You are a very intelligent man. It worked! Thanks a million! --Dave
--- John Brezak <[EMAIL PROTECTED]> wrote:

> You need to change the Administrator password at least once after DC
> promotion.
>
> Any account that is present before an "upgrade" requires that the
> password be changed so that the DES keys are generated.
>
> The "administrator" account is created prior to DC promotion and because
> of this it is just like an "upgrade" even though the domain is new.
>
> -----Original Message-----
> From: Dave Snoopy [mailto:[EMAIL PROTECTED]]
> Sent: Monday, May 13, 2002 12:09 PM
> To: [EMAIL PROTECTED]
> Subject: using kinit with a Win2k KDC
>
> Hi All,
>
> I am using MIT Kerberos 5, and its tool "kinit", to try and get a TGT
> from a Win2k KDC (which is also my Primary Domain Controller).
>
> My KDC/PDC is called GEM.MYCOMPANY.COM. I am able to get a ticket for
> any user which I create on Gem (e.g. kinit [EMAIL PROTECTED]). I'm able
> to do a klist and see my ticket. I've also looked at a network trace on
> port 88, and everything seems to go smoothly.
>
> However, a problem arises when I try to use kinit to get a TGT for the
> special user "administrator", I get rejected. The error that kinit
> gives me is:
>
> # kinit [EMAIL PROTECTED]
> kinit(v5): KDC has no support for encryption type while getting initial credentials.
>
> I did a network trace on port 88 with Ethereal. The conversation
> between my machine and the KDC looks something like this:
>
> 1) Request for "administrator" in realm GEM.MYCOMPANY.COM. Encryption
>    types are "des-cbc-crc".
>
> 2) Server responds with error "KRB5KDC_ERR_PREAUTH_REQUIRED".
>
> 3) Client resends request, this time with Pre-Authentication section.
>
> 4) Server responds with error "KRB5KDC_ERR_ETYPE_NOSUPP".
>
> I then checked the EventViewer on my PDC, and saw this error:
>
> Source: KDC
> Description: The account Administrator did not have a suitable key for generating a Kerberos ticket. If the encryption type is supported, changing or setting the password will generate a proper key.
>
> Does anyone know why this should work for all users besides
> administrator? Better yet, does anyone know how I can get it to work
> for administrator? My eventual goal is to use OpenLDAP to do some
> querying on the PDC. For this I'll need to authenticate with the PDC as
> "administrator" via LDAP, and will thus need a TGT for the
> administrator user (or so I understand).
>
> Thanks,
> Dave

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
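An added example, not part of the thread and not code from MIT or Microsoft: one way to audit for the condition John describes, by flagging accounts whose `pwdLastSet` attribute is not later than the DC promotion time. The promotion time, the LDIF-style input format, the function names and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample records (not from the thread). pwdLastSet is an AD
# FILETIME: 100 ns ticks since 1601-01-01 UTC.
SAMPLE_LDIF = """\
sAMAccountName: Administrator
pwdLastSet: 126646848000000000

sAMAccountName: testuser
pwdLastSet: 126657216000000000

sAMAccountName: svc-legacy
pwdLastSet: 0
"""

# Assumption: the operator knows when the server was promoted to a DC.
PROMOTED_AT = datetime(2002, 5, 6, tzinfo=timezone.utc)

def filetime_to_datetime(ticks):
    """Convert FILETIME ticks to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(ticks) // 10)

def parse_records(text):
    """Parse blank-line-separated 'attribute: value' records into dicts."""
    records = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(":") for line in block.splitlines())
        records.append({k.strip(): v.strip() for k, _, v in pairs})
    return records

def needs_password_change(ldif_text, promoted_at):
    """Return (account, reason) for accounts with no password set after promotion."""
    flagged = []
    for rec in parse_records(ldif_text):
        ticks = int(rec.get("pwdLastSet", "0"))
        if ticks == 0:
            flagged.append((rec["sAMAccountName"], "pwdLastSet is 0, change time unknown"))
        elif filetime_to_datetime(ticks) <= promoted_at:
            flagged.append((rec["sAMAccountName"], "password last set before promotion"))
    return flagged

if __name__ == "__main__":
    for name, reason in needs_password_change(SAMPLE_LDIF, PROMOTED_AT):
        print(f"{name}: {reason}")
```

Accounts this flags are the ones for which a client offering only `des-cbc-crc` should expect the `KRB5KDC_ERR_ETYPE_NOSUPP` response described in the thread until the password is changed.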
