
kinit and Windows Server 2008



Using Heimdal 1.1 (also tried 1.2rc1), the following command:

kinit -k -t <keytab> agssuser/winctho2d6naz8.testak2008.net@TESTAK2008.NET

works fine against a Windows Server 2003 system, but fails
like this against Windows Server 2008:

kinit: krb5_get_init_creds: Client
(agssuser/winctho2d6naz8.testak2008.net@TESTAK2008.NET) unknown

In order to exclude the possibility of mistyping the principal
name, I copy-pasted from the AD user account properties to file,
scp:ed the file to the Linux system, and copy-pasted to the command
line. Also tried copy-paste from strings(1) output of the keytab
file. All had the same problem.

There were no relevant events logged on the WS 2008 system AFAICS.

Here's partial ethereal output of the packet exchange:

Kerberos AS-REQ
Pvno: 5
MSG Type: AS-REQ (10)
KDC_REQ_BODY
Padding: 0
KDCOptions: 00000000
Client Name (Principal): agssuser/win-ctho2d6naz8.testak2008.net
Realm: TESTAK2008.NET
Server Name (Principal): krbtgt/TESTAK2008.NET
Name-type: Principal (1)
Name: krbtgt
Name: TESTAK2008.NET
till: 2008-04-12 09:38:20 (Z)
Nonce: 3479015567
Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
des3-cbc-sha1 des3-cbc-sha rc4-hmac des-cbc-md5 des-cbc-md4 des-cbc-crc
HostAddresses: 10.32.0.188 192.168.1.1


Kerberos KRB-ERROR
Pvno: 5
MSG Type: KRB-ERROR (30)
stime: 2008-04-11 23:38:11 (Z)
susec: 532943
error_code: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (6)
Realm: TESTAK2008.NET
Server Name (Principal): krbtgt/TESTAK2008.NET
Name-type: Principal (1)
Name: krbtgt
Name: TESTAK2008.NET 

I've set
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters\LogLevel

to 1 via regedit on the WS 2008 system, and that did turn on
some Kerberos logging, but nothing regarding the kinit failure.

Any idea what might be wrong, or how we could get more information
from the WS 2008 system?