Christopher, Something is wrong with your command. May be it is incomplete.
Can you please send me the correct syntax? Ray On Apr 22, 2013, at 2:55 PM, Nebergall, Christopher wrote: > What does this return? > > kvno -e des-cbc-md5 sapldap/ads.company....@company.com > > -Christopher > -----Original Message----- > From: Ray Vand [mailto:ray_v...@filemaker.com] > Sent: Monday, April 22, 2013 4:46 PM > To: Nebergall, Christopher > Cc: Benjamin Kaduk; kerberos@mit.edu > Subject: Re: [EXTERNAL] Re: Issue with Kerberos setting in Sun Solaris 10 > > Christopher, > > Yes, I have. Please see below. > > # cat krb5.conf > libdefaults] > default_realm = COMPANY.COM > default_keytab_name = /etc/krb5/krb5.keytab > default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 > default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 > allow_weak_crypto = true > > [realms] > COMPANY.COM = { > kdc = ads.company.com:88 > admin_server = ads.company.com > default.domain = COMPANY.COM > kpasswd_server = ads.company.com > } > > [domain_realm] > .company.com = COMPANY.COM > company.com = COMPANY.COM > # > > > # kinit -k sapldap/ads.company....@company.com > kinit(v5): Key table entry not found while getting initial credentials > # > > When I use it without -k option, it works and prompts for password and only > takes correct password. > klist shows recent date and expiration time. > > Ray > > > On Apr 22, 2013, at 2:01 PM, "Nebergall, Christopher" <cneb...@sandia.gov> > wrote: > >> Do you need to have allow_weak_crypto = true set in your krb5.conf? >> >> -Christopher >> -----Original Message----- >> From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu] On Behalf >> Of Ray Vand >> Sent: Monday, April 22, 2013 3:38 PM >> To: Benjamin Kaduk >> Cc: kerberos@mit.edu >> Subject: [EXTERNAL] Re: Issue with Kerberos setting in Sun Solaris 10 >> >> Ben, >> >> The space is added when I cut and paste from terminal. I forgot to fix it in >> the email. >> it prompts for password and it takes it. I even tried wrong password and I >> got error. Which mean it is communicating with KDC. >> >> Also I am using MIT Kerberos version krb5-1.11.1-signed.tar which I download >> it from MIT site. >> >> Ray >> >> On Apr 22, 2013, at 1:27 PM, Benjamin Kaduk <ka...@mit.edu> wrote: >> >>> [putting the list back in the cc] >>> >>> On Mon, 22 Apr 2013, Ray Vand wrote: >>> >>>> Ben, >>>> >>>> kvno was 9 because I gave a new value in addent command. >>>> >>>> ktutil: addent -password -p sapldap/ads.company....@company.com -k 9 -e >>>> DES-CBC-MD5 >>> >>> Ah, okay. As I said earlier, I don't think this kvno will affect 'kinit >>> -k', but is relevant when used as an acceptor. >>> >>>> I created a new one with kvno 7 and tried it. Still getting initial >>>> credentials error. >>> >>> Right, I wouldn't expect that to change. >>> >>> Some ways of generating a keytab will increment the kvno on the KDC, which >>> will cause problems for existing keytabs; it sounds like that is not what >>> is causing this problem. >>> >>>> ktutil: addent -password -p sapldap/ads.company.com@ COMPANY.COM -k 7 -e >>>> DES-CBC-MD5 >>>> Password for sapldap/ads.company.com@ COMPANY.COM: >>>> ktutil: list >>>> slot KVNO Principal >>>> ---- ---- >>>> --------------------------------------------------------------------- >>>> 1 7 sapldap/ads.company.com@ COMPANY.COM >>>> ktutil: wkt /tmp/ray.keytab >>>> ktutil: q >>>> >>>> # cp /tmp/ray.keytab /etc/krb5/krb5.keytab >>>> >>>> # kinit -k -t /etc/krb5/krb5.keytab sapldap/ads.company.com@ COMPANY.COM >>>> kinit(v5): Key table entry not found while getting initial credentials >>> >>> I assume the space between '@' and "COMPANY.COM" is introduced while >>> transcribing into email? If it is present in the actual command line it >>> may cause problems. >>> >>> You never did say if you are using the Solaris integrated tools or an >>> external installation of MIT kerberos. >>> >>> -Ben >> >> >> ________________________________________________ >> Kerberos mailing list Kerberos@mit.edu >> https://mailman.mit.edu/mailman/listinfo/kerberos >> > > ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
