From reading this list, it seems like msktutil is a much better solution for managing Linux service principals in an AD than using KTPASS.EXE. However, I seem to be having some difficulties.

I set up a test AD with the domain TAD.ENGR.UCONN.EDU, and I'm trying to create some service principals for my test-nfs server. So on my test Linux server (running Ubuntu Lucid), I downloaded msktutil from git (I believe version 0.4), compiled, did a kinit [email protected], and then tried to run msktutil. This is what I get:

root@test-nfs:~/build/f/msktutil# ./msktutil --precreate --hostname test-nfs.tad.engr.uconn.edu -s host -s nfs --server 137.99.15.89 --verbose
 -- init_password: Wiping the computer password structure
 -- get_default_keytab: Obtaining the default keytab name: FILE:/etc/krb5.keytab
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-mc2Qvi
 -- reload: Reloading Kerberos Context
 -- get_short_hostname: Determined short hostname: test-nfs
 -- finalize_exec: SAM Account Name is: test-nfs$
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 4
 -- ldap_connect: Connecting to LDAP server: 137.99.15.89 try_tls=YES
 -- ldap_connect: Connecting to LDAP server: 137.99.15.89 try_tls=NO
SASL/GSSAPI authentication started
Error: ldap_sasl_interactive_bind_s failed (Local error)
Error: ldap_connect failed
--> Is your kerberos ticket expired? You might try re-"kinit"ing.
 -- ~KRB5Context: Destroying Kerberos Context
root@test-nfs:~/build/f/msktutil#

Looking at Wireshark, I see a bunch of errors like KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. It looks like msktutil is trying to get authorized for this service: ldap/test-dc1.tad.engr.uconn.edu. Given that Microsoft Active Directory provides LDAP, I'm not sure why that is a problem.

Am I doing anything obviously wrong? If so, I appreciate any help.

Thanks!
Rohit

--
Rohit Mehta
Computer Engineer
University of Connecticut
Engineering Computing Services
371 Fairfield Road Unit 2031
Storrs, CT 06269-2031

Office: (860) 486 - 2331
Fax: (860) 486 - 1273
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
