Use "-ptype KRB5_NT_PRINCIPAL" with ktpass along with other options.

e.g. - Ktpass args: -princ host/computera.f...@realm -mapuser computerA -pass +rndPass -ptype KRB5_NT_PRINCIPAL -out computerA.keytab

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of John Hefferman
Sent: 08 April 2009 15:23
To: [email protected]
Subject: Acquiring a TGT for a host/ principal using Active Directory

Dear All,

I'm not sure if this is the correct place to ask this question - it involves the MIT kinit program, but also Active Directory as the KDC (Server 2008).

The problem I am experiencing is that I can't seem to 'kinit -k' using an SPN of an instance type such as host/ when using an AD domain controller.

The procedure is as follows:
- I create a new account in Active Directory, such as 'computerA'
- I run ktpass (or msktutil) to associate a host/ principal name with this account (host/computera.f...@realm) and create a keytab
- I securely transfer this keytab to the Linux computer (if msktutil was not used)
- I run kinit -kt computerA.keytab host/computera.f...@realm

Kinit returns:
kinit(v5): Client not found in Kerberos database while getting initial credentials

Some additional information:
- Ktpass args: -princ host/computera.f...@realm -mapuser computerA -pass +rndPass -out computerA.keytab
- Name specified through -princ argument is definitely associated with computerA (checked in computerA's attribute list)
- kvno works against host/computera.f...@realm
- computerA.keytab contains key and principal name specified through -princ
- When kinit -k host/computera.f...@realm is executed, the Active Directory event viewer log (on the Domain Controller) shows the 'Account Name' that is attempting to acquire the TGT as 'host', instead of host/....@... It appears to omit anything that comes after the forward slash.
- I've tried ktpass with all encryption types - same result.
- Same result with user or computer objects in AD.
- Same result when both -ptypes are specified when running ktpass

Just wondering if anyone had had any experience with TGT acquisition and principal names containing forward slashes. No problem if this is the wrong place to ask. Maybe it's not even possible to do this with AD, but I doubt that's the case.

Thanks in advance for any help,
John
________________________________________________
Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
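An added example, not from either post: the reply changes only the ktpass -ptype, and the name type ktpass records is stored in each keytab entry, so this script parses the MIT keytab file format and reports the stored name type, kvno and enctype per entry, flagging host/ entries that are not KRB5_NT_PRINCIPAL. The realm, host name, kvno values and key bytes in the constructed sample keytab are assumptions.

```python
"""Parse an MIT keytab (format 0x0502) and report the name type each entry carries.
Constructed example for this thread, not code from the posts; realm, host and key bytes are made up."""
import struct

NAME_TYPES = {1: "KRB5_NT_PRINCIPAL", 2: "KRB5_NT_SRV_INST", 3: "KRB5_NT_SRV_HST"}

def _counted(data, off):
    """counted_octet_string: big-endian uint16 length, then the bytes."""
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """One dict per live entry; deleted slots (negative size) are skipped."""
    assert struct.unpack_from(">H", data, 0)[0] == 0x0502, "only keytab format 0x0502 handled"
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                      # negative size: deleted slot of -size bytes
            off += -size or len(data)      # zero size is malformed: stop scanning
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = [None] * ncomp
        for i in range(ncomp):             # principal components follow the realm
            comps[i], off = _counted(data, off)
        name_type, _ts, vno8, etype = struct.unpack_from(">IIBH", data, off)
        key, off = _counted(data, off + 11)
        vno32 = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0  # optional 32-bit kvno
        entries.append({"principal": "/".join(c.decode() for c in comps) + "@" + realm.decode(),
                        "kvno": vno32 or vno8, "name_type": NAME_TYPES.get(name_type, name_type),
                        "enctype": etype})
        off = end
    return entries

def host_entries_not_nt_principal(data):
    """host/ principals whose stored name type is not KRB5_NT_PRINCIPAL."""
    return [e["principal"] for e in parse_keytab(data)
            if e["principal"].startswith("host/") and e["name_type"] != "KRB5_NT_PRINCIPAL"]

def build_entry(principal, name_type, kvno, etype, key):
    """Writer used here only to construct the sample keytab; timestamp left at 0."""
    name, realm = principal.rsplit("@", 1)
    parts = [realm] + name.split("/")
    body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(s)) + s.encode() for s in parts)
    body += struct.pack(">IIBH", name_type, 0, kvno & 0xFF, etype) + struct.pack(">H", len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample: the same host/ principal written as NT_SRV_HST (3) and as NT_PRINCIPAL (1), enctype 23.
SAMPLE_KEYTAB = (b"\x05\x02" + build_entry("host/computera.example.com@EXAMPLE.COM", 3, 2, 23, bytes(range(16)))
                 + build_entry("host/computera.example.com@EXAMPLE.COM", 1, 3, 23, bytes(range(16))))
```

Run it against a real keytab with `parse_keytab(open("computerA.keytab", "rb").read())` to see the name type that ktpass actually wrote, which klist -kt does not display.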
