What does this return? kvno -e des-cbc-md5 sapldap/ads.company....@company.com
-Christopher

-----Original Message-----
From: Ray Vand [mailto:ray_v...@filemaker.com]
Sent: Monday, April 22, 2013 4:46 PM
To: Nebergall, Christopher
Cc: Benjamin Kaduk; kerberos@mit.edu
Subject: Re: [EXTERNAL] Re: Issue with Kerberos setting in Sun Solaris 10

Christopher,

Yes, I have. Please see below.

# cat krb5.conf
libdefaults]
        default_realm = COMPANY.COM
        default_keytab_name = /etc/krb5/krb5.keytab
        default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
        default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
        allow_weak_crypto = true

[realms]
        COMPANY.COM = {
                kdc = ads.company.com:88
                admin_server = ads.company.com
                default.domain = COMPANY.COM
                kpasswd_server = ads.company.com
        }

[domain_realm]
        .company.com = COMPANY.COM
        company.com = COMPANY.COM
#
# kinit -k sapldap/ads.company....@company.com
kinit(v5): Key table entry not found while getting initial credentials
#

When I use it without the -k option, it works: it prompts for a password and only takes the correct password. klist shows a recent date and expiration time.

Ray

On Apr 22, 2013, at 2:01 PM, "Nebergall, Christopher" <cneb...@sandia.gov> wrote:

> Do you need to have allow_weak_crypto = true set in your krb5.conf?
>
> -Christopher
>
> -----Original Message-----
> From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu] On Behalf Of Ray Vand
> Sent: Monday, April 22, 2013 3:38 PM
> To: Benjamin Kaduk
> Cc: kerberos@mit.edu
> Subject: [EXTERNAL] Re: Issue with Kerberos setting in Sun Solaris 10
>
> Ben,
>
> The space is added when I cut and paste from the terminal. I forgot to fix it
> in the email.
> It prompts for a password and it takes it. I even tried a wrong password and I
> got an error, which means it is communicating with the KDC.
>
> Also, I am using MIT Kerberos version krb5-1.11.1-signed.tar, which I
> downloaded from the MIT site.
>
> Ray
>
> On Apr 22, 2013, at 1:27 PM, Benjamin Kaduk <ka...@mit.edu> wrote:
>
>> [putting the list back in the cc]
>>
>> On Mon, 22 Apr 2013, Ray Vand wrote:
>>
>>> Ben,
>>>
>>> kvno was 9 because I gave a new value in the addent command.
>>>
>>> ktutil:  addent -password -p sapldap/ads.company....@company.com -k 9 -e DES-CBC-MD5
>>
>> Ah, okay.  As I said earlier, I don't think this kvno will affect 'kinit
>> -k', but is relevant when used as an acceptor.
>>
>>> I created a new one with kvno 7 and tried it. Still getting the initial
>>> credentials error.
>>
>> Right, I wouldn't expect that to change.
>>
>> Some ways of generating a keytab will increment the kvno on the KDC, which
>> will cause problems for existing keytabs; it sounds like that is not what is
>> causing this problem.
>>
>>> ktutil:  addent -password -p sapldap/ads.company.com@ COMPANY.COM -k 7 -e DES-CBC-MD5
>>> Password for sapldap/ads.company.com@ COMPANY.COM:
>>> ktutil:  list
>>> slot KVNO Principal
>>> ---- ---- ---------------------------------------------------------------------
>>>    1    7 sapldap/ads.company.com@ COMPANY.COM
>>> ktutil:  wkt /tmp/ray.keytab
>>> ktutil:  q
>>>
>>> # cp /tmp/ray.keytab /etc/krb5/krb5.keytab
>>>
>>> # kinit -k -t /etc/krb5/krb5.keytab sapldap/ads.company.com@ COMPANY.COM
>>> kinit(v5): Key table entry not found while getting initial credentials
>>
>> I assume the space between '@' and "COMPANY.COM" is introduced while
>> transcribing into email?  If it is present in the actual command line it may
>> cause problems.
>>
>> You never did say if you are using the Solaris integrated tools or an
>> external installation of MIT kerberos.
>>
>> -Ben
>
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos