Mike,

When you configure an i5/OS system to participate in Kerberos, the wizard asks you for a password. You can type anything you want for this password REGARDLESS of the pwdlvl setting of i5/OS. This is NOT an i5/OS user profile password, it is a password for a Kerberos service principal -- two completely separate things.

If you chose to have the wizard create a Windows .BAT file and you chose to add the password to this file, then you can see exactly what you typed. If not, then a good idea is to "copy" whatever you type into the paste buffer.

One problem lots of folks tend to run into is that they type a trivial password into the NAS config wizard. When they attempt to create the Windows service principal (via the ktpass command on Windows), they get a "password does not match" composition rules for the Windows environment. At this point, you have to use a password that meets the Windows rules -- but most importantly, you also have to go back and change the password in the keytab file on i5/OS to match whatever new password you provided on the ktpass command in Windows.

Patrick Botz
Vice President, Security Consulting
Group8 Security, Inc
Business : 1-775-852-8887
Home/Office: 1-507-285-9048
Mobile : 1-507-250-5644
http://www.group8security.com
mailto:Pat.Botz@xxxxxxxxxxxxxxxxxx




Mike Cunningham wrote:
I am getting closer to getting this to work between our Windows Kerberos server and i5OS. I think my current problem is related to mixed case passwords. Our Windows domain is set up to require the use of mixed case passwords so when I did the iSeries Navigator Wizard to set up Kerberos I used a mixed case password (e.g. not the real one but something like Kt639hJ). When I issue the command
kinit -k krbsvr400/system.pct.edu@xxxxxxx
I get an EUVF06016E Password not correct error
If I leave the -k off and issue the command
kinit krbsvr400/as400adm.pct.edu@xxxxxxx
And then enter the mixed case password I get a valid ticket issued

Does anyone know for sure if the i5OS half of this process can't deal with mixed case passwords? We do not have long passwords enabled for normal signon and there is nothing in the Kerberos manual that I can find that says mixed case passwords are not allowed


This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.