Shawn M Emery wrote:
> Wyllys Ingersoll wrote:
>> Douglas E. Engert wrote:
>>
>>> Wyllys Ingersoll wrote:
>>>
>>>> Glenn Barry wrote:
>>>>
>>>>> Wyllys Ingersoll wrote:
>>>>>
>>>>>> I am trying to test out the ability to get creds from a keytab for
>>>>>> a non "host" credential.
>>>>>> kinit -k -S _service_name_ is supposed to work, but it doesn't.
>>>>>>
>>>>>> Am I using this properly or is this a bug in kinit (or
>>>>>> krb5_get_init_creds API) ?
>>>>>>
>>>>>> # kinit -k -S imap
>>>>>> kinit(v5): Server not found in Kerberos database while getting
>>>>>> initial credentials
>>>>>>
>>>>> how about adding the fqdn "kinit -k -S imap/fqdn" , try that yet?
>>>>>
>>>> Tried that - no luck.
>>>>
>>> You may have to give the client principal too as kinit will assume
>>> the client is the one found in the cache, or derive from the $LOGNAME
>>>
>>> I bet in your case it is looking for root@<realm>
>>>
>>> On my workstation
>>> kinit -k -S LDAP/xxxx.anl.gov host/orleans.anl.gov
>>> wrote the ticket to /tmp/krb5cc_0
>>>
>>>
>> Yes, thanks. That worked.
>
> Hmmm, the error message should have said that the client was not found,
> not the server. Or did the error message change once the service
> principal was fully qualified?

Can you use Wireshark or other network trace to see the packets?
I don't see how the -S imap without a host name would ever work, unless it
assumed the local host name.

>
> Shawn.
> --
>

--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444