From: "Markus Moeller" <huaraz@moeller.plus.com>
In-Reply-To: <mailman.43.1251730131.12456.kerberos@mit.edu>
Date: Mon, 31 Aug 2009 21:16:46 +0100
MIME-Version: 1.0
Message-ID: <CcCdnXUAqJV-sgHXnZ2dnUVZ8n6dnZ2d@brightview.co.uk>
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hi Douglas,

I am not sure if you saw my follow-up entries. The msktutil command I used is

msktutil -c -b "CN=COMPUTERS" -s HTTP/<fqdn> -h <fqdn> -k /etc/HTTP.keytab --computer-name squid-HTTP --upn HTTP/<fqdn> --server <domain controller> --verbose --enctypes 28

As far as I recall the UPN is required for AS requests (e.g. to use kinit) and the SPN is used for TGS (e.g. when you use kvno). I used it as you described on 2003 for a long time too, but now facing 2008 I noticed this difference (e.g. if AD has two entries, one for host/fqdn - with UPN and SPN - and one for HTTP/fqdn - with UPN and SPN - and a client requests a HTTP/fqdn TGS or AS, the key for host/fqdn is used).

Regards
Markus

"Douglas E. Engert" <deengert@anl.gov> wrote in message news:mailman.43.1251730131.12456.kerberos@mit.edu...
>
> Markus Moeller wrote:
>> I use the latest msktutil (0.3.16-7) and can add an entry to Windows
>> 2008, but when I run kinit -kt test.keytab HTTP/fqdn I get
>> KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. Is there a setting in 2008 which needs to
>> be changed?
>
> I think AD will search for the UPN of HTTP/fqdn when a TGT is requested
> by kinit.
>
> Do you have any output from msktutil, or any dump of the
> AD entry? The UPN and SPNs would be helpful.
>
> It could be that the UPN of the account is host/fqdn@realm,
> with SPNs of host/fqdn and HTTP/fqdn. When you ran
> msktutil what options did you use?
>
> Is the UPN HTTP/fqdn@realm?
> Did you use the --upn HTTP/fqdn option?
>
> Since AD will let an account have one UPN, with multiple SPNs
> deriving the keys from the same password, msktutil will assume
> multiple principals in a keytab are for the same account.
>
> We always have one principal per account with separate keytabs,
> and use the --upn service/fqdn option too.
>
>> Thank you
>> Markus
>> ________________________________________________
>> Kerberos mailing list Kerberos@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>
> --
>
> Douglas E. Engert <DEEngert@anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
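Added example, not from this thread or from msktutil: a small parser for the MIT keytab format msktutil writes, used to check that the keytab holds the service principal with every enctype the account was provisioned for before trying kinit or kvno. It assumes the --enctypes value is the AD msDS-SupportedEncryptionTypes bitmask (28 = RC4 + AES128 + AES256) and builds a constructed sample keytab for HTTP/squid.example.com@EXAMPLE.COM; whether kinit then succeeds still depends on that principal being the account's UPN, as the thread describes.

```python
import struct

# msktutil's --enctypes value is assumed to be the AD msDS-SupportedEncryptionTypes
# bitmask (1 des-cbc-crc, 2 des-cbc-md5, 4 rc4-hmac, 8 aes128-cts, 16 aes256-cts),
# mapped here to the enctype numbers stored in keytab entries.
AD_BIT_TO_ENCTYPE = {1: 1, 2: 3, 4: 23, 8: 17, 16: 18}

def _cstr(buf, off):  # counted octet string: uint16 length + bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):  # MIT keytab v0x0502 -> list of (principal, kvno, enctype)
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                  # negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _cstr(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _cstr(data, off)
            comps.append(c)
        _nametype, _stamp, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13 + klen              # skip the key material
        kvno = vno8
        if end - off >= 4:            # optional 32-bit kvno trails the key
            kvno = struct.unpack_from(">I", data, off)[0] or vno8
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
        off = end
    return entries

def missing_enctypes(entries, principal, ad_bits):  # allowed by bitmask but absent
    wanted = {e for bit, e in AD_BIT_TO_ENCTYPE.items() if ad_bits & bit}
    return sorted(wanted - {e for p, _, e in entries if p == principal})

def _entry(comps, realm, kvno, enctype, key):  # build one 0x0502 entry for the sample
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: HTTP/fqdn holds only RC4 (23) and AES128 (17) keys, so an
# account provisioned with --enctypes 28 is missing its AES256 (18) key.
PRINC = ["HTTP", "squid.example.com"]
SAMPLE_KEYTAB = (b"\x05\x02" + _entry(PRINC, "EXAMPLE.COM", 2, 23, b"\x11" * 16)
                 + _entry(PRINC, "EXAMPLE.COM", 2, 17, b"\x22" * 16))
```

Run `missing_enctypes(parse_keytab(open(path, "rb").read()), "HTTP/<fqdn>@<REALM>", 28)` against a real keytab; a non-empty result means the KDC can pick an enctype the keytab cannot decrypt, which shows up as an error distinct from the UPN problem in the thread.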