What does this return?

kvno -e des-cbc-md5 sapldap/[email protected]

-Christopher

-----Original Message-----
From: Ray Vand [mailto:[email protected]]
Sent: Monday, April 22, 2013 4:46 PM
To: Nebergall, Christopher
Cc: Benjamin Kaduk; [email protected]
Subject: Re: [EXTERNAL] Re: Issue with Kerberos setting in Sun Solaris 10

Christopher,

Yes, I have. Please see below.

# cat krb5.conf
libdefaults]
        default_realm = COMPANY.COM
        default_keytab_name = /etc/krb5/krb5.keytab
        default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
        default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
        allow_weak_crypto = true

[realms]
        COMPANY.COM = {
                kdc = ads.company.com:88
                admin_server = ads.company.com
                default.domain = COMPANY.COM
                kpasswd_server = ads.company.com
        }

[domain_realm]
        .company.com = COMPANY.COM
        company.com = COMPANY.COM
#
# kinit -k sapldap/[email protected]
kinit(v5): Key table entry not found while getting initial credentials
#

When I use it without the -k option, it works and prompts for a password and
only takes the correct password. klist shows a recent date and expiration time.

Ray

On Apr 22, 2013, at 2:01 PM, "Nebergall, Christopher" <[email protected]> wrote:

> Do you need to have allow_weak_crypto = true set in your krb5.conf?
>
> -Christopher
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of
> Ray Vand
> Sent: Monday, April 22, 2013 3:38 PM
> To: Benjamin Kaduk
> Cc: [email protected]
> Subject: [EXTERNAL] Re: Issue with Kerberos setting in Sun Solaris 10
>
> Ben,
>
> The space is added when I cut and paste from the terminal. I forgot to fix
> it in the email.
> It prompts for a password and it takes it. I even tried a wrong password and
> I got an error, which means it is communicating with the KDC.
>
> Also, I am using MIT Kerberos version krb5-1.11.1-signed.tar, which I
> downloaded from the MIT site.
>
> Ray
>
> On Apr 22, 2013, at 1:27 PM, Benjamin Kaduk <[email protected]> wrote:
>
>> [putting the list back in the cc]
>>
>> On Mon, 22 Apr 2013, Ray Vand wrote:
>>
>>> Ben,
>>>
>>> kvno was 9 because I gave a new value in addent command.
>>>
>>> ktutil:  addent -password -p sapldap/[email protected] -k 9 -e DES-CBC-MD5
>>
>> Ah, okay.  As I said earlier, I don't think this kvno will affect 'kinit
>> -k', but is relevant when used as an acceptor.
>>
>>> I created a new one with kvno 7 and tried it. Still getting initial
>>> credentials error.
>>
>> Right, I wouldn't expect that to change.
>>
>> Some ways of generating a keytab will increment the kvno on the KDC, which
>> will cause problems for existing keytabs; it sounds like that is not what is
>> causing this problem.
>>
>>> ktutil:  addent -password -p sapldap/ads.company.com@ COMPANY.COM -k 7 -e DES-CBC-MD5
>>> Password for sapldap/ads.company.com@ COMPANY.COM:
>>> ktutil:  list
>>> slot KVNO Principal
>>> ---- ---- ---------------------------------------------------------------------
>>>    1    7 sapldap/ads.company.com@ COMPANY.COM
>>> ktutil:  wkt /tmp/ray.keytab
>>> ktutil:  q
>>>
>>> # cp /tmp/ray.keytab /etc/krb5/krb5.keytab
>>>
>>> # kinit -k -t /etc/krb5/krb5.keytab sapldap/ads.company.com@ COMPANY.COM
>>> kinit(v5): Key table entry not found while getting initial credentials
>>
>> I assume the space between '@' and "COMPANY.COM" is introduced while
>> transcribing into email?  If it is present in the actual command line it may
>> cause problems.
>>
>> You never did say if you are using the Solaris integrated tools or an
>> external installation of MIT kerberos.
>>
>> -Ben
>
>
> ________________________________________________
> Kerberos mailing list           [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
