> "Marc Horowitz" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > "Rick" <[EMAIL PROTECTED]> writes:
> >
> > >> On unix
> > >> 1. ktutil
> > >> 2. rkt unix1.keytab
> > >> 3. list
> > >> 4. wkt /etc/krb5.keytab
> > >> 5. q
> >
> > Is there a reason you did all this instead of "cp"?
>
> Basically this is what the MS document outlined. Not being familiar with
> Kerberos I can only presume ktutil does more than just merge keytabs. Based
> on your post it seems as if that's not the case.

If there are no keys already in /etc/krb5.keytab that you care about, 'cp'
will do the job. If there are already keys in /etc/krb5.keytab and you want
to add another key from a different keytab, then the 5-step process above is
the right way to do it, as ktutil will not clobber the existing keys already
in /etc/krb5.keytab.

> > >> To try to get it to work in my NT machine I basically did the same
> > >> thing.
> > >>
> > >> On kdc:
> > >> 1. ktpass -princ [EMAIL PROTECTED] -mapuser test -pass
> > >> testpass -out test.keytab
> > >> 2. transfer keytab to windows computer.
> > >>
> > >> There doesn't seem to be a ktutil.exe on windows.
> >
> > What do you think you need ktutil for?
>
> Please see above.
>
> > >> I presume I need to get a
> > >> ticket for 'tsample'. I tried kinit -k -t krb5.keytab -S tsample test.
> > >> It didn't work. Neither did several other variations.
> >
> > Why are you giving kinit the -S flag? I do not think it does what you
> > think it does. For that matter, why are you using a keytab at all?
> > It's much easier to create a normal user principal and use kinit to
> > get tickets. If you must use a keytab, the correct invocation is
> > "kinit -k -t keytabfile [EMAIL PROTECTED]". Of course, the
> > last argument should be the actual principal name of the key you want
> > to use.
>
> If I do as you say it will change the default principal name. Due to time
> restrictions I haven't been able to gain a greater understanding of how most
> of this works but I think what I want is to get a service ticket (sample)
> for a specified principal (user). For example in Unix, after I run the
> gss-api sample program klist produces this.
>
> default principal: [EMAIL PROTECTED]
>
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
>
> BTW. The names are different than above because I'm using different
> keytabs, service names, etc. between unix tests and windows tests.
>
> The way I read this is that the principal named 'user' has three tickets.
> One tgt and two tickets for 'sample'. Not sure why there are two for
> 'sample' but that's not horribly important to me right now. Is that not
> correct?
>
> Ultimately the application will use 'rcmd' to auth the sender but just to
> see how all this fits together I'm using 'sample'
>
> Thank you for any help.
>
> > >> The gss-server sample fails with
> > >> GSS-API error acquiring credentials: Miscellaneous failure
> > >> GSS-API error acquiring credentials: No such file or directory
> >
> > The server would fail this way because it can't find the keytab file.
> > I don't know where win3k is looking for it, but you should figure this
> > out, and put the keytab there.
>
> I checked source code. First it checks env table, then
> 'default_keytab_name' in 'libdefaults'. On windows, if all else fails, it
> will go to windows directory (\winnt). I just used krb5.conf and it finds
> the file now. However, I now get another error message.
>
> GSS-API error acquiring credentials: Miscellaneous failure
> GSS-API error acquiring credentials: No principal in keytab matches desired
> name

Are you invoking the server with the correct service_name that matches the
principal whose key is in the keytab?
________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
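
Added example (not part of the original thread and not MIT Kerberos code): a small Python reader for the MIT keytab file format, version 0x0502, that lists the principals a keytab holds and shows the difference discussed above between replacing /etc/krb5.keytab with cp and appending entries to it. The principal names, realm and all-zero keys are constructed sample values, and the function names are hypothetical.

```python
import struct

HEADER = b"\x05\x02"  # MIT keytab file format version 0x0502

def _counted(b):
    return struct.pack(">H", len(b)) + b

def build_entry(principal, kvno, enctype=18, key=b"\x00" * 32):
    """Encode one entry; used only to construct the sample keytabs below."""
    name, realm = principal.rsplit("@", 1)
    body = struct.pack(">H", name.count("/") + 1) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in name.split("/"))
    body += struct.pack(">IIB", 1, 0, kvno)  # name type, timestamp, 8-bit kvno
    body += struct.pack(">H", enctype) + _counted(key)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every entry in the keytab."""
    if data[:2] != HEADER:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:  # negative size marks a deleted slot; skip over it
            pos += -size
            continue
        p, parts = pos + 2, []
        (ncomp,) = struct.unpack_from(">H", data, pos)
        for _ in range(ncomp + 1):  # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, p)
            parts.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        _ntype, _ts, kvno = struct.unpack_from(">IIB", data, p)
        enctype, klen = struct.unpack_from(">HH", data, p + 9)
        if pos + size - (p + 13 + klen) >= 4:  # optional 32-bit kvno follows key
            kvno = struct.unpack_from(">I", data, p + 13 + klen)[0] or kvno
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno, enctype))
        pos += size
    return entries

def merge_keytabs(existing, incoming):
    """Append incoming's entries to existing, keeping what is already there."""
    parse_keytab(incoming)  # reject input that is not a keytab
    return existing + incoming[2:]

# Constructed sample keytabs: hypothetical principals, all-zero keys.
ETC = HEADER + build_entry("host/unix1.example.com@EXAMPLE.COM", kvno=3)
NEW = HEADER + build_entry("sample/unix1.example.com@EXAMPLE.COM", kvno=1)
MERGED = merge_keytabs(ETC, NEW)
```

Copying NEW over ETC leaves only the sample principal, while MERGED holds both. On a real system, `klist -k /etc/krb5.keytab` prints the same principal listing to compare against the service name the server is started with.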
