Hi All, I am using MIT Kerberos 5, and its tool "kinit", to try and get a TGT from a Win2k KDC (which is also my Primary Domain Controller).
My KDC/PDC is called GEM.MYCOMPANY.COM. I am able to get a ticket for any user which I create on Gem (e.g. kinit [EMAIL PROTECTED]). I'm able to do a klist and see my ticket. I've also looked at a network trace on port 88, and everything seems to go smoothly.

However, a problem arises when I try to use kinit to get a TGT for the special user "administrator", I get rejected. The error that kinit gives me is:

    # kinit [EMAIL PROTECTED]
    kinit(v5): KDC has no support for encryption type while getting initial credentials

I did a network trace on port 88 with Ethereal. The conversation between my machine and the KDC looks something like this:

1) Request for "administrator" in realm GEM.MYCOMPANY.COM. Encryption types are "des-cbc-crc".
2) Server responds with error "KRB5KDC_ERR_PREAUTH_REQUIRED".
3) Client resends request, this time with Pre-Authentication section.
4) Server responds with error "KRB5KDC_ERR_ETYPE_NOSUPP".

I then checked the EventViewer on my PDC, and saw this error:

    Source: KDC
    Description: The account Administrator did not have a suitable key for generating a Kerberos ticket. If the encryption type is supported, changing or setting the password will generate a proper key.

Does anyone know why this should work for all users besides administrator? Better yet, does anyone know how I can get it to work for administrator?

My eventual goal is to use OpenLDAP to do some querying on the PDC. For this I'll need to authenticate with the PDC as "administrator" via LDAP, and will thus need a TGT for the administrator user (or so I understand).

Thanks,
Dave

________________________________________________
Kerberos mailing list [EMAIL PROTECTED] http://mailman.mit.edu/mailman/listinfo/kerberos
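The four-message exchange described in the post above can be triaged mechanically. The following is an added example, not part of the original message: it walks a constructed summary of the trace and separates the routine pre-authentication round trip from the terminal encryption-type rejection. The dictionary layout and the `diagnose` function are assumptions made for illustration; the numeric error codes are the RFC 4120 protocol values.

```python
# Added example, not from the original post. Error codes are the RFC 4120
# protocol numbers; etype numbers are the IANA Kerberos encryption type numbers.
ERRORS = {14: "KRB5KDC_ERR_ETYPE_NOSUPP", 25: "KRB5KDC_ERR_PREAUTH_REQUIRED"}
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}

# Constructed trace: the four messages described in the post, reduced to the
# fields a port-88 capture shows (message type, principal, etypes, padata).
SAMPLE_TRACE = [
    {"type": "AS-REQ", "cname": "administrator", "etypes": [1], "padata": False},
    {"type": "KRB-ERROR", "error": 25},
    {"type": "AS-REQ", "cname": "administrator", "etypes": [1], "padata": True},
    {"type": "KRB-ERROR", "error": 14},
]


def diagnose(trace):
    """Return (verdict, detail) for one AS exchange (hypothetical helper)."""
    request = None
    for msg in trace:
        if msg["type"] == "AS-REQ":
            request = msg
        elif msg["type"] == "AS-REP":
            return ("ok", "TGT issued")
        elif msg["type"] == "KRB-ERROR":
            if request is None:
                return ("malformed", "error with no preceding AS-REQ")
            code = msg["error"]
            # PREAUTH_REQUIRED answering a request without padata is the
            # normal first round trip; the client is expected to retry.
            if code == 25 and not request["padata"]:
                continue
            name = ERRORS.get(code, "error %d" % code)
            if code == 14:
                offered = ", ".join(ETYPES.get(e, str(e)) for e in request["etypes"])
                return ("etype-mismatch",
                        "%s for %s; client offered only: %s"
                        % (name, request["cname"], offered))
            return ("kdc-error", name)
    return ("incomplete", "no AS-REP or final error seen")


if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE))
```

For the trace in the post, the verdict points at the single offered encryption type and the account's stored keys, which matches the KDC event log entry quoted in the message.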
