
Re: krb5_get_init_creds_keytab w/ preauthentication



On Sun, 28 May 2006 21:09:49 -0400
Michael B Allen <mba2000@ioplex.com> wrote:

> On Mon, 29 May 2006 00:07:26 +0100
> "Markus Moeller" <huaraz@moeller.plus.com> wrote:
> 
> > Michael,
> > 
> > I build it on SLES 9 which uses Heimdal 0.6.3 as default.  And I am pretty 
> > sure that I can do a kinit -kt keytab host/fqdn on my SLES9 box.


Wait! Hold the phone. It works. I was using the user principal name form
'macho$@FOO.NET'. If I do:

  kinit -k -t ~/tmp/macho.keytab host/macho.foo.net@FOO.NET

it works.

Thanks for your patience,
Mike


> 
> I'm using 0.7.2. I have cvsweb for Heimdal and there has been quite a
> few revisions since 0.6.3.
> 
> > I have a couple of questions:
> > How did you create your keytab ?
> 
>   C:\> ktpass /out macho.keytab /mapuser macho$@FOO.NET \
>        /princ host/macho.foo.net /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL
> 
> Note I didn't use /rndpass because I wanted to test with
> krb5_get_init_creds_password.
> 
> > Is it from a w2k3 kdc ?
> 
> Yes.
> 
> > Is it DES ?
> 
> No. It's RC4:
> 
> $ ktutil -k ~/tmp/macho.keytab list
> /home/miallen/tmp/macho.keytab:
> 
> Vno  Type              Principal
>   5  arcfour-hmac-md5  host/macho.foo.net@FOO.NET
> 
> > If it is a w2k3 do you use computer accounts ?
> 
> I'm just testing my software so everything is contrived. The account
> 'macho' has a type 'Computer' but I just noticed for some reason it
> appears under 'Users' in the Active Directory Computers and Users
> mmc snap-in. So something with that account might be goofy but
> krb5_get_init_creds_password works with that account.
> 
> > Did you have a look at the error response with ethereal ?
> 
> Yes.
> 
> > If you use DES you 
> > may see the salt you use and the salt the kdc wants to use
> 
> I use ktexport to dump all keys for Ethereal so it decrypts everything
> from everybody. There is no salt for rc4. It's shown as "<MISSING>".
> 
> Mike
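The fix that ended this thread was a principal-name mismatch: the keytab held host/macho.foo.net@FOO.NET, but the caller asked for the UPN form macho$@FOO.NET, which is not in the keytab at all. The quickest way to rule that out is to list the keytab (as "ktutil -k ... list" does above) and compare the requested principal against the entries byte for byte. The script below is an added example written for this archive, not code from Heimdal or from anyone in the thread. It parses the version 0x0502 keytab layout shared by MIT and Heimdal (size-prefixed entries; 16-bit component count excluding the realm; counted realm and components; 32-bit name type; 32-bit timestamp; 8-bit kvno; 16-bit enctype; counted key; optional 32-bit kvno), skips deleted slots, and reports which of two candidate principals actually has a key. The keytab bytes, timestamp and all-zero key are constructed for the demonstration; build_keytab exists only to produce that sample and is not a Heimdal API.

```python
import struct
from typing import List, NamedTuple, Tuple

# Enctype numbers from RFC 3961/4757; 23 is the arcfour-hmac-md5 seen in the thread.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}
KRB5_NT_PRINCIPAL = 1  # the /ptype used in the ktpass command above


class KeytabEntry(NamedTuple):
    principal: str   # "comp1/comp2@REALM"
    name_type: int
    timestamp: int
    vno: int
    enctype: int
    key: bytes


def _read_counted(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version 0x0502 keytab into entries (keys are returned, so treat the result as secret)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot of |size| bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + keylen]
        pos += keylen
        vno = vno8
        if end - pos >= 4:                # optional 32-bit kvno overrides the 8-bit one when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                vno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, vno, enctype, key))
    return entries


def find_key(entries: List[KeytabEntry], principal: str) -> List[KeytabEntry]:
    """Exact, case-sensitive match, which is what a keytab lookup does: 'macho$@FOO.NET'
    and 'host/macho.foo.net@FOO.NET' are unrelated names even though they map to one account."""
    return [e for e in entries if e.principal == principal]


def describe(entries: List[KeytabEntry]) -> str:
    """Render entries in the same columns as 'ktutil list' (never prints key bytes)."""
    lines = ["Vno  Type                     Principal"]
    for e in entries:
        lines.append("%3d  %-24s %s" % (e.vno, ENCTYPE_NAMES.get(e.enctype, str(e.enctype)), e.principal))
    return "\n".join(lines)


def build_keytab(entries) -> bytes:
    """Helper to construct a sample keytab for this example (not a Heimdal API)."""
    out = bytearray(b"\x05\x02")
    for principal, name_type, timestamp, vno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", name_type, timestamp, vno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", vno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample mirroring the ktutil output in the thread: kvno 5, arcfour-hmac-md5,
# host/macho.foo.net@FOO.NET. The timestamp is arbitrary and the 16-byte key is all zeros.
SAMPLE_KEYTAB = build_keytab([
    ("host/macho.foo.net@FOO.NET", KRB5_NT_PRINCIPAL, 1148857789, 5, 23, bytes(16)),
])

if __name__ == "__main__":
    ents = parse_keytab(SAMPLE_KEYTAB)
    print(describe(ents))
    for cand in ("macho$@FOO.NET", "host/macho.foo.net@FOO.NET"):
        print("%-28s -> %s" % (cand, "found" if find_key(ents, cand) else "NOT in keytab"))
```

Run it against a real file with parse_keytab(open(path, "rb").read()); the "NOT in keytab" line for the UPN form is exactly the condition that produced the failure discussed above, and it is worth checking before looking at KDC error replies in a packet capture.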