3

I am writing a pGina plugin to get AFS tokens and a Kerberos TGT from our KDCs at login. While writing I noticed a 'feature' of kinit, being that it won't let you provide any input unless it's from the keyboard; there went my idea of just redirecting the standard input...

Someone suggested using a keytab file for the principal, which seemed super easy, until I realised I'd only used ktutil on Linux and that the Windows (apparently) version, ktpass, sucks haaard. I have tried repeatedly with a large number of combinations of arguments to create a keytab but have had absolutely no success so far. The current command I am issuing is:

```
ktpass /out key.tab /mapuser user$@MERP.EDU /princ user.merp.edu@MERP.EDU /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL /pass mahpasswordlol /target MERP.EDU
```

Unfortunately all this outputs is

```
Using legacy password setting method
FAIL: ldap_bind_s failed: 0x31
```

Which, according to my research, is an authentication/crypto problem. I have tried it with the other DES settings but this also doesn't seem to work... Anyone have any experience/ideas on how this might work?

rolands
  • For the record, the return code `0x31` from `ldap_bind_s` corresponds to `LDAP_INVALID_CREDENTIALS`. https://msdn.microsoft.com/en-us/library/aa367014(v=vs.85).aspx – Ryan Ries Aug 13 '15 at 13:43

1 Answer

2

In the Windows environment, you have to run the command as the user specified in the ktpass command: `runas /user:domain\username cmd.exe`. The user also has to have administrative privileges.

PJ Media