
Re: kinit and Windows Server 2008





Ulf Ekberg wrote:
> Using Heimdal 1.1 (also tried 1.2rc1), the following command:
> 
> kinit -k -t <keytab> agssuser/winctho2d6naz8.testak2008.net@TESTAK2008.NET
> 
> works fine against a Windows Server 2003 system, but fails
> like this against Windows Server 2008:
>

How did you get the keytab file? ktpass?

Did you use the /ptype KRB5_NT_SRV_HST option?

Does the Kvno in the keytab match the msDS-KeyVersionNumber attribute?

Is the UserAccountControl attribute of the AD account the same in 2003 and 2008?

> kinit: krb5_get_init_creds: Client
> (agssuser/winctho2d6naz8.testak2008.net@TESTAK2008.NET) unknown
> 
> In order to exclude the possibility of mistyping the principal
> name, I copy-pasted from the AD user account properties to file,
> scp:ed the file to the Linux system, and copy-pasted to the command
> line. Also tried copy-paste from strings(1) output of the keytab
> file. All had the same problem.
> 
> There were no relevant events logged on the WS 2008 system AFAICS.
> 
> Here's partial ethereal output of the packet exchange:
> 
> Kerberos AS-REQ
> Pvno: 5
> MSG Type: AS-REQ (10)
> KDC_REQ_BODY
> Padding: 0
> KDCOptions: 00000000
> Client Name (Principal): agssuser/win-ctho2d6naz8.testak2008.net
> Realm: TESTAK2008.NET
> Server Name (Principal): krbtgt/TESTAK2008.NET
> Name-type: Principal (1)
> Name: krbtgt
> Name: TESTAK2008.NET
> till: 2008-04-12 09:38:20 (Z)
> Nonce: 3479015567
> Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> des3-cbc-sha1 des3-cbc-sha rc4-hmac des-cbc-md5 des-cbc-md4 des-cbc-crc
> HostAddresses: 10.32.0.188 192.168.1.1
> 
> 
> Kerberos KRB-ERROR
> Pvno: 5
> MSG Type: KRB-ERROR (30)
> stime: 2008-04-11 23:38:11 (Z)
> susec: 532943
> error_code: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (6)
> Realm: TESTAK2008.NET
> Server Name (Principal): krbtgt/TESTAK2008.NET
> Name-type: Principal (1)
> Name: krbtgt
> Name: TESTAK2008.NET 
> 
> I've set
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\
> Kerberos\Parameters\LogLevel
> 
> to 1 via regedit on the WS 2008 system, and that did turn on
> some Kerberos logging, but nothing regarding the kinit failure.
> 
> Any idea what might be wrong, or how we could get more information
> from the WS 2008 system ?
> 
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
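The questions above come down to comparing what the keytab actually contains (principal string, name type, kvno, enctype) with what the AD account advertises. The following script is an added example, not part of this thread or of Heimdal; it parses the keytab file format (version 0x0502, the big-endian layout written by ktpass, Heimdal and MIT ktutil) and reports each entry so the principal can be checked byte for byte against the name given to kinit and the kvno against msDS-KeyVersionNumber. The sample keytab it parses is constructed inline with a dummy key; the principal it uses is the client name as it appears in the captured AS-REQ (win-ctho2d6naz8...), which is not byte-identical to the one in the quoted kinit command (winctho2d6naz8...). Whether that difference is the real cause is not established by the thread; the example only shows how such a mismatch surfaces when the strings are compared exactly. The 32-bit kvno field that follows the key (used for kvnos above 255) and deleted slots (negative size) are handled as well.

```python
"""Dump a Kerberos keytab (format 0x0502) and compare an entry against
the principal name and kvno expected by the KDC. Added example; constructed
sample data, not a real keytab."""
import struct
import sys
from dataclasses import dataclass

# Enctype numbers from RFC 3961/3962/4757, used only to label output.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "rc4-hmac"}
KRB5_NT_PRINCIPAL = 1
KRB5_NT_SRV_HST = 3   # the name type ktpass selects with /ptype KRB5_NT_SRV_HST


@dataclass
class KeytabEntry:
    principal: str    # "comp1/comp2@REALM"
    name_type: int
    kvno: int
    enctype: int
    timestamp: int
    key: bytes

    def enctype_name(self) -> str:
        return ENCTYPES.get(self.enctype, f"etype-{self.enctype}")


def _counted(buf: bytes, pos: int):
    """Read a 16-bit length-prefixed byte string at pos."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data: bytes):
    """Return every live KeytabEntry in a version-0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 (big-endian) is handled here")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        kvno = vno8
        # Optional 32-bit kvno after the key overrides the 8-bit one when non-zero.
        if end - pos >= 4:
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, kvno, enctype, ts, key))
    return entries


def build_keytab(entries) -> bytes:
    """Serialise KeytabEntry records to format 0x0502 (used to construct the sample)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)       # 32-bit kvno, as modern tools write it
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_entry(entries, expected_principal: str, ad_kvno: int) -> dict:
    """Exact-string match of the principal kinit is given, plus kvno agreement
    with the account's msDS-KeyVersionNumber and the name types present."""
    matches = [e for e in entries if e.principal == expected_principal]
    return {"found": bool(matches),
            "kvno_ok": any(e.kvno == ad_kvno for e in matches),
            "name_types": sorted({e.name_type for e in matches})}


# Constructed sample: dummy 16-byte rc4 key, constructed timestamp, kvno 3.
SAMPLE_KEY = bytes(range(16))
SAMPLE_KEYTAB = build_keytab([KeytabEntry(
    "agssuser/win-ctho2d6naz8.testak2008.net@TESTAK2008.NET",
    KRB5_NT_SRV_HST, 3, 23, 1207957091, SAMPLE_KEY)])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for e in parse_keytab(data):
        print(f"{e.principal}  type={e.name_type} kvno={e.kvno} {e.enctype_name()}")
```

Run it against a real keytab with `python keytab_dump.py /path/to/keytab`; with no argument it dumps the constructed sample. `check_entry` is deliberately an exact string comparison because that is what kinit does when it looks the principal up in the keytab: a missing hyphen or different case in the host part means no match, independent of kvno.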