On Fri, Aug 31, 2012 at 2:36 PM, Booker Bense <[email protected]> wrote:

> The "best" way to create a keytab is to randomize the password and use kadmin
> to extract the keytab.
>
> If you have a heimdal kdc, you can extract the keytab w/o changing the password.
> The last time I looked the MIT code essentially randomized the
> password and updated the key when you created a keytab via the kadmin interface.
>
> If you have the MIT version of the ktutil command, you can use that to create a keytab
> if you know the password. However, you have to also know the key version number
> as well. (kadmin should tell you this)
>
> ktutil is kind of a weird interface, the command you want is add_entry.
>
> Exactly what you do depends if you need to keep the password for use
> by humans or not.
>
> Once you have a keytab, k5start should allow you to do all the things you need.

I thought I created the keytab correctly, but it doesn't seem to work...
I have no idea how to tell what kind of kerberos we use. I think it is MIT but I am unsure.

    which ktutil
    which ktutil
    /usr/bin/ktutil
    sh-4.1$ rpm -qf /usr/bin/ktutil
    krb5-workstation-1.9-33.el6_3.2.x86_64

    ktutil: addent -password -p [email protected] -k 1 -e aes256-cts
    (type password here)
    ktutil: write_kt /afs/unity.ncsu.edu/users/g/gsgatlin/engrranger.ktb

    /usr/local/bin/k5start -U -f /afs/unity.ncsu.edu/users/g/gsgatlin/engrranger.ktb
    Kerberos initialization for [email protected]
    k5start: error getting credentials: Client '[email protected]' not found in Kerberos database

Does this error indicate the account is not there? I was able to test the password of engrranger via klog, e.g.:

    pagsh
    klog engrranger
    Password:
    sh-4.1$ tokens
    Tokens held by the Cache Manager:
    User's (AFS ID 38) tokens for [email protected] [Expires Sep 1 17:07]
    --End of list--

Jack, we use kerberos 5 at this site, correct? Anyone know what I am doing wrong?
