You need to change the Administrator password at least once after DC promotion.
Any account that is present before an "upgrade" requires that the password be changed so that the DES keys are generated. The "administrator" account is created prior to DC promotion, and because of this it is just like an "upgrade" even though the domain is new.

-----Original Message-----
From: Dave Snoopy [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 13, 2002 12:09 PM
To: [EMAIL PROTECTED]
Subject: using kinit with a Win2k KDC

Hi All,

I am using MIT Kerberos 5, and its tool "kinit", to try and get a TGT from a Win2k KDC (which is also my Primary Domain Controller). My KDC/PDC is called GEM.MYCOMPANY.COM.

I am able to get a ticket for any user which I create on Gem (e.g. kinit [EMAIL PROTECTED]). I'm able to do a klist and see my ticket. I've also looked at a network trace on port 88, and everything seems to go smoothly.

However, when I try to use kinit to get a TGT for the special user "administrator", I get rejected. The error that kinit gives me is:

    # kinit [EMAIL PROTECTED]
    kinit(v5): KDC has no support for encryption type while getting initial credentials.

I did a network trace on port 88 with Ethereal. The conversation between my machine and the KDC looks something like this:

1) Request for "administrator" in realm GEM.MYCOMPANY.COM. Encryption types are "des-cbc-crc".
2) Server responds with error "KRB5KDC_ERR_PREAUTH_REQUIRED".
3) Client resends request, this time with Pre-Authentication section.
4) Server responds with error "KRB5KDC_ERR_ETYPE_NOSUPP".

I then checked the EventViewer on my PDC, and saw this error:

    Source: KDC
    Description: The account Administrator did not have a suitable key for generating a Kerberos ticket. If the encryption type is supported, changing or setting the password will generate a proper key.

Does anyone know why this should work for all users besides administrator? Better yet, does anyone know how I can get it to work for administrator?

My eventual goal is to use OpenLDAP to do some querying on the PDC. For this I'll need to authenticate with the PDC as "administrator" via LDAP, and will thus need a TGT for the administrator user (or so I understand).

Thanks,
Dave

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
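The following is an added model of the AS exchange behind the trace above; it is not code from either poster. It shows why the KDC answers KRB5KDC_ERR_PREAUTH_REQUIRED and then KRB5KDC_ERR_ETYPE_NOSUPP when the client offers only des-cbc-crc against an account whose stored keys were derived before DES was enabled, and why setting the password clears it. Assumed, not from the thread: the KDC checks pre-authentication before looking for a matching key, the pre-promotion administrator account holds only an RC4 key, and the account and password values are constructed.

```python
# Assumed etype negotiation model (constructed, not from the thread).
DES_CBC_CRC, RC4_HMAC = 1, 23                              # RFC 3961 etype numbers
KDC_ERR_ETYPE_NOSUPP, KDC_ERR_PREAUTH_REQUIRED = 14, 25    # RFC 4120 error codes


class Account:
    """Long-term keys exist only for enctypes enabled when the password was last set."""

    def __init__(self, name, keys=None):
        self.name = name
        self.keys = dict(keys or {})        # etype -> constructed key material

    def set_password(self, password, enabled_etypes):
        # Changing the password re-derives a key for every currently enabled enctype;
        # this is the step the reply recommends for the pre-promotion administrator account.
        self.keys = {et: f"string2key({password!r}, {et})" for et in enabled_etypes}


def as_exchange(accounts, principal, offered_etypes, preauth=False):
    """KDC side of one AS-REQ: returns (error code or None, selected etype or None)."""
    account = accounts[principal]
    if not preauth:                          # assumed: the KDC demands pre-authentication first
        return KDC_ERR_PREAUTH_REQUIRED, None
    usable = [et for et in offered_etypes if et in account.keys]
    if not usable:                           # no stored key matches anything the client offered
        return KDC_ERR_ETYPE_NOSUPP, None
    return None, usable[0]


def kinit(accounts, principal, offered_etypes):
    """Client side as seen in the trace: resend once with pre-authentication, then give up."""
    errors = []
    err, et = as_exchange(accounts, principal, offered_etypes)
    errors.append(err)
    if err == KDC_ERR_PREAUTH_REQUIRED:
        err, et = as_exchange(accounts, principal, offered_etypes, preauth=True)
        errors.append(err)
    return errors, et


def reproduce_thread():
    """Constructed accounts: 'administrator' predates DC promotion (assumed RC4 key only)."""
    accounts = {"administrator": Account("administrator", {RC4_HMAC: "nt-hash-derived"}),
                "dave": Account("dave")}
    accounts["dave"].set_password("constructed-pw", [DES_CBC_CRC, RC4_HMAC])
    admin_before = kinit(accounts, "administrator", [DES_CBC_CRC])   # ([25, 14], None)
    normal_user = kinit(accounts, "dave", [DES_CBC_CRC])             # ([25, None], 1)
    accounts["administrator"].set_password("new-constructed-pw", [DES_CBC_CRC, RC4_HMAC])
    admin_after = kinit(accounts, "administrator", [DES_CBC_CRC])    # ([25, None], 1)
    return admin_before, normal_user, admin_after
```

The error sequence for the administrator account before the password change matches steps 2) and 4) of the trace; after the change the same request succeeds with des-cbc-crc.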
