PS wrote:
> On Mar 25, 12:00 pm, "Douglas E. Engert" <[EMAIL PROTECTED]> wrote:
>> Your problem might be a bad version of ktpass.
>> See http://support.microsoft.com/kb/919557
>
> That could be the case.
>
> But what about the fact mentioned that I created a keytab using ktutil
> addent as shown on the Solaris box, supplying the password, and I
> still get the same result?

The key is a function of the password and the salt. With DES the password is concatenated with the salt which is usually the concatenation of the realm and components of the principal name. Since an AD account has only one password, but can have a UPN and SPNs, the salt is based on the samAccountName. So when you used the ktutil, it assumed a salt based on the principal.

> But when I kinit with this same password I
> get the ticket?

Part of the pre-auth protocol is for the KDC to send the salt to the kinit client. Kinit then combines the password and the KDC's salt to generate the key. If you want to see the KDC's salt, you can use a network trace program like wireshark.

If you are going to have a lot of unix services or hosts, you might want to google for msktutil. This uses OpenLDAP and Kerberos on Unix to create and update keytab files.

> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
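An added illustration of the salt mismatch described in the message above (not part of the original post, and not code from ktutil or msktutil). It uses the PBKDF2 step of the AES string-to-key from RFC 3962 as a stand-in for the DES string-to-key the message mentions, because PBKDF2 is in the Python standard library; the password, principal and account name are constructed, and `ad_style_salt` is a hypothetical helper that follows the message's statement that the salt is based on the samAccountName.

```python
import hashlib
import hmac


def default_salt(principal: str) -> bytes:
    """Default salt a keytab tool assumes: realm followed by each
    component of the principal name, with no separators (RFC 4120).
    Simplification: escaped '/' or '@' inside components is not handled."""
    name, _, realm = principal.rpartition("@")
    if not name or not realm:
        raise ValueError("expected name@REALM")
    return (realm + "".join(name.split("/"))).encode("utf-8")


def ad_style_salt(realm: str, sam_account_name: str) -> bytes:
    """Assumption for illustration: realm plus samAccountName, per the
    message. The authoritative value is whatever salt the KDC sends
    during pre-authentication."""
    return (realm.upper() + sam_account_name).encode("utf-8")


def pbkdf2_step(password: str, salt: bytes, iterations: int = 4096) -> bytes:
    """PBKDF2-HMAC-SHA1 step of the RFC 3962 string-to-key. The final
    Kerberos key applies one more derivation, omitted here; a different
    salt already yields a different value at this stage."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, 32)


def keytab_matches_kdc(password: str, keytab_salt: bytes, kdc_salt: bytes) -> bool:
    """True only if the key written to the keytab equals the KDC's key."""
    return hmac.compare_digest(pbkdf2_step(password, keytab_salt),
                               pbkdf2_step(password, kdc_salt))


# Constructed sample values.
PASSWORD = "Example-Passw0rd"
SPN = "HTTP/web01.example.com@EXAMPLE.COM"
KDC_SALT = ad_style_salt("EXAMPLE.COM", "websvc")

if __name__ == "__main__":
    # Keytab built from the password with the principal-based default salt.
    print("keytab with default salt:", keytab_matches_kdc(PASSWORD, default_salt(SPN), KDC_SALT))
    # kinit uses the salt the KDC sends, so the same password works there.
    print("kinit with KDC salt:     ", keytab_matches_kdc(PASSWORD, KDC_SALT, KDC_SALT))
```

The first comparison fails and the second succeeds with the same password, which is the behaviour reported in the thread.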
