On 3/8/2011 9:19 AM, Rohit Kumar Mehta wrote:
> From reading this list, it seems like msktutil is a much better
> solution for managing Linux service principals in an AD than using
> KTPASS.EXE. However, I seem to be having some difficulties.
>
> I set up a test AD with the domain TAD.ENGR.UCONN.EDU, and I'm trying to
> create some service principals for my test-nfs server. So on my test
> Linux server (running Ubuntu Lucid), I downloaded msktutil from git (I
> believe version 0.4), compiled, did a kinit
> [email protected], and then tried to run msktutil. This
> is what I get:

If this is from http://fuhm.net/software/msktutil/ I have not tried it,
but it says it is based on this version:
http://download.systemimager.org/~finley/msktutil/
which is what we are using.

>
> root@test-nfs:~/build/f/msktutil# ./msktutil --precreate --hostname
> test-nfs.tad.engr.uconn.edu -s host -s nfs --server 137.99.15.89 --verbose
> -- init_password: Wiping the computer password structure
> -- get_default_keytab: Obtaining the default keytab name:
> FILE:/etc/krb5.keytab
> -- create_fake_krb5_conf: Created a fake krb5.conf file:
> /tmp/.msktkrb5.conf-mc2Qvi
> -- reload: Reloading Kerberos Context
> -- get_short_hostname: Determined short hostname: test-nfs
> -- finalize_exec: SAM Account Name is: test-nfs$
> -- try_user_creds: Checking if default ticket cache has tickets...
> -- finalize_exec: Authenticated using method 4
>
> -- ldap_connect: Connecting to LDAP server: 137.99.15.89 try_tls=YES
> -- ldap_connect: Connecting to LDAP server: 137.99.15.89 try_tls=NO
> SASL/GSSAPI authentication started
> Error: ldap_sasl_interactive_bind_s failed (Local error)
> Error: ldap_connect failed
> --> Is your kerberos ticket expired? You might try re-"kinit"ing.
> -- ~KRB5Context: Destroying Kerberos Context
> root@test-nfs:~/build/f/msktutil#
>
> Looking at wireshark I see a bunch of errors like
> KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. It looks like msktutil is trying to
> connect and get authorized for this service
> ldap/test-dc1.tad.engr.uconn.edu. Given that Microsoft Active Directory
> provides LDAP, I'm not sure why that is a problem.

I have never used the --precreate option. But msktutil will need to be
run using a Kerberos ticket for an AD admin, as it needs to update AD.
So you need to run kinit before running msktutil. (After a keytab has
been created, and you are updating the keys, msktutil will try and use
it first.)

>
> Am I doing anything obviously wrong? If so I appreciate any help. Thanks!
>
> Rohit
>

--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
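The two failure modes in the thread (no admin TGT in the cache, and the KDC not knowing the DC's ldap/ SPN, which surfaces as KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN and then a GSSAPI bind "Local error") can be checked before msktutil is run. This is an added pre-flight script, not code from the thread or from msktutil; it assumes the MIT krb5 client tools klist and kvno are installed and that the domain controller is named by its FQDN rather than the IP address used above.

```shell
#!/bin/sh
# Pre-flight checks before running msktutil against an AD domain controller.
# Added example: the DC FQDN used in the usage comment is a constructed value.

# Turn kvno's output into a short verdict. Pure string function, so it can be
# exercised without a KDC; the message texts are the ones MIT kvno prints.
diagnose_kvno_output() {
    case "$1" in
        *"Server not found in Kerberos database"*)
            echo "KDC has no such SPN (KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN): the name given to --server must be the DC's registered ldap/ SPN" ;;
        *"kvno ="*)
            echo "ok" ;;
        *"No credentials cache found"*|*"Ticket expired"*)
            echo "no usable TGT: run kinit as an AD admin first" ;;
        *)
            echo "unrecognised kvno output" ;;
    esac
}

# The SPN msktutil's SASL/GSSAPI LDAP bind asks the KDC for: ldap/<dc-fqdn>.
ldap_spn_for_dc() {
    printf 'ldap/%s\n' "$1"
}

preflight() {
    dc_fqdn="$1"
    # 1. A valid TGT must already be in the default cache; msktutil does not
    #    obtain one for you (klist -s is silent and exits non-zero otherwise).
    if ! klist -s; then
        echo "no valid TGT in the default cache; kinit as an AD admin first" >&2
        return 1
    fi
    # 2. Request a service ticket for the DC's ldap/ SPN. If the KDC answers
    #    S_PRINCIPAL_UNKNOWN here, msktutil's bind will fail the same way.
    out=$(kvno "$(ldap_spn_for_dc "$dc_fqdn")" 2>&1)
    verdict=$(diagnose_kvno_output "$out")
    [ "$verdict" = "ok" ] || { echo "$verdict" >&2; return 1; }
    echo "pre-flight ok: TGT present and $(ldap_spn_for_dc "$dc_fqdn") known to the KDC"
}

# Usage (constructed DC name):
#   preflight test-dc1.tad.engr.uconn.edu && ./msktutil --precreate ...
```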
