"Kevin Coffman" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
>
> > "Marc Horowitz" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]...
> > > "Rick" <[EMAIL PROTECTED]> writes:
> > >
> > > >> On unix
> > > >> 1. ktutil
> > > >> 2. rkt unix1.keytab
> > > >> 3. list
> > > >> 4. wkt /etc/krb5.keytab
> > > >> 5. q
> > >
> > > Is there a reason you did all this instead of "cp"?
> >
> > Basically this is what the MS document outlined. Not being familiar with
> > Kerberos I can only presume ktutil does more than just merge keytabs. Based
> > on your post it seems as if that's not the case.
> >
> If there are no keys already in /etc/krb5.keytab that you care about,
> 'cp' will do the job. If there are already keys in /etc/krb5.keytab
> and you want to add another key from a different keytab, then the
> 5-step process above is the right way to do it; as ktutil will not
> clobber the existing keys already in /etc/krb5.keytab.
>
> > > >> To try to get it to work in my NT machine I basically did the same thing.
> > > >>
> > > >> On kdc:
> > > >> 1. ktpass -princ [EMAIL PROTECTED] -mapuser test -pass
> > > >> testpass -out test.keytab
> > > >> 2. transfer keytab to windows computer.
> > > >>
> > > >> There doesn't seem to be a ktutil.exe on windows.
> > >
> > > What do you think you need ktutil for?
> >
> > Please see above.
> >
> > > >> I presume I need to get a
> > > >> ticket for 'tsample'. I tried kinit -k -t krb5.keytab -S tsample test.
> > > >> It didn't work. Neither did several other variations.
> > >
> > > Why are you giving kinit the -S flag? I do not think it does what you
> > > think it does. For that matter, why are you using a keytab at all?
> > > It's much easier to create a normal user principal and use kinit to
> > > get tickets. If you must use a keytab, the correct invocation is
> > > "kinit -k -t keytabfile [EMAIL PROTECTED]".
> > > Of course, the last argument should be the actual principal name of
> > > the key you want to use.
> >
> > If I do as you say it will change the default principal name. Due to time
> > restrictions I haven't been able to gain a greater understanding of how most
> > of this works but I think what I want is to get a service ticket (sample)
> > for a specified principal (user). For example in Unix, after I run the
> > gss-api sample program klist produces this.
> >
> > default principal: [EMAIL PROTECTED]
> >
> > [EMAIL PROTECTED]
> > [EMAIL PROTECTED]
> > [EMAIL PROTECTED]
> >
> > BTW. The names are different than above because I'm using different
> > keytabs, service names, etc. between unix tests and windows tests.
> >
> > The way I read this is that the principal named 'user' has three tickets.
> > One tgt and two tickets for 'sample'. Not sure why there are two for
> > 'sample' but that's not horribly important to me right now. Is that not
> > correct?
> >
> > Ultimately the application will use 'rcmd' to auth the sender but just to
> > see how all this fits together I'm using 'sample'
> >
> > Thank you for any help.
> >
> > >
> > > >> The gss-server sample fails with
> > > >> GSS-API error acquiring credentials: Miscellaneous failure
> > > >> GSS-API error acquiring credentials: No such file or directory
> > >
> > > The server would fail this way because it can't find the keytab file.
> > > I don't know where win3k is looking for it, but you should figure this
> > > out, and put the keytab there.
> >
> > I checked source code. First it checks env table, then
> > 'default_keytab_name' in 'libdefaults'. On windows, if all else fails, it
> > will go to windows direction (\winnt). I just used krb5.conf and it finds
> > the file now. However, I now get another error message.
> >
> > GSS-API error acquiring credentials: Miscellaneous failure
> > GSS-API error acquiring credentials: No principal in keytab matches desired name
> >
> Are you invoking the server with the correct service_name that matches
> the principal whose key is in the keytab?

I'm invoking the server with 'tsample'. I created the keytab with

ktpass -princ [EMAIL PROTECTED] -mapuser test -pass password -out test.keytab

I copied test.keytab to the file specified in the krb5.conf file
(winnt\krb5.keytab) then did a kinit as 'test'.

What's the relationship between the service_name and a principal?

Thanks for the help.

> ________________________________________________
> Kerberos mailing list [EMAIL PROTECTED]
> http://mailman.mit.edu/mailman/listinfo/kerberos
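
Added example, not part of the original thread: a minimal Python reader for the MIT keytab file format (version 0x0502) that lists the principals stored in a keytab, which is what the "No principal in keytab matches desired name" error checks, and shows how appending entries differs from replacing the file with `cp`. The principal names, realm and keys are constructed, and `merge_keytabs` and `make_keytab` are illustrative helpers, not ktutil or ktpass.

```python
import struct

def _counted(buf, off):
    n = struct.unpack_from(">H", buf, off)[0]          # 16-bit length prefix
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return (principal, kvno, enctype) for each entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        size = struct.unpack_from(">i", data, off)[0]
        off, end = off + 4, off + 4 + abs(size)
        if end > len(data):
            raise ValueError("truncated keytab entry")
        if size > 0:                                   # size <= 0 marks a deleted entry
            ncomp = struct.unpack_from(">H", data, off)[0]
            realm, p = _counted(data, off + 2)
            comps = []
            for _ in range(ncomp):
                comp, p = _counted(data, p)
                comps.append(comp.decode())
            kvno, enctype = struct.unpack_from(">BH", data, p + 8)  # skip name type, timestamp
            _key, p = _counted(data, p + 11)
            if end - p >= 4:                           # optional 32-bit kvno extension
                kvno = struct.unpack_from(">I", data, p)[0] or kvno
            entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        off = end
    return entries

def merge_keytabs(dst, src):
    """Keep every entry of dst and append those of src, as the ktutil steps do."""
    parse_keytab(dst)                                  # both inputs must parse cleanly
    parse_keytab(src)
    return dst + src[2:]

def make_keytab(principal, kvno, enctype, key):
    """Build a one-entry keytab from constructed values so the example runs offline."""
    name, realm = principal.rsplit("@", 1)
    cs = lambda b: struct.pack(">H", len(b)) + b
    parts = [cs(c.encode()) for c in name.split("/")]
    body = struct.pack(">H", len(parts)) + cs(realm.encode()) + b"".join(parts)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + cs(key) + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

# Constructed sample data: principal names, realm and keys are made up.
EXISTING = make_keytab("host/unix1.example.com@EXAMPLE.COM", 3, 18, b"\x11" * 32)
NEW = make_keytab("tsample/unix1.example.com@EXAMPLE.COM", 1, 23, b"\x22" * 16)
MERGED = merge_keytabs(EXISTING, NEW)
```

Calling `parse_keytab(open(path, "rb").read())` on a real keytab lists the principal names to compare with the name the server requests.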
