samba4 keytab management
Matthieu Patou
mat at samba.org
Fri Sep 3 05:34:00 MDT 2010
On 03/09/2010 09:19, srikumar108 at aol.com wrote:
> Hi Mathieu,
>
> Do you have any more suggestion?
Yes!
>
> I looked at the ssh user through ADUC, and the ssh a/c is not locked
> or expired.
Yeah, but we need to be sure that you can get a ticket;
runas /user:DOMAIN\user cmd is also an option in Windows.
> After getting a new keytab and trying to kinit, I am getting the message:
> kinit: KDC has no support for encryption type while getting initial
> credentials
> From samba.log:
> Kerberos: No client key matching pa-data (aes256-cts-hmac-sha1-96) --
> ssh at MYNET.COM
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Well that's obvious: you do not have an AES key for the user, which can
be quite logical.
Did you change the forest/domain level of your samba4? If not, did you
specify any level information on provision?
It could be worth digging into this problem, but in the short term I suggest
setting this in your /etc/krb5.conf:
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc
in the [libdefaults] section
Then retry your kinit.
In case I forgot to tell you: I retried ktpass.sh this week and it just
works on my setup. I was able to generate keytabs for the http kerberos
authentication, so if you have a problem it's either because you didn't type
the password correctly or because the problem is somewhere else.
Matthieu.
--
Matthieu Patou
Samba Team http://samba.org
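
An added example, not part of the original message or of Samba's code: a Python check that reads the [libdefaults] enctype settings suggested above together with the quoted KDC log line, reports whether the client would still offer the enctype the KDC has no key for, and lists the configured enctypes deprecated by RFC 6649 and RFC 8429. Function names are hypothetical, the sample input is constructed from the text of the message, and treating an absent setting as "library defaults that include AES" is an assumption.

```python
import re

# MIT krb5 treats these names as one enctype (RC4 with HMAC-MD5).
ALIASES = {"rc4-hmac": "arcfour-hmac", "arcfour-hmac-md5": "arcfour-hmac"}
# Deprecated by RFC 6649 (single DES) and RFC 8429 (3DES, RC4).
DEPRECATED = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "arcfour-hmac"}
KEYS = ("default_tkt_enctypes", "default_tgs_enctypes")

def libdefaults_enctypes(conf_text):
    """Return {setting: [canonical enctypes]} from the [libdefaults] section."""
    found, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in KEYS:
                names = [ALIASES.get(n, n) for n in re.split(r"[\s,]+", value.lower()) if n]
                found[key] = list(dict.fromkeys(names))  # drop alias duplicates
    return found

def missing_key_enctype(log_line):
    """Extract the enctype from a 'No client key matching pa-data (...)' line."""
    m = re.search(r"No client key matching pa-data \(([^)]+)\)", log_line)
    return ALIASES.get(m.group(1), m.group(1)) if m else None

def review(conf_text, log_line):
    """Report whether the client still offers the enctype the KDC has no key for."""
    wanted, configured, report = missing_key_enctype(log_line), libdefaults_enctypes(conf_text), {}
    for key in KEYS:
        offered = configured.get(key)
        report[key] = {
            # Assumption: an unset key means library defaults, which include AES.
            "still_offers_missing": offered is None or wanted in offered,
            "deprecated": [e for e in (offered or []) if e in DEPRECATED],
        }
    return report

# Constructed sample input: the settings and log line quoted in the message.
SAMPLE_CONF = """[libdefaults]
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc
"""
SAMPLE_LOG = "Kerberos: No client key matching pa-data (aes256-cts-hmac-sha1-96) -- ssh at MYNET.COM"

if __name__ == "__main__":
    print(review(SAMPLE_CONF, SAMPLE_LOG))
```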