[Samba] Samba-generated keytab fails with kinit

1983-01-06 at gmx.net
Fri Oct 12 08:17:11 MDT 2012


Hi,

I have joined a HP-UX server to a Windows Server 2003 domain. Join and keytab creation were successful.

The keytab entries look like this:

$ klist -ek
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/hostname.sub.company.net@SUB.COMPANY.NET (DES cbc mode with CRC-32)
   2 host/hostname.sub.company.net@SUB.COMPANY.NET (DES cbc mode with RSA-MD5)
   2 host/hostname.sub.company.net@SUB.COMPANY.NET (ArcFour with HMAC/md5)
   2 host/hostname@SUB.COMPANY.NET (DES cbc mode with CRC-32)
   2 host/hostname@SUB.COMPANY.NET (DES cbc mode with RSA-MD5)
   2 host/hostname@SUB.COMPANY.NET (ArcFour with HMAC/md5)
   2 cifs/hostname.sub.company.net@SUB.COMPANY.NET (DES cbc mode with CRC-32)
   2 cifs/hostname.sub.company.net@SUB.COMPANY.NET (DES cbc mode with RSA-MD5)
   2 cifs/hostname.sub.company.net@SUB.COMPANY.NET (ArcFour with HMAC/md5)
   2 cifs/hostname@SUB.COMPANY.NET (DES cbc mode with CRC-32)
   2 cifs/hostname@SUB.COMPANY.NET (DES cbc mode with RSA-MD5)
   2 cifs/hostname@SUB.COMPANY.NET (ArcFour with HMAC/md5)
   2 HOSTNAME$@SUB.COMPANY.NET (DES cbc mode with CRC-32)
   2 HOSTNAME$@SUB.COMPANY.NET (DES cbc mode with RSA-MD5)
   2 HOSTNAME$@SUB.COMPANY.NET (ArcFour with HMAC/md5)
   2 HOST/hostname@SUB.COMPANY.NET (DES cbc mode with CRC-32)
   2 HOST/hostname@SUB.COMPANY.NET (DES cbc mode with RSA-MD5)
   2 HOST/hostname@SUB.COMPANY.NET (ArcFour with HMAC/md5)
   2 HOST/hostname.sub.company.net@SUB.COMPANY.NET (DES cbc mode with CRC-32)
   2 HOST/hostname.sub.company.net@SUB.COMPANY.NET (DES cbc mode with RSA-MD5)
   2 HOST/hostname.sub.company.net@SUB.COMPANY.NET (ArcFour with HMAC/md5)

Now, when I issue a kinit -k, it fails with:
kinit(v5): Client not found in Kerberos database while getting initial credentials

This is obviously correct since kinit uses the first entry to authenticate and the KDC knows the UPN HOSTNAME$@SUB.COMPANY.NET only.

So, is this order correct? Shouldn't the real UPN be the first entry?
What will happen when I use a C-based GSS client that acquires the default credential (GSS_C_NO_CREDENTIAL) with the keytab? Will it pick up the correct entry?

My system:
bash $ uname -a
HP-UX hostname B.11.31 U ia64 1788107473 unlimited-user license
bash $ net --version
Version 3.4.3 based HP CIFS Server A.03.01.05

Thanks,

Michael
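Added example, not part of the post above: a small Python helper that parses `klist -ek` output of the shape shown in the post, reports which principal is listed first, finds the machine-account principal (the one ending in `$`), flags entries that still carry single-DES keys (the "DES cbc mode" enctypes, deprecated by RFC 6649), and builds a kinit command that names the machine account explicitly so the default principal selection is not relied on. The sample listing, hostnames and keytab path are constructed placeholders.

```python
import re
from collections import OrderedDict

# Constructed sample of `klist -ek` output, shaped like the listing in the
# post (hostnames and realm are placeholders, not real systems).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------------
   2 host/hostname.sub.company.net@SUB.COMPANY.NET (DES cbc mode with CRC-32)
   2 host/hostname.sub.company.net@SUB.COMPANY.NET (ArcFour with HMAC/md5)
   2 cifs/hostname.sub.company.net@SUB.COMPANY.NET (DES cbc mode with RSA-MD5)
   2 HOSTNAME$@SUB.COMPANY.NET (DES cbc mode with CRC-32)
   2 HOSTNAME$@SUB.COMPANY.NET (ArcFour with HMAC/md5)
"""

# One keytab entry line: "<kvno> <principal> (<enctype description>)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")
WEAK_PREFIXES = ("DES cbc",)  # single-DES enctypes as MIT klist names them

def parse_keytab(text):
    """Return an ordered mapping principal -> list of (kvno, enctype)."""
    entries = OrderedDict()
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.setdefault(m.group(2), []).append((int(m.group(1)), m.group(3)))
    return entries

def machine_account(entries):
    """The machine-account principal (name part ends in '$'), or None."""
    for principal in entries:
        if principal.split("@", 1)[0].endswith("$"):
            return principal
    return None

def weak_enctypes(entries):
    """Principals that still have single-DES keys in the keytab."""
    return sorted({p for p, keys in entries.items()
                   for _, enc in keys if enc.startswith(WEAK_PREFIXES)})

def explicit_kinit(entries, keytab="/etc/krb5.keytab"):
    """kinit command that names the machine account instead of relying on the default."""
    principal = machine_account(entries)
    return None if principal is None else "kinit -k -t %s '%s'" % (keytab, principal)

if __name__ == "__main__":
    ents = parse_keytab(SAMPLE_KLIST)
    print("first listed principal:", next(iter(ents)))
    print("machine account:       ", machine_account(ents))
    print("single-DES keys on:    ", weak_enctypes(ents))
    print("suggested command:     ", explicit_kinit(ents))
```

Feed it the real `klist -ek` output (e.g. via `subprocess`) instead of the constructed sample to check an actual keytab.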

