Can't make the keytab work


Stian Selnes
Hi,

I'm trying to log on using Kerberos and telnet between two Linux
machines. The host has address asterisk.tsip.lab. I'm using Microsoft
Live Communication Server 2005 as KDC. The problem is this (I followed
the steps at this site:
http://www.cromwell-intl.com/unix/kerberos.html ):

I let ktpass.exe generate a keytab for me:
ktpass -princ host/[hidden email] -mapuser xxx.yyy.com -pass zzz
-out temp.keytab

I transferred this keytab over to the host and used ktutil to add the
keytab to the file /etc/krb5.keytab. It seems to me like this process
has worked because when I now use ktutil I get:

# ktutil:  rkt /etc/krb5.keytab
# ktutil:  l -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3          host/[hidden email] (DES cbc mode with RSA-MD5)

And here comes the problem. When I type:

# kinit -5 -k -t /etc/krb5.keytab xxx.yyy.com

to verify that I can get credentials using the keytab, nothing
happens. Well, actually, I can see from Ethereal that I'm sending an
AS-REQ to the KDC, and get a KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED in
return. And then nothing happens. Not even an error message.

If I try to get a credential not using the keytab:

# kinit xxx.yyy.com
Password for [hidden email]:

everything works fine, and I can use Kerberos and telnet from the
second computer to log on to xxx.yyy.com. Therefore, there must be
something wrong with the keytab or the way I'm trying to verify it?
Anybody got some tips, please?

Here's my krb5.conf file:

[libdefaults]
 default_realm = YYY.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 default_tkt_enctypes = des-cbc-md5
 default_tgs_enctypes = des-cbc-md5

[realms]
 YYY.COM = {
  kdc = lcs2005.yyy.com:88
  kpasswd_server = lcs2005.yyy.com:464
 }

[domain_realm]
 .yyy.com = YYY.COM
 yyy.com = YYY.COM

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos