1983-01-06 at gmx.net
2012-Oct-12 14:17 UTC
[Samba] Samba-generated keytab fails with kinit
Hi,

I have joined a HP-UX server to a Windows Server 2003 domain. Join and keytab creation were successful. The keytab entries look like this:

$ klist -ek
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/hostname.sub.company.net@SUB.COMPANY.NET (DES cbc mode with CRC-32)
   2 host/hostname.sub.company.net@SUB.COMPANY.NET (DES cbc mode with RSA-MD5)
   2 host/hostname.sub.company.net@SUB.COMPANY.NET (ArcFour with HMAC/md5)
   2 host/hostname@SUB.COMPANY.NET (DES cbc mode with CRC-32)
   2 host/hostname@SUB.COMPANY.NET (DES cbc mode with RSA-MD5)
   2 host/hostname@SUB.COMPANY.NET (ArcFour with HMAC/md5)
   2 cifs/hostname.sub.company.net@SUB.COMPANY.NET (DES cbc mode with CRC-32)
   2 cifs/hostname.sub.company.net@SUB.COMPANY.NET (DES cbc mode with RSA-MD5)
   2 cifs/hostname.sub.company.net@SUB.COMPANY.NET (ArcFour with HMAC/md5)
   2 cifs/hostname@SUB.COMPANY.NET (DES cbc mode with CRC-32)
   2 cifs/hostname@SUB.COMPANY.NET (DES cbc mode with RSA-MD5)
   2 cifs/hostname@SUB.COMPANY.NET (ArcFour with HMAC/md5)
   2 HOSTNAME$@SUB.COMPANY.NET (DES cbc mode with CRC-32)
   2 HOSTNAME$@SUB.COMPANY.NET (DES cbc mode with RSA-MD5)
   2 HOSTNAME$@SUB.COMPANY.NET (ArcFour with HMAC/md5)
   2 HOST/hostname@SUB.COMPANY.NET (DES cbc mode with CRC-32)
   2 HOST/hostname@SUB.COMPANY.NET (DES cbc mode with RSA-MD5)
   2 HOST/hostname@SUB.COMPANY.NET (ArcFour with HMAC/md5)
   2 HOST/hostname.sub.company.net@SUB.COMPANY.NET (DES cbc mode with CRC-32)
   2 HOST/hostname.sub.company.net@SUB.COMPANY.NET (DES cbc mode with RSA-MD5)
   2 HOST/hostname.sub.company.net@SUB.COMPANY.NET (ArcFour with HMAC/md5)

Now, when I issue a kinit -k it fails with:

kinit(v5): Client not found in Kerberos database while getting initial credentials

This is obviously correct since kinit uses the first entry to authenticate and the KDC knows the UPN HOSTNAME$@SUB.COMPANY.NET only. So, is this order correct?
Shouldn't the real UPN be the first entry? What will happen when I use a C-based GSS client acquiring a default credential (GSS_C_NO_CREDENTIAL) with the keytab? Will it pick up the correct entry?

My system:

bash $ uname -a
HP-UX hostname B.11.31 U ia64 1788107473 unlimited-user license
bash $ net --version
Version 3.4.3 based HP CIFS Server A.03.01.05

Thanks,
Michael
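An added example, not from Michael's post or from Samba, showing one way to sidestep the default principal that kinit -k picks: parse the klist -ek listing for the NAME$@REALM machine-account entry and pass it to kinit explicitly. It assumes MIT-style klist/kinit options and the keytab path from the post; the klist output below is a constructed sample built from the principal names in the post.

```shell
#!/bin/sh
# Added example (not the post's own commands). Picks the machine account
# out of "klist -ek" output instead of letting "kinit -k" choose a principal.

KEYTAB=/etc/krb5.keytab   # assumption: the default system keytab, as in the post

# Constructed sample of "klist -ek" output, mirroring the post's keytab.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/hostname.sub.company.net@SUB.COMPANY.NET (DES cbc mode with CRC-32)
   2 cifs/hostname@SUB.COMPANY.NET (ArcFour with HMAC/md5)
   2 HOSTNAME$@SUB.COMPANY.NET (DES cbc mode with CRC-32)
   2 HOSTNAME$@SUB.COMPANY.NET (ArcFour with HMAC/md5)
   2 HOST/hostname@SUB.COMPANY.NET (DES cbc mode with CRC-32)'

# Read "klist -ek" output on stdin and print the machine account principal:
# the first entry line (numeric KVNO in column 1) whose principal has no
# service part ("/") and whose name ends in "$" right before the realm.
machine_principal() {
    awk '$1 ~ /^[0-9]+$/ && index($2, "/") == 0 && index($2, "$@") > 0 {
             print $2; exit
         }'
}

# Obtain a TGT for the machine account explicitly (MIT-style options assumed):
# "kinit -k -t KEYTAB PRINCIPAL" names the entry instead of taking the default.
kinit_machine() {
    upn=$(klist -ek "$KEYTAB" | machine_principal) || return 1
    if [ -z "$upn" ]; then
        echo "no NAME\$@REALM entry found in $KEYTAB" >&2
        return 1
    fi
    kinit -k -t "$KEYTAB" "$upn"
}

# Offline demonstration on the constructed sample (no KDC needed).
found=$(printf '%s\n' "$SAMPLE_KLIST" | machine_principal)
echo "machine account principal: $found"
```

On the host itself, run kinit_machine after sourcing the script; the offline demonstration only exercises the parsing step.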