[31443] in Kerberos
Re: msktutil problem with Windows 2008
daemon@ATHENA.MIT.EDU (Markus Moeller)
Wed Sep 2 09:37:57 2009
From: "Markus Moeller" <huaraz@moeller.plus.com>
In-Reply-To: <mailman.35.1251548728.12456.kerberos@mit.edu>
Date: Wed, 2 Sep 2009 06:40:49 +0100
MIME-Version: 1.0
Message-ID: <75mdneuw04AJmwPXnZ2dnUVZ8mydnZ2d@brightview.co.uk>
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
I found the problem with msktutil. It uses the wrong salt. For a computer
name with uppercase parts (e.g. squid-HTTP) it uses
DOM.LOCALhostsquid-HTTP.dom.local as salt instead of
DOM.LOCALhostsquid-http.dom.local.
Markus
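The salt mismatch described above, as an added example that is not part of the original thread: it builds the computer-account salt both ways for the names from the thread and runs the PBKDF2 stage of the aes256-cts-hmac-sha1-96 string-to-key function (RFC 3962) to show that the two salts yield different key material. The machine-account password is a constructed placeholder and the function names are assumptions of this example.

```python
"""Why a keytab built with a mis-cased salt fails to match the key held by AD.

The thread reports that the AD salt for a computer account is
REALM + "host" + lowercase host name + "." + lowercase DNS domain, while
msktutil 0.3.16 kept the host name's original case. The PBKDF2 stage below is
the first step of the RFC 3962 string-to-key; the later DK step is keyed by
this output, so a different tkey produces a different final AES key.
"""
import hashlib

ITERATIONS = 4096  # RFC 3962 default iteration count for the AES enctypes


def ad_computer_salt(realm: str, host: str, dns_domain: str) -> str:
    """Salt Active Directory uses for a computer account's long-term key."""
    # Only the realm is uppercase; host name and DNS domain are lowercased
    # no matter how the computer name was typed when the account was created.
    return realm.upper() + "host" + host.lower() + "." + dns_domain.lower()


def msktutil_0316_salt(realm: str, host: str, dns_domain: str) -> str:
    """Salt the thread reports msktutil 0.3.16 used: host name case preserved."""
    return realm.upper() + "host" + host + "." + dns_domain.lower()


def pbkdf2_stage(password: str, salt: str, iterations: int = ITERATIONS) -> bytes:
    """tkey = PBKDF2-HMAC-SHA1(password, salt, iterations, 32 bytes), RFC 3962 s.4."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, 32)


def keys_match(password: str, realm: str, host: str, dns_domain: str) -> bool:
    """True when the msktutil-style salt gives the same key material as AD's salt."""
    ad = pbkdf2_stage(password, ad_computer_salt(realm, host, dns_domain))
    mk = pbkdf2_stage(password, msktutil_0316_salt(realm, host, dns_domain))
    return ad == mk


if __name__ == "__main__":
    # Constructed placeholder; a real machine-account password is random.
    pw = "example-machine-password"
    for name in ("squid-HTTP", "centos"):
        state = "ok" if keys_match(pw, "DOM.LOCAL", name, "dom.local") else "key mismatch"
        print(f"{name}: {state}")
```

An all-lowercase name such as centos gives identical salts either way, which is why only hosts with uppercase parts in their name hit the Preauthentication failure.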
"Markus Moeller" <huaraz@moeller.plus.com> wrote in message
news:mailman.35.1251548728.12456.kerberos@mit.edu...
> Is it possible that Windows 2008 is mapping HTTP principals to host
> principals ?
>
> With two AD entries created by msktutil for host/fqdn and HTTP/fqdn my
> apache/squid module created an error "Decrypt integrity check failed" and
> a kinit -kt /etc/HTTP.keytab HTTP/fqdn fails, whereas kinit -kt
> /etc/host.keytab host/fqdn works.
>
> When I remove the AD entry which msktutil created for HTTP/fqdn and leave
> the AD entry for host/fqdn I still got an answer for kvno HTTP/fqdn. Now
> I used ktutil to create a HTTP keytab
>
> # ktutil
> ktutil: addent -key -p HTTP/centos.dom.local@DOM.LOCAL -k 2 -e
> aes256-cts-hmac-sha1-96
> Key for HTTP/centos.dom.local@DOM.LOCAL (hex):
> 3fab515ac867e26a6f388707f282824ee3b50310cbbb9b625273dfe21aed5c03
> ktutil: wkt /etc/HTTP.keytab
> ktutil: quit
>
> I can use the HTTP keytab with kinit and I can also use it now for
> apache/squid.
>
> It looks like when IE requests a HTTP/fqdn ticket 2008 converts it into a
> request for host/fqdn and ignores entries with a serviceprincipal set to
> HTTP/fqdn.
>
> Can anybody confirm that ? Or what do I do wrong ?
>
> Thank you
> Markus
>
> "Markus Moeller" <huaraz@moeller.plus.com> wrote in message
> news:h7b5a5$tb0$1@ger.gmane.org...
>> I was too quick. I get it to work with host/fqdn (e.g. kinit -kt
>> /etc/krb5.keytab host/centos.dom.local) but not with HTTP/fqdn. I use
>> AES-256 CTS mode with 96-bit SHA-1 HMAC.
>>
>> klist -ekt /etc/krb5.keytab
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Timestamp         Principal
>> ---- ----------------- ---------------------------------------------------------
>>    3 08/29/09 20:54:49 host/centos.dom.local@DOM.LOCAL (ArcFour with HMAC/md5)
>>    3 08/29/09 20:54:49 host/centos.dom.local@DOM.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>>    3 08/29/09 20:54:49 host/centos.dom.local@DOM.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>>
>> klist -e
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: host/centos.dom.local@DOM.LOCAL
>>
>> Valid starting     Expires            Service principal
>> 08/29/09 21:48:32  08/30/09 07:47:42  krbtgt/DOM.LOCAL@DOM.LOCAL
>>         renew until 08/30/09 21:48:32, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
>>
>> klist -ekt /etc/HTTP.keytab
>> Keytab name: FILE:/opt/squid-3.0/etc/HTTP.keytab
>> KVNO Timestamp         Principal
>> ---- ----------------- ---------------------------------------------------------
>>    2 08/29/09 21:39:35 HTTP/centos.dom.local@DOM.LOCAL (ArcFour with HMAC/md5)
>>    2 08/29/09 21:39:35 HTTP/centos.dom.local@DOM.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>>    2 08/29/09 21:39:35 HTTP/centos.dom.local@DOM.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>>
>>
>> kinit -kt /etc/HTTP.keytab HTTP/centos.dom.local
>> kinit(v5): Preauthentication failed while getting initial credentials
>>
>> Markus
>>
>>
>> "Markus Moeller" <huaraz@moeller.plus.com> wrote in message
>> news:CF5A795E7B16440FA314ED54D5645C0B@VAIOLaptop...
>>> Wolf-Agathon,
>>>
>>> I did export the keytab, but I found out the Hotfix 951191 was not
>>> installed on the 2008 DC.
>>>
>>> Markus
>>>
>>> ----- Original Message -----
>>> From: "Wolf-Agathon Schaly" <schaly_wolf-agathon@arcor.de>
>>> To: <huaraz@moeller.plus.com>; <kerberos@mit.edu>
>>> Sent: Saturday, August 29, 2009 11:27 AM
>>> Subject: **SPAM ZEN 91.53.127.108** Aw: msktutil problem with Windows
>>> 2008
>>>
>>>
>>>> Howdy Markus
>>>>
>>>> Sounds to me that you're trying to use a keytab without exporting the key
>>>> to your keytab file test.keytab
>>>>
>>>> am I right ?
>>>>
>>>> cheers
>>>> Wolf-Agathon
>>>>
>>>>
>>>> ----- Original Message ----
>>>> From: Markus Moeller <huaraz@moeller.plus.com>
>>>> To: kerberos@mit.edu
>>>> Date: 29.08.2009 00:07
>>>> Subject: msktutil problem with Windows 2008
>>>>
>>>>> I use the latest msktutil (0.3.16-7) and can add an entry to Windows
>>>>> 2008, but when I run kinit -kt test.keytab HTTP/fqdn I get
>>>>> KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. Is there a setting in 2008 which needs
>>>>> to be changed ?
>>>>>
>>>>> Thank you
>>>>> Markus
>>>>>
>>>>>
>>>>> ________________________________________________
>>>>> Kerberos mailing list Kerberos@mit.edu
>>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>