I'm working on a kerberized application server and I have some trouble when
I try to generate the keytab with ktpass... Although everything works nicely
for demo in the lab, it fails in the real world!
Here is the command I use (Windows 2000 Server SP4):
ktpass -ptype KRB5_NT_PRINCIPAL -princ HTTP/myComputer.privat...@PRIVATE.MYCOMPAGNIE.COM -mapuser test...@private.myCompagnie.com -pass xyz -out C:\temp\keytab
Failed to get DN from search result: 0X80070057
Failed to locate user "(samAccountName=test...@private.myCompagnie.com)".
Failed to retrieve user info for test...@private.myCompagnie.com: 0x8ad.
Aborted.
testUser is a brand new user created for the service. Are there any traps
when you create new users in AD? (I'm a beginner with AD.) Any idea or
pointer to investigate this error?
Thanks,
Julien
Julien Montmartin wrote:
> Hi List,
>
> I'm working on a kerberized application server and I have some trouble when
> I try to generate the keytab with ktpass... Although everything works nicely
> for demo in the lab, it fails in the real world!
>
> Here is the command I use (Windows 2000 Server SP4):
>
> ktpass -ptype KRB5_NT_PRINCIPAL -princ HTTP/myComputer.privat...@PRIVATE.MYCOMPAGNIE.COM -mapuser test...@private.myCompagnie.com -pass xyz -out C:\temp\keytab
-mapuser testUser
> Failed to get DN from search result: 0X80070057
> Failed to locate user "(samAccountName=test...@private.myCompagnie.com)".
> Failed to retrieve user info for test...@private.myCompagnie.com: 0x8ad.
> Aborted.
>
> testUser is a brand new user created for the service. Are there any traps
> when you create new users in AD? (I'm a beginner with AD.) Any idea or
> pointer to investigate this error?
>
> Thanks,
>
> Julien
> ________________________________________________
> Kerberos mailing list Kerb...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEn...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
>
> Julien Montmartin wrote:
>
>> Hi List,
>>
>> I'm working on a kerberized application server and I have some trouble
>> when I try to generate the keytab with ktpass... Although everything works
>> nicely for demo in the lab, it fails in the real world!
>>
>> Here is the command I use (Windows 2000 Server SP4):
>>
>> ktpass -ptype KRB5_NT_PRINCIPAL -princ HTTP/myComputer.privat...@PRIVATE.MYCOMPAGNIE.COM -mapuser test...@private.myCompagnie.com -pass xyz -out C:\temp\keytab
>>
>
> -mapuser testUser
>
>
Thanks Douglas, now I get my keytab... But now gss_acquire_cred() fails with
the error: "No principal in keytab matches desired name". This is the kind of
code I use:
/* MS receives the major status, ms the minor status */
gss_buffer_desc tmpTok=GSS_C_EMPTY_BUFFER;
tmpTok.value="HT...@myComputer.private.myCompagnie.com";
//tmpTok.value="HTTP@myComputer" -> Doesn't work either
tmpTok.length=strlen((const char *) tmpTok.value); /* needs <string.h>; gss_import_name reads length bytes */
gss_name_t srvName=GSS_C_NO_NAME;
MS=gss_import_name(&ms, &tmpTok, (gss_OID) GSS_C_NT_HOSTBASED_SERVICE, &srvName);
MS=gss_acquire_cred(&ms, srvName, GSS_C_INDEFINITE, GSS_C_NO_OID_SET, GSS_C_ACCEPT, &fCredentials, NULL, NULL);
Well, once again, this code works in the lab so I guess it's not totally
wrong... How can I know the "desired name" the library is looking for? When
I generate my keytab, ktpass said "vno = 1" but when I check it on the
server with kvno it says:
"HTTP/myComputer.privat...@PRIVATE.MYCOMPAGNIE.COM: kvno = 0".
Isn't it wrong? I've also tried with kinit:
kinit -k -t C:\keytab HTTP/myComputer.private.myCompagnie.com@PRIVATE.MYCOMPAGNIE.COM
It says nothing, but doesn't fail... Any idea?
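
Added example (not part of the thread, and not code from MIT Kerberos or the poster): to inspect what a keytab holds, which is what the "No principal in keytab matches desired name" error and the vno/kvno question above turn on, this Python parser decodes the MIT keytab file format 0x0502 and compares a desired principal with the stored entries exactly, case included. The function names and the sample principal HTTP/Web01.example.test@EXAMPLE.TEST are constructed for illustration.

```python
import struct

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for the live entries of an MIT
    keytab in file format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        rec, off = data[off + 4:off + 4 + abs(size)], off + 4 + abs(size)
        if size <= 0:                      # negative size marks a deleted slot
            continue
        if len(rec) < size:
            raise ValueError("truncated entry")
        (ncomp,), pos, parts = struct.unpack_from(">H", rec), 2, []
        for _ in range(ncomp + 1):         # realm first, then name components
            (n,) = struct.unpack_from(">H", rec, pos)
            parts.append(rec[pos + 2:pos + 2 + n].decode("utf-8", "replace"))
            pos += 2 + n
        # name type, timestamp, 8-bit kvno, enctype, key length, then the key
        _, _, kvno, etype, klen = struct.unpack_from(">IIBHH", rec, pos)
        pos += 13 + klen
        if len(rec) - pos >= 4:            # optional 32-bit kvno overrides
            kvno = struct.unpack_from(">I", rec, pos)[0] or kvno
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno, etype))
    return entries

def check_name(entries, wanted):
    """Principal names compare exactly, case included. Returns
    ('match', kvno), ('case-mismatch', stored_name) or ('absent', None)."""
    for name, kvno, _ in entries:
        if name == wanted:
            return ("match", kvno)
    for name, _, _ in entries:
        if name.lower() == wanted.lower():
            return ("case-mismatch", name)
    return ("absent", None)

# Constructed sample: one entry, HTTP/Web01.example.test@EXAMPLE.TEST,
# enctype 3 (des-cbc-md5) with an all-zero key, kvno 1.
SAMPLE = (b"\x05\x02\x00\x00\x00\x43\x00\x02\x00\x0cEXAMPLE.TEST\x00\x04HTTP"
          b"\x00\x12Web01.example.test\x00\x00\x00\x01\x00\x00\x00\x00\x01"
          b"\x00\x03\x00\x08" + bytes(8) + b"\x00\x00\x00\x01")

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE)
    print(entries)
    print(check_name(entries, "HTTP/web01.example.test@EXAMPLE.TEST"))
```

On a real keytab, pass the bytes of the file (read in binary mode) to parse_keytab in place of SAMPLE.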