[Samba] Samba-generated keytab fails with kinit
1983-01-06 at gmx.net
Fri Oct 12 08:17:11 MDT 2012
Hi,
I have joined an HP-UX server to a Windows Server 2003 domain. Join and keytab creation were successful.
The keytab entries look like this:
$ klist -ek
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/hostname.sub.company.net@SUB.COMPANY.NET (DES cbc mode with CRC-32)
2 host/hostname.sub.company.net@SUB.COMPANY.NET (DES cbc mode with RSA-MD5)
2 host/hostname.sub.company.net@SUB.COMPANY.NET (ArcFour with HMAC/md5)
2 host/hostname@SUB.COMPANY.NET (DES cbc mode with CRC-32)
2 host/hostname@SUB.COMPANY.NET (DES cbc mode with RSA-MD5)
2 host/hostname@SUB.COMPANY.NET (ArcFour with HMAC/md5)
2 cifs/hostname.sub.company.net@SUB.COMPANY.NET (DES cbc mode with CRC-32)
2 cifs/hostname.sub.company.net@SUB.COMPANY.NET (DES cbc mode with RSA-MD5)
2 cifs/hostname.sub.company.net@SUB.COMPANY.NET (ArcFour with HMAC/md5)
2 cifs/hostname@SUB.COMPANY.NET (DES cbc mode with CRC-32)
2 cifs/hostname@SUB.COMPANY.NET (DES cbc mode with RSA-MD5)
2 cifs/hostname@SUB.COMPANY.NET (ArcFour with HMAC/md5)
2 HOSTNAME$@SUB.COMPANY.NET (DES cbc mode with CRC-32)
2 HOSTNAME$@SUB.COMPANY.NET (DES cbc mode with RSA-MD5)
2 HOSTNAME$@SUB.COMPANY.NET (ArcFour with HMAC/md5)
2 HOST/hostname@SUB.COMPANY.NET (DES cbc mode with CRC-32)
2 HOST/hostname@SUB.COMPANY.NET (DES cbc mode with RSA-MD5)
2 HOST/hostname@SUB.COMPANY.NET (ArcFour with HMAC/md5)
2 HOST/hostname.sub.company.net@SUB.COMPANY.NET (DES cbc mode with CRC-32)
2 HOST/hostname.sub.company.net@SUB.COMPANY.NET (DES cbc mode with RSA-MD5)
2 HOST/hostname.sub.company.net@SUB.COMPANY.NET (ArcFour with HMAC/md5)
Now, when I issue a kinit -k it fails with:
kinit(v5): Client not found in Kerberos database while getting initial credentials
This is obviously correct since kinit uses the first entry to authenticate and the KDC knows the UPN HOSTNAME$@SUB.COMPANY.NET only.
So, is this order correct? Shouldn't the real UPN be the first entry?
What will happen when I use a C-based GSS client acquiring the default credential (GSS_C_NO_CREDENTIAL) with the keytab? Will it pick up the correct entry?
My system:
bash $ uname -a
HP-UX hostname B.11.31 U ia64 1788107473 unlimited-user license
bash $ net --version
Version 3.4.3 based HP CIFS Server A.03.01.05
Thanks,
Michael
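
An added example, not part of the original post and not Samba code: a small Python reader for the MIT keytab file format (version 0x0502) that lists entries in file order and locates the machine-account principal, which can then be named explicitly, e.g. kinit -k 'HOSTNAME$@SUB.COMPANY.NET', instead of relying on a default. The sample keytab is constructed with dummy keys, and the names counted, build_entry and machine_account are invented for this example.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac"}  # types in the post's klist output

def counted(data, p):  # 16-bit length-prefixed string -> (text, next offset)
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n].decode(), p + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] in file order for a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:                       # a negative size marks a deleted slot
            (ncomp,) = struct.unpack_from(">H", data, pos)
            realm, p = counted(data, pos + 2)
            comps = []
            for _ in range(ncomp):
                comp, p = counted(data, p)
                comps.append(comp)
            p += 8                         # skip name type and timestamp
            kvno, etype, keylen = struct.unpack_from(">BHH", data, p)
            p += 5 + keylen
            if end - p >= 4:               # optional 32-bit kvno replaces the 8-bit one
                (kvno,) = struct.unpack_from(">I", data, p)
            entries.append(("/".join(comps) + "@" + realm, kvno, ENCTYPES.get(etype, str(etype))))
        pos = end
    return entries

def machine_account(entries):
    """First single-component principal ending in '$' (the computer account)."""
    return next((e[0] for e in entries
                 if "/" not in e[0] and e[0].split("@")[0].endswith("$")), None)

def build_entry(comps, realm, kvno, etype, key=b"\x00" * 8):
    """Build one constructed keytab entry with a dummy key (demo input only)."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + b"".join(cs(x.encode()) for x in [realm] + comps)
    body += struct.pack(">IIBH", 1, 0, kvno, etype) + cs(key)
    return struct.pack(">i", len(body)) + body

# Constructed sample in the same order as the post: service principals first.
SAMPLE = b"\x05\x02" + b"".join(
    build_entry(c, "SUB.COMPANY.NET", 2, et)
    for c in (["host", "hostname.sub.company.net"], ["cifs", "hostname"], ["HOSTNAME$"])
    for et in (1, 3, 23))
```

On the constructed sample, parse_keytab(SAMPLE) returns nine entries with the HOSTNAME$ principal first appearing at index 6, after the host/ and cifs/ entries.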