.exe

    Then my only guess is that the Kerberos libraries you are using
    within cygwin were compiled without support for RC4-HMAC.

    If you use the native Windows kvno.exe tool can you obtain a
    service ticket for the ssh host? If so, does that work with
    the ssh client?





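The checks made across this thread (file-based ccache, TGT present, TGT session-key enctype, service ticket for the ssh host), as an added example that is not part of the original posts: a shell function that summarizes `klist -e` text. Both listings, the realm, host name and cache path are constructed placeholders, and the `Etype (skey, tkt):` line layout is assumed to match MIT klist output.

```shell
#!/bin/sh
# Added example: summarize `klist -e` text for the checks made in this thread.
# Both listings are CONSTRUCTED samples (realm, host, path and times are
# placeholders); only the two enctype strings are taken from the thread.
AFTER_MS2MIT='Ticket cache: FILE:/tmp/krb5cc_pat
Default principal: pat@EXAMPLE.COM

Valid starting     Expires            Service principal
01/10/06 09:00:00  01/10/06 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5'

AFTER_KINIT_SSH='Ticket cache: FILE:/tmp/krb5cc_pat
Default principal: pat@EXAMPLE.COM

Valid starting     Expires            Service principal
01/10/06 09:00:00  01/10/06 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    Etype (skey, tkt): AES-128 CTS mode with 96-bit SHA-1 HMAC, AES-128 CTS mode with 96-bit SHA-1 HMAC
01/10/06 09:05:00  01/10/06 19:00:00  host/server.example.com@EXAMPLE.COM
    Etype (skey, tkt): AES-128 CTS mode with 96-bit SHA-1 HMAC, AES-128 CTS mode with 96-bit SHA-1 HMAC'

# check_ccache SERVICE   (reads `klist -e` output on stdin)
# Prints: file=<yes|no> tgt=<yes|no> tgt_skey=<enctype> service=<yes|no>
check_ccache() {
    awk -v svc="$1" '
        BEGIN { file = "no"; tgt = "no"; skey = "unknown"; service = "no" }
        # Cygwin krb5 needs a FILE: cache, so record the cache type.
        /^Ticket cache:/ { if ($3 ~ /^FILE:/) file = "yes" }
        # Ticket lines end with the service principal.
        $NF ~ /^krbtgt\// { tgt = "yes"; last = "tgt"; next }
        index($NF, svc "@") == 1 { service = "yes"; last = "svc"; next }
        # The Etype line that follows the TGT gives its session-key enctype.
        /Etype \(skey, tkt\):/ && last == "tgt" {
            sub(/^.*Etype \(skey, tkt\): */, "")
            split($0, e, ", ")
            skey = e[1]
            if (skey ~ /^ArcFour/) skey = "rc4-hmac"
            if (skey ~ /^AES-128/) skey = "aes128-cts"
            last = ""
        }
        END { printf "file=%s tgt=%s tgt_skey=%s service=%s\n", file, tgt, skey, service }
    '
}

printf '%s\n' "$AFTER_MS2MIT"    | check_ccache host/server.example.com
printf '%s\n' "$AFTER_KINIT_SSH" | check_ccache host/server.example.com
```

In a real session the input would be `klist -e | check_ccache host/<ssh server FQDN>`, run once after ms2mit and once after kinit so the two summaries can be compared.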