Re: krb5_get_init_creds_keytab w/ preauthentication
On Sun, 28 May 2006 21:09:49 -0400
Michael B Allen <firstname.lastname@example.org> wrote:
> On Mon, 29 May 2006 00:07:26 +0100
> "Markus Moeller" <email@example.com> wrote:
> > Michael,
> > I build it on SLES 9 which uses Heimdal 0.6.3 as default. And I am pretty
> > sure that I can do a kinit -kt keytab host/fqdn on my SLES9 box.
Wait! Hold the phone. It works. I was using the user principal name form
'macho$@FOO.NET'. If I do:
kinit -k -t ~/tmp/macho.keytab host/macho.foo.net@FOO.NET
Thanks for your patience,
> I'm using 0.7.2. I have cvsweb for Heimdal and there have been quite a
> few revisions since 0.6.3.
> > I have a couple of questions:
> > How did you create your keytab ?
> C:\> ktpass /out macho.keytab /mapuser macho$@FOO.NET \
> /princ host/macho.foo.net /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL
> Note I didn't use /rndpass because I wanted to test with
> > Is it from a w2k3 kdc ?
> > Is it DES ?
> No. It's RC4:
> $ ktutil -k ~/tmp/macho.keytab list
> Vno Type Principal
> 5 arcfour-hmac-md5 host/macho.foo.net@FOO.NET
> > If it is a w2k3 do you use computer accounts ?
> I'm just testing my software so everything is contrived. The account
> 'macho' has a type 'Computer' but I just noticed for some reason it
> appears under 'Users' in the Active Directory Computers and Users
> mmc snap-in. So something with that account might be goofy but
> krb5_get_init_creds_password works with that account.
> > Did you have a look at the error response with ethereal ?
> > If you use DES you
> > may see the salt you use and the salt the kdc wants to use
> I use ktexport to dump all keys for Ethereal so it decrypts everything
> from everybody. There is no salt for rc4. It's shown as "<MISSING>".