I am using Win2k3 as my KDC.
I was using the keytab extracted from Win2k3 ktpass
and it was working fine with my GSS applications. I
have upgraded to Win2k3 SP1 and now when i use ktpass
of Win2k3 SP1 to extract the keytab and use it with my
GSS application, i am getting error on the GSS server
while accepting the context as "Decrypt integrity
check failed".
Can anyone encountered this problem with the keytab
created with win2k3 sp1 ktpass?
Can anyone help me to fix this issue?
Thanks and Regards,
Srini
______________________________________________________
Click here to donate to the Hurricane Katrina relief effort.
http://store.yahoo.com/redcross-donate3/
________________________________________________
Kerberos mailing list Kerb...@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
Jeffrey Altman
--
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
Markus
"Srinivas Cheruku" <srinivas...@yahoo.com> wrote in message
news:200509080721...@web31903.mail.mud.yahoo.com...
I have used the below command to extract the keytab. You can see that i
have specified the enctype correctly. Please let me know whether i need
to specify any other option to ktpass.
ktpass -mapuser us...@xxx.com -princ test/host.x...@XXX.COM +DesOnly
-pass helloworld -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -out
"c:\krb5.keytab"
I am using the user account and not the computer account.
Thanks,
Srini
Use the KFW kvno.exe <service-principal> command to find out what
kvno the service principal is using. Then include that value in
the ktpass.exe command line with the -kvno <kvno> command line
option.
Jeffrey Altman
Can anyone tell me the changes done to Win2k3 SP1 ktpass when compared
to Win2k3 ktpass while extracting the keytab, since the keytab
extracted from Win2k3 ktpass is working but the one with Win2k3 SP1
ktpass doesn't?
Thanks,
Srini
capture the traffic on port 88 with ethereal and look at the kdc error
reply. If it is a salt issue it will tell you. The other ktpass option you
might want to try is /ptype KRB5_NT_SRV_HST
Regards
Markus
"Srini" <Srinivas...@gmail.com> wrote in message
news:1126592351.8...@f14g2000cwb.googlegroups.com...
here's my (random) notes and how i do windows/MIT key exchange
successfully:
with recent versions of MIT Kerberos it is not neccessary to specify any
special enc-type as it supports MD4 (which is windows default now)
i'm also not specifying the ptype flag to ktpass.
the principal you specify at the ktpass commandline will be added and/or
overwritten in AD.
as username to ktpass, use the login name only from AD.
match the case of username and realm exactly.
with adsi-edit you can then verify the servicePrincipalName or
userPrincipalName that will be added after invoking ktpass.
using ktpass, the AD User will be automagically flagged as DES Only.
import the keys on linux and verify using:
kinit –k –t /path/to/winkrb5.keytab <name>/<fqdn>@<REALM>
this should issue a ticket without entering a password.
i have encountered some troubles with the ticket serial number, to avoid
them, always change the password of the AD User prior exporting with
ktpass, this ensures a current ticket.
furthermore, ensure that the ktpass utility comes from a resource kit
from the same version as the windows OS itself AND also the same
locale.
HTH,
/ karl
Thanks for the information you shared with me.
I have created two user accounts.
Then i have run the ktpass command as show below with appropriate params
for the two new user accounts created
ktpass -mapuser us...@xxx.com -princ sp1acc/host.x...@XXX.COM +DesOnly
-pass helloworld -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -out
"c:\krb5.keytab"
Now, i have two keys in the /etc/krb5.keytab
1. sp1acc/host.x...@XXX.COM - Keytab extracted with Win2k3 SP1 ktpass
2. nosp1acc/host.x...@XXX.COM - Keytab extracted with Win2k3 ktpass
Please find below the results from kinit
bash-2.03$ ./kinit -k -t /etc/krb5.keytab sp1acc/host.x...@XXX.COM
kinit(v5): Preauthentication failed while getting initial credentials
bash-2.03$
bash-2.03$ ./kinit -k -t /etc/krb5.keytab nosp1acc/host.x...@XXX.COM
bash-2.03$ ./klist
Ticket cache: FILE:/tmp/krb5cc_4001
Default principal: nosp1acc/host.x...@XXX.COM
Valid starting Expires Service principal
09/21/05 10:16:55 09/22/05 06:19:16 krbtgt/XXX...@XXX.COM
renew until 09/22/05 10:16:55
Kerberos 4 ticket cache: /tmp/tkt4001
klist: You have no tickets cached
bash-2.03$
As shown above, I am getting error Preauthentication failed when i try
to kinit for sp1acc/host.x...@XXX.COM, which was extracted using
Win2K3 SP1 ktpass.
Then, i have created an user account and changed password, before
running Win2k3 SP1 ktpass on that account. Now when i do a kinit on this
service principal, i am issued a TGT without Preauthentication failed
error.
Can anyone confirm that while using Win2k3 SP1 ktpass, the user account
password should be changed before running ktpass?
Also, i would appreciate if someone can confirm that this is the bug
with Win2k3 SP1 ktpass which needs changing password before running ktpass.
Thanks,
Srini
Pitrich, Karl wrote:
>>------------------------------------------------------------------------
As you have told i have checked the kvno.
kvno in keytab = 2
kvno in service ticket = 2
There is no difference with the kvno in keytab as well as in the service
ticket.
Before extracting the keytab using Win2k3 SP1 ktpass, i reset the
password of that user account then extract keytab using ktpass. This
keytab is working fine without any errors.
Can you please let me know whether we need to always reset the password
before running Win2k3 SP1 ktpass?
Is this a bug in MS Win2k3 SP1 ktpass?
Did you observe the same behaviour with the keytab extracted with Win2k3
SP1 ktpass?
Thanks,
Srini
Jeffrey Altman wrote:
> Is the correct kvno value being written to the keytab entry?
>
> Use the KFW kvno.exe <service-principal> command to find out what
> kvno the service principal is using. Then include that value in
> the ktpass.exe command line with the -kvno <kvno> command line
> option.
>
> Jeffrey Altman
>
>