There is a bug in Windows 2008 KDC that prevents any principal name with a "/" in it from authenticating from a non-Windows client.

KB Article Number(s): 951191

This is a public hotfix, but you may need to contact Microsoft to get the hotfix. The hotfix is included in SP2.

-Ross

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of manu
Sent: Wednesday, April 08, 2009 5:52 AM
To: [email protected]
Subject: Re: Acquiring a TGT for a host/ principal using Active Directory

Hello,

You can try:

kinit -kt computerA.keytab COMPUTERA\$

For principals like host/..., cifs/..., HTTP/... created by default with every computer account, AD only allows TS. If you want a TGT you need to use the "real" principal name: COMPUTERA\$.

I don't think the step with ktpass is required.

Hoping this will help,
Best regards,
Emmanuel

John Hefferman a écrit :
> Dear All,
>
> I'm not sure if this is the correct place to ask this question - it
> involves the MIT kinit program, but also Active Directory as the KDC
> (Server 2008).
>
> The problem I am experiencing is that I can't seem to 'kinit -k' using
> an SPN of an instance type such as host/ when using an AD domain
> controller.
>
> The procedure is as follows:
> - I create a new account in Active Directory, such as 'computerA'
> - I run ktpass (or msktutil) to associate a host/ principal name with
>   this account (host/computera.f...@realm) and create a keytab
> - I securely transfer this keytab to the Linux computer (if msktutil was
>   not used)
> - I run kinit -kt computerA.keytab host/computera.f...@realm
>
> Kinit returns: kinit(v5): Client not found in Kerberos database while
> getting initial credentials
>
> Some additional information:
>
> - ktpass args: -princ host/computera.f...@realm -mapuser computerA
>   -pass +rndPass -out computerA.keytab
>
> - Name specified through the -princ argument is definitely associated with
>   computerA (checked in computerA's attribute list)
>
> - kvno works against host/computera.f...@realm
>
> - computerA.keytab contains the key and principal name specified through
>   -princ
>
> - when kinit -k host/computera.f...@realm is executed, the Active Directory
>   event viewer log (on the Domain Controller) shows the 'Account Name'
>   that is attempting to acquire the TGT as 'host', instead of
>   host/....@... It appears to omit anything that comes after the forward
>   slash.
>
> - I've tried ktpass with all encryption types - same result.
>
> - Same result with user or computer objects in AD.
>
> - Same result when both -ptypes are specified when running ktpass
>
> Just wondering if anyone has had any experience with TGT acquisition and
> principal names containing forward slashes. No problem if this is the
> wrong place to ask. Maybe it's not even possible to do this with AD, but
> I doubt that's the case.
>
> Thanks in advance for any help,
>
> John

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
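Both John's procedure and Emmanuel's answer turn on which principal names the keytab actually carries: the host/ SPN that ktpass mapped, or the account name COMPUTERA$ that AD will issue a TGT for. As an added example (not code from the thread), the following Python builds a small MIT v2 keytab in memory, parses it back to list its principals, and flags the TGT-capable names; the realm EXAMPLE.COM, the hostname, the kvno and the keys are all constructed.

```python
import struct

MAGIC = b"\x05\x02"                        # MIT keytab file format version 2
NT_PRINCIPAL, NT_SRV_HST = 1, 3            # RFC 4120 principal name types

def build_entry(realm, components, name_type, kvno, enctype, key):
    """Encode one v2 keytab entry: principal, name type, timestamp, kvno, key."""
    counted = lambda b: struct.pack(">H", len(b)) + b   # uint16 length prefix
    body = struct.pack(">H", len(components)) + counted(realm.encode())
    body += b"".join(counted(c.encode()) for c in components)
    body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, name_type, kvno, enctype)] for every live entry."""
    if data[:2] != MAGIC:
        raise ValueError("not an MIT keytab v2")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        p = pos + 4
        realm, p = data[p:p + rlen].decode(), p + rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, p)
            comps.append(data[p + 2:p + 2 + clen].decode())
            p += 2 + clen
        name_type, _ts, kvno = struct.unpack_from(">IIB", data, p)
        (enctype,) = struct.unpack_from(">H", data, p + 9)
        out.append(("/".join(comps) + "@" + realm, name_type, kvno, enctype))
        pos = end
    return out

def tgt_principals(entries):
    """Names AD will issue a TGT for: the account name, not host/... SPNs."""
    return [name for name, *_ in entries if "/" not in name.split("@", 1)[0]]

# Constructed sample keytab: the SPN ktpass mapped plus the computer account
# itself, both kvno 2, enctype 23 (arcfour-hmac), with fake 16-byte keys.
SAMPLE_KEYTAB = MAGIC + build_entry(
    "EXAMPLE.COM", ["host", "computera.example.com"], NT_SRV_HST, 2, 23,
    b"\x11" * 16) + build_entry("EXAMPLE.COM", ["COMPUTERA$"], NT_PRINCIPAL,
                                2, 23, b"\x22" * 16)
```

Running `parse_keytab` over a real keytab produced by ktpass or msktutil shows whether it holds only the host/ entry (good for `kinit -kt` as a service, not for a TGT) or also the account principal Emmanuel suggests.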
