Creating a keytab for a Microsoft AD account that is comprehensible to MIT Kerberos (e.g. kinit -k) appears to require heavy wizardry.
I've tried everything I can reasonably think of, but kinit -k always fails with the nonsensical error message "kinit: Key table entry not found while getting initial credentials". strace says that kinit is reading the correct file, and the keytab definitely contains keys for the specified principal. (klist -ke sees the content; whether I use ktutil to create the keytab or Microsoft's KTPASS.EXE has no visible impact.) So if anything, kinit might tell me that it received something encrypted with kvno "a" but only found kvnos "b", "c", "d" and "e" for the specified principal in the specified keytab -- but the error message it currently prints when providing the full principal name on the command line just doesn't seem to make sense.

I've created user account "[email protected]" in a W2K8 AD and "kinit [email protected]" works fine. Shouldn't kinit be in the perfect position, after having just successfully obtained a TGT for that user, to write out a perfect keytab that will work with "kinit -k" -- or otherwise tell me all necessary details about what I will have to type into tools like ktutil or what to supply to Microsoft's KTPASS.EXE in order to achieve with "kinit -k" what kinit without -k just succeeded in doing?

In case anyone happens to know the exact sequence of commands and their command line parameters that I would have to type in order to obtain a working keytab for an Active Directory 2008R2 account that will be usable with MIT Kerberos 1.9.1, I would be glad to know.

If I ever manage to get a working configuration (keytab), the clients that should ultimately be able to connect to the service are WinXP, 2003, Vista and Win7, so it should probably be using an arcfour-hmac enctype, I assume. (I will NOT need hostbased service names, in case you're wondering, and I did already call "SETSPN dont/care FOO.CORP\TestService" to allow 1-/2-Token authentications with the TestService account for a post-2000 Active Directory.)
-Martin

PS: My Windows administrative expertise is limited. I have setspn.exe and ktpass.exe within reach and know how to run the MMC snap-in "Active Directory - Users and Computers", but know nothing else about AD and LDAP...

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
