
Re: kinit and Windows Server 2008

Douglas E. Engert wrote:
> 
> 
> Ulf Ekberg wrote:
>> Using Heimdal 1.1 (also tried 1.2rc1), the following command:
>>
>> kinit -k -t <keytab>
>> agssuser/winctho2d6naz8.testak2008.net@TESTAK2008.NET
>>
>> works fine against a Windows Server 2003 system, but fails
>> like this against Windows Server 2008:
>>
> 
> How did you get the keytab file? ktpass?

Yes, that's right.

> Did you use the /ptype KRB5_NT_SRV_HST option?

No, but it made no difference when I tried it.

(I had tried using "-ptype KRB5_NT_PRINCIPAL" to silence
a complaint from ktpass: "WARNING: pType and account do
not match.This might cause some problems." However, while
the complaint disappeared, kinit still failed. The message
is still there with "-ptype KRB5_NT_SRV_HST".)

> Does the Kvno in the keytab match the msDS-KeyVersionNumber attribute?

I can see the msDS-KeyVersionNumber attribute on 2003, but it's
absent on 2008.

Would this be a problem, and how do I create it on 2008?

> Is the UserAccountControl attribute of the AD account the same in 2003
> and 2008?

No, it's 2163200 (which is 0x210200) on 2003, and 0x10200 on 2008.
The 2008 version explains that this is NORMAL_ACCOUNT|DONT_EXPIRE_PASSWD.

So, there's some additional flag present on 2003. I changed it on
2008, and got USE_DES_K (it's cut off at the K) as well, which looked
promising. However, after clicking Apply, the kinit still failed in
the same way.


>> kinit: krb5_get_init_creds: Client
>> (agssuser/winctho2d6naz8.testak2008.net@TESTAK2008.NET) unknown
>>
>> In order to exclude the possibility of mistyping the principal
>> name, I copy-pasted from the AD user account properties to file,
>> scp:ed the file to the Linux system, and copy-pasted to the command
>> line. Also tried copy-paste from strings(1) output of the keytab
>> file. All had the same problem.
>>
>> There were no relevant events logged on the WS 2008 system AFAICS.
>>
>> Here's partial ethereal output of the packet exchange:
>>
>> Kerberos AS-REQ
>> Pvno: 5
>> MSG Type: AS-REQ (10)
>> KDC_REQ_BODY
>> Padding: 0
>> KDCOptions: 00000000
>> Client Name (Principal): agssuser/win-ctho2d6naz8.testak2008.net
>> Realm: TESTAK2008.NET
>> Server Name (Principal): krbtgt/TESTAK2008.NET
>> Name-type: Principal (1)
>> Name: krbtgt
>> Name: TESTAK2008.NET
>> till: 2008-04-12 09:38:20 (Z)
>> Nonce: 3479015567
>> Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
>> des3-cbc-sha1 des3-cbc-sha rc4-hmac des-cbc-md5 des-cbc-md4 des-cbc-crc
>> HostAddresses: 10.32.0.188 192.168.1.1
>>
>>
>> Kerberos KRB-ERROR
>> Pvno: 5
>> MSG Type: KRB-ERROR (30)
>> stime: 2008-04-11 23:38:11 (Z)
>> susec: 532943
>> error_code: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (6)
>> Realm: TESTAK2008.NET
>> Server Name (Principal): krbtgt/TESTAK2008.NET
>> Name-type: Principal (1)
>> Name: krbtgt
>> Name: TESTAK2008.NET
>> I've set
>> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\
>> Kerberos\Parameters\LogLevel
>>
>> to 1 via regedit on the WS 2008 system, and that did turn on
>> some Kerberos logging, but nothing regarding the kinit failure.
>>
>> Any idea what might be wrong, or how we could get more information
>> from the WS 2008 system?
>>
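As an added example (not part of the thread), a small Python decoder for the two userAccountControl values quoted above; the bit constants are the documented ADS_UF_* flag values, and the risk notes on the flags are mine, not the list's.

```python
# Decode AD userAccountControl bitmasks such as the 2003/2008 values in
# the thread (2163200 == 0x210200 versus 0x10200). Constants are the
# documented ADS_UF_* flag values; the inputs below are from the thread.
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Flags worth a second look on any Kerberos service account (my notes).
RISKY = {"USE_DES_KEY_ONLY": "restricts the account to single-DES keys",
         "DONT_REQ_PREAUTH": "disables Kerberos pre-authentication",
         "PASSWD_NOTREQD": "allows an empty password",
         "TRUSTED_FOR_DELEGATION": "unconstrained delegation"}

def parse_uac(text):
    """Accept the decimal form ADSI Edit shows ('2163200') or hex ('0x210200')."""
    return int(text.strip(), 0)

def decode_uac(value):
    """Return (flag names set in value, any bits not in the table)."""
    names = [n for bit, n in sorted(UAC_FLAGS.items()) if value & bit]
    return names, value & ~sum(UAC_FLAGS)

def diff_uac(old, new):
    """Flags added/removed between two accounts, with risk notes for any known-risky ones."""
    added = set(decode_uac(new)[0]) - set(decode_uac(old)[0])
    removed = set(decode_uac(old)[0]) - set(decode_uac(new)[0])
    return sorted(added), sorted(removed), {n: RISKY[n] for n in added | removed if n in RISKY}

if __name__ == "__main__":
    print(decode_uac(parse_uac("2163200")))   # the 2003 account
    print(diff_uac(parse_uac("0x10200"), parse_uac("2163200")))  # 2008 -> 2003
```

Run against the thread's values it shows that the one bit present on 2003 and absent on 2008 is 0x200000, USE_DES_KEY_ONLY, which matches the "USE_DES_K" label the poster saw truncated in the 2008 UI.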