Tyson Oswald wrote:
>
> I did a manual comparison between the two files like this
>
> on Windows ktpass -in my.keytab
>
> on unix klist -k -K
>
> they are identical.
>
> Any idea what the ticket option FORWARDED means?

It means the ticket was issued based on a previous TGT. i.e. this is usually
by delegations as done by GSSAPI. That may not be the problem.

When you set up the service principal for the machine, it should have had a
name like host/[EMAIL PROTECTED] where myserver.ameritech.net is the FQDN of
the host, and MY.REALM is the realm where the host is registered.

P.S. We have Sun workstations using pam_krb5 which allow one to login to the
workstation from the console. We are using the MIT Kerberos, not SEAM.

Something else to try: login to the Sun using normal login.
Using the SEAM commands:

    kinit [EMAIL PROTECTED]
    klist -f -e

Then try

    kinit -S t/[EMAIL PROTECTED]

which will ask for your user and password, then try and get a service ticket
for the host.

Also look at the /etc/krb5.conf file. (I think SEAM uses the same location.)

>
> thanks,
>
> Tyson Oswald
>
> "Douglas E. Engert" <[EMAIL PROTECTED]> wrote:
>
> Tyson Oswald wrote:
> >
> > Tyson Oswald wrote: I generated a host key on a Windows server and installed
> > it on the Sun workstation with ktutil. The key was generated with the same
> > password as the user on windows. It was set up with DES-CBC-CRC enctype, also
> > krb5.conf is set up to use des-cbc-crc for both tkt and tgs. One thing I did do was
> > when I FTPed the host key to the Sun box I used binary instead of ascii, if that
> > caused a problem I do not know. If you think this could cause this issue I will
> > re-copy it.
>
> Another way to do it is when you run the ktpass /out ...
> it will type out the entry on the console, and show the kvno and the
> DES key in hex.
>
> You can then use the ktutil "addent -key" and type in the DES key in
> hex on the UNIX system. This avoids any string-to-key problems, as well
> as any transfer problems.
>
> If nothing else you could verify if the key and kvno is as expected
> by using klist -k -K ...
>
> >
> > thank you,
> >
> > Tyson Oswald
> >
> > Jeffrey Altman wrote:
> > Do you have a host key for the Windows workstation?
> >
> > Does the Windows workstation know the name you have used for its host key?
> >
> > Is the host key restricted to use an enctype of DES-CBC-CRC?
> >
> > Did you create the host key with a password and not a random key?
> >
> > Did you install the password into the Workstation using KSETUP?
> >
> > Jeffrey Altman
> >
> > Tyson Oswald wrote:
> > > Hello all,
> > >
> > > I read the white paper on the MS site
> > > (http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp)
> > > to set up AD authentication on Unix. It is based on MIT KDC, but I am
> > > using SEAM. Since SEAM is based on MIT, I assumed it would work. I
> > > am using SEAM 1.0.1 on SPARC Solaris 8. I followed the instructions
> > > in the white paper, and according to the event log on our PDC the user
> > > authenticates successfully. But, the Service Ticket is failing
> > > authentication. I am troubled as to why. The event id I am getting
> > > in the event log is 677. The failure code is 0x0d (bad option) and
> > > the ticket option is 0x02. According to the RFC 0x02 means FORWARDED.
> > >
> > > Has anyone run into this error or know what is wrong?
> > >
> > > thank you,
> > >
> > > Tyson Oswald
> >
> > ________________________________________________
> > Kerberos mailing list [EMAIL PROTECTED]
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
> --
>
> Douglas E. Engert
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
> ________________________________________________
> Kerberos mailing list [EMAIL PROTECTED]
> https://mailman.mit.edu/mailman/listinfo/kerberos

--

Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
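
The keytab comparison discussed in the thread (principal, kvno, enctype and key, as listed by klist -k -K), as an added example that is not part of the original messages: a parser for the keytab file layout, assuming both files use version 0x0502. The principal, realm and key bytes are constructed sample values, and build_entry, parse_keytab and diff_keytabs are names made up for this example.

```python
import struct

def build_entry(realm, components, kvno, enctype, key):  # only builds sample data
    cs = lambda b: struct.pack(">H", len(b)) + b          # 16-bit length + bytes
    body = struct.pack(">H", len(components)) + cs(realm.encode())
    body += b"".join(cs(c.encode()) for c in components)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)        # name type, timestamp, 8-bit kvno
    body += struct.pack(">H", enctype) + cs(key)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, enctype, key_hex)] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, out = 2, []
    def take(fmt):                                        # read one big-endian field
        nonlocal pos
        (value,) = struct.unpack_from(fmt, data, pos)
        pos += struct.calcsize(fmt)
        return value
    def counted():                                        # read a length-prefixed string
        nonlocal pos
        n = take(">H")
        pos += n
        return data[pos - n:pos]
    while pos + 4 <= len(data):
        size = take(">i")
        if size <= 0:                                     # negative size: deleted entry
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated entry")
        ncomp, realm = take(">H"), counted().decode()
        name = "/".join([counted().decode() for _ in range(ncomp)])
        pos += 8                                          # skip name type and timestamp
        kvno, enctype, key = take(">B"), take(">H"), counted()
        kvno = (take(">I") if end - pos >= 4 else 0) or kvno  # optional 32-bit kvno, 0 = unset
        out.append((f"{name}@{realm}", kvno, enctype, key.hex()))
        pos = end
    return out

def diff_keytabs(a, b):  # entries found in only one of the two keytabs
    return sorted(set(parse_keytab(a)) ^ set(parse_keytab(b)))

KEY = bytes.fromhex("0123456789abcdef")                   # constructed, not a real key
NAME = ("EXAMPLE.COM", ["host", "myserver.example.com"])  # constructed principal
WINDOWS = b"\x05\x02" + build_entry(*NAME, 3, 1, KEY)     # kvno 3, enctype 1 = des-cbc-crc
UNIX = b"\x05\x02" + build_entry(*NAME, 2, 1, KEY)        # same key, kvno 2
```

diff_keytabs(WINDOWS, UNIX) returns both entries here because only the kvno differs, a mismatch that a comparison of the key bytes alone would not show.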