There can possibly be two reasons for it, in my experience.

1. Windows Server version (enterprise edition, SP version) and support
tools version are incompatible.
    This is the case most of the time. Ktpass corrupts the mapping on
service accounts if they are not the correct ones.
    Please use updated enterprise editions and support tools for SP2 and try
this again.

2. Windows Server 2008 does not support SPNs by default for TGT.
    There is a patch available, though.


Thanks

Nikhil

On Wed, Apr 8, 2009 at 5:41 PM, John Hefferman <[email protected]> wrote:

> Hi,
>
> Thanks very much for the reply, but using the KRB5_NT_PRINCIPAL
> principal type does not seem to have an effect.
>
> I still get the message 'kinit(v5): Client not found in Kerberos
> database while getting initial credentials' when running kinit -kt
> computerA.keytab host/computera.f...@realm.
>
> Thanks,
>
> John
>
> -----Original Message-----
> From: Srinivas Cheruku [mailto:[email protected]]
> Sent: 08 April 2009 12:20
> To: John Hefferman; [email protected]
> Subject: RE: Acquiring a TGT for a host/ principal using Active
> Directory
>
> Use "-ptype KRB5_NT_PRINCIPAL" with ktpass along with other options.
>
> e.g.
> - Ktpass args: -princ host/computera.f...@realm -mapuser computerA
> -pass +rndPass -ptype KRB5_NT_PRINCIPAL -out computerA.keytab
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf
> Of John Hefferman
> Sent: 08 April 2009 15:23
> To: [email protected]
> Subject: Acquiring a TGT for a host/ principal using Active Directory
>
> Dear All,
>
> I'm not sure if this is the correct place to ask this question - it
> involves the MIT kinit program, but also Active Directory as the KDC
> (Server 2008).
>
> The problem I am experiencing is that I can't seem to 'kinit -k' using
> an SPN of an instance type such as host/ when using an AD domain
> controller.
>
> The procedure is as follows:
> - I create a new account in Active Directory, such as 'computerA'
> - I run ktpass (or msktutil) to associate a host/ principal name with
> this account (host/computera.f...@realm) and create a keytab
> - I securely transfer this keytab to the Linux computer (if msktutil was
> not used)
> - I run kinit -kt computerA.keytab host/computera.f...@realm
>
> Kinit returns: kinit(v5): Client not found in Kerberos database while
> getting initial credentials
>
> Some additional information:
>
>  - Ktpass args: -princ host/computera.f...@realm -mapuser computerA
> -pass +rndPass -out computerA.keytab
>
>  - Name specified through -princ argument is definitely associated with
> computerA (checked in computerA's attribute list)
>
>  - kvno works against host/computera.f...@realm
>
>  - computerA.keytab contains key and principal name specified through
> -princ
>
>  - when kinit -k host/computera.f...@realm is executed, the Active Directory
> event viewer logs (on the Domain Controller) show the 'Account Name'
> that is attempting to acquire the TGT as 'host', instead of
> host/....@... It appears to omit anything that comes after the forward
> slash.
>
>  - I've tried ktpass with all encryption types - same result.
>
>  - Same result with user or computer objects in AD.
>
>  - Same result when both -ptype's are specified when running ktpass
>
> Just wondering if anyone had had any experience with TGT acquisition and
> principal names containing forward slashes. No problem if this is the
> wrong place to ask. Maybe it's not even possible to do this with AD, but
> I doubt that's the case.
>
> Thanks in advance for any help,
>
> John
>
> ________________________________________________
> Kerberos mailing list           [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
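The whole thread turns on what ktpass actually wrote into computerA.keytab, and klist -kt shows each entry's principal and kvno but not its name type (the field -ptype sets). As an added example that is not from the thread or from the MIT Kerberos project, the following parser reads the MIT keytab file format and reports principal, name type, kvno and enctype for every entry; the sample keytab is constructed inline with example.com names in place of the poster's host/computera.f...@realm, and the key bytes are dummies.

```python
import struct
from collections import namedtuple

# Principal name types (RFC 4120 / krb5.h); klist -kt does not display this field.
NAME_TYPES = {0: "KRB5_NT_UNKNOWN", 1: "KRB5_NT_PRINCIPAL", 2: "KRB5_NT_SRV_INST", 3: "KRB5_NT_SRV_HST"}
# principal is "comp1/comp2@REALM"; enctype is numeric (23 = arcfour-hmac, 18 = aes256-cts-hmac-sha1-96)
KeytabEntry = namedtuple("KeytabEntry", "principal name_type kvno enctype")

def _strings(buf: bytes, off: int, count: int):
    # Read `count` keytab counted_octet_strings: big-endian uint16 length, then the bytes.
    out = []
    for _ in range(count):
        (n,) = struct.unpack_from(">H", buf, off)
        out.append(buf[off + 2:off + 2 + n].decode())
        off += 2 + n
    return out, off

def parse_keytab(data: bytes) -> list:
    if data[:2] != b"\x05\x02":  # MIT keytab file format version 0x0502
        raise ValueError("not a version 2 MIT keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        size, off = struct.unpack_from(">i", data, off)[0], off + 4
        if size <= 0:  # a negative size marks a deleted entry: skip the hole it leaves
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)  # v2: realm is not counted here
        (realm,), off = _strings(data, off + 2, 1)
        comps, off = _strings(data, off, ncomp)
        ntype, _stamp, vno8, etype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13 + klen  # fixed fields (4+4+1+2+2 bytes) plus the key bytes
        kvno = vno8
        if end - off >= 4:  # optional 32-bit kvno; a non-zero value overrides vno8
            kvno = struct.unpack_from(">I", data, off)[0] or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, NAME_TYPES.get(ntype, str(ntype)), kvno, etype))
        off = end
    return entries

def build_entry(comps, realm, ntype, kvno, etype, key: bytes) -> bytes:
    # Serialise one entry; used here only to construct the sample keytab below.
    cos = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", len(comps)) + cos(realm) + b"".join(map(cos, comps))
    body += struct.pack(">IIBHH", ntype, 0, kvno & 0xFF, etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: the same host/ principal written with -ptype KRB5_NT_SRV_HST (3) and with KRB5_NT_PRINCIPAL (1); RC4, dummy zero keys.
SAMPLE_KEYTAB = (b"\x05\x02"
    + build_entry(["host", "computera.example.com"], "EXAMPLE.COM", 3, 2, 23, b"\x00" * 16)
    + build_entry(["host", "computera.example.com"], "EXAMPLE.COM", 1, 2, 23, b"\x00" * 16))
```

Run parse_keytab over the bytes of a real keytab to list every entry; an entry whose name type is not the one ktpass was asked for, or whose kvno differs from what the kvno tool reports for the service, is the first thing to rule out before looking at the KDC.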
