Re: gss-client error



"lizhong" <lizhong@xxxxxxxxxx> writes:
....

which contains this:
....
[root@gcnode029 gss-sample]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
5 test/gcnode029@xxxxxxxx
....
[root@gcnode026 gss-sample]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
6 test/gcnode029@xxxxxxxx
....

Looks to me like you extracted the same principal on 2 machines. When
you extracted the 2nd keytab, you rendered the 1st useless. From your
accompanying description, it sounds like you observed different
behavior - but that may be due to doing part of your testing before you
extracted the 2nd keytab. Tickets you got for the principal before you
extracted the newer keytab would have worked against a server using the
older keytab. The kvno is also larger than the usual initial default -
you must have created other keytabs or otherwise reset the key extra
times before you did this round of testing.

In general, if you want to use the same principal on more than one
machine, copy it externally, don't extract it again. Better yet, use a
different principal for each machine. You generally extract a new
keytab from the kdc when you intend old keytabs to no longer work. You
can use ktutil to merge the old & new together if you intend to issue
new service keys but also want to honor outstanding tickets until they
expire.

It is usually better to include fully qualified host names in principal
names. If your environment is large enough, somebody on the other side
of campus will want to create a "gcnode029" machine as well.

-Marcus
________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos
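As an added example (not from the thread), a check for the situation described above: given `klist -k` output collected from several hosts, flag any principal whose keytab on one host lacks the highest kvno seen on another host, since that host's key was superseded by a later extraction. The realm, host names and the `host/` entries are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample: `klist -k` output captured on two hosts that both
# extracted a keytab for the same principal (mirrors the thread's listing).
KLIST_BY_HOST = {
    "gcnode029": """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------------
   5 test/gcnode029@EXAMPLE.COM
   2 host/gcnode029.example.com@EXAMPLE.COM
""",
    "gcnode026": """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------------
   6 test/gcnode029@EXAMPLE.COM
   2 host/gcnode029.example.com@EXAMPLE.COM
""",
}

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")  # "<kvno> <principal>" rows

def parse_klist(text):
    """Return {principal: set(kvno)} from `klist -k` output, skipping headers."""
    entries = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # one row per key; repeated rows for several enctypes collapse
            entries[m.group(2)].add(int(m.group(1)))
    return entries

def find_kvno_conflicts(klist_by_host):
    """For each principal present on more than one host, list the hosts whose
    keytab lacks the highest kvno seen: the KDC now issues tickets under the
    newer key, so fresh service tickets will fail against those hosts."""
    by_principal = defaultdict(dict)
    for host, text in klist_by_host.items():
        for princ, kvnos in parse_klist(text).items():
            by_principal[princ][host] = kvnos
    conflicts = {}
    for princ, hosts in by_principal.items():
        if len(hosts) < 2:
            continue
        newest = max(max(k) for k in hosts.values())
        stale = sorted(h for h, k in hosts.items() if newest not in k)
        if stale:
            conflicts[princ] = {"current_kvno": newest, "stale_hosts": stale}
    return conflicts
```

Calling `find_kvno_conflicts(KLIST_BY_HOST)` on the sample reports `test/gcnode029@EXAMPLE.COM` with kvno 6 current and `gcnode029` stale, while the `host/` entry shared at the same kvno (as after an external copy) is not flagged.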



