
Re: msktutil problem with Windows 2008

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Wed Sep 2 10:41:13 2009

X-Barracuda-Envelope-From: deengert@anl.gov
Message-ID: <4A9E83DF.6080904@anl.gov>
Date: Wed, 02 Sep 2009 09:40:31 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Markus Moeller <huaraz@moeller.plus.com>
In-Reply-To: <75mdneuw04AJmwPXnZ2dnUVZ8mydnZ2d@brightview.co.uk>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Markus Moeller wrote:
> I found the problem with msktutil. It uses the wrong salt. For a computer 
> name with uppercase parts (e.g. squid-HTTP) it uses 
> DOM.LOCALhostsquid-HTTP.dom.local as salt instead of 
> DOM.LOCALhostsquid-http.dom.local.

I would like to reword this...

Windows AD appears to generate a salt for computer accounts using the
concatenation of:
    uppercase(domain) "host" lowercase(SAMAccountName) "." lowercase(domain)

But msktutil was using:
    uppercase(domain) "host" SAMAccountName "." lowercase(domain)

So this would only be a problem for accounts where the account name had mixed case.
The circumvention is to use msktutil --computername some-lowercase-name,
i.e. always use lower case for the computer name.

Windows 2003 does the same thing. All of our computer accounts had been
lowercase, so we never ran across this problem.


> 
> Markus
> 
> 
> "Markus Moeller" <huaraz@moeller.plus.com> wrote in message 
> news:mailman.35.1251548728.12456.kerberos@mit.edu...
>> Is it possible that Windows 2008 is mapping HTTP principals to host 
>> principals ?
>>
>> With two AD entries created by msktutil for host/fqdn and HTTP/fqdn my 
>> apache/squid module created an error  "Decrypt integrity check failed" and 
>> a kinit -kt /etc/HTTP.keytab HTTP/fqdn fails, whereas kinit -kt 
>> /etc/host.keytab host/fqdn works.
>>
>> When I remove the AD entry which msktutil created for HTTP/fqdn and leave 
>> the AD entry for host/fqdn I still got an answer for kvno HTTP/fqdn.  Now 
>> I used ktutil to create a HTTP keytab
>>
>> # ktutil
>> ktutil:  addent -key -p HTTP/centos.dom.local@DOM.LOCAL -k 2 -e 
>> aes256-cts-hmac-sha1-96
>> Key for HTTP/centos.dom.local@DOM.LOCAL (hex): 
>> 3fab515ac867e26a6f388707f282824ee3b50310cbbb9b625273dfe21aed5c03
>> ktutil:  wkt  /etc/HTTP.keytab
>> ktutil:  quit
>>
>> I can use the HTTP. keytab with kinit and I can also use it now for 
>> apache/squid.
>>
>> It looks like when IE requests a HTTP/fqdn ticket 2008 converts it in a 
>> request for host/fqdn and ignores entries with a serviceprincipal set to 
>> HTTP/fqdn.
>>
>> Can anybody confirm that ? Or what do I do wrong ?
>>
>> Thank you
>> Markus
>>
>> "Markus Moeller" <huaraz@moeller.plus.com> wrote in message 
>> news:h7b5a5$tb0$1@ger.gmane.org...
>>> I was too quick. I get it to work with host/fqdn (e.g. kinit -kt
>>> /etc/krb5.keytab host/centos.dom.local) but not with HTTP/fqdn.  I use
>>> AES-256 CTS mode with 96-bit SHA-1 HMAC.
>>>
>>> klist -ekt /etc/krb5.keytab
>>> Keytab name: FILE:/etc/krb5.keytab
>>> KVNO Timestamp         Principal
>>> ---- ----------------- --------------------------------------------------------
>>>   3 08/29/09 20:54:49 host/centos.dom.local@DOM.LOCAL (ArcFour with
>>> HMAC/md5)
>>>   3 08/29/09 20:54:49 host/centos.dom.local@DOM.LOCAL (AES-128 CTS mode
>>> with 96-bit SHA-1 HMAC)
>>>   3 08/29/09 20:54:49 host/centos.dom.local@DOM.LOCAL (AES-256 CTS mode
>>> with 96-bit SHA-1 HMAC)
>>>
>>> klist -e
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: host/centos.dom.local@DOM.LOCAL
>>>
>>> Valid starting     Expires            Service principal
>>> 08/29/09 21:48:32  08/30/09 07:47:42  krbtgt/DOM.LOCAL@DOM.LOCAL
>>>        renew until 08/30/09 21:48:32, Etype (skey, tkt): AES-256 CTS mode
>>> with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
>>>
>>>
>>>
>>> klist -ekt /etc/HTTP.keytab
>>> Keytab name: FILE:/opt/squid-3.0/etc/HTTP.keytab
>>> KVNO Timestamp         Principal
>>> ---- ----------------- --------------------------------------------------------
>>>   2 08/29/09 21:39:35 HTTP/centos.dom.local@DOM.LOCAL (ArcFour with
>>> HMAC/md5)
>>>   2 08/29/09 21:39:35 HTTP/centos.dom.local@DOM.LOCAL (AES-128 CTS mode
>>> with 96-bit SHA-1 HMAC)
>>>   2 08/29/09 21:39:35 HTTP/centos.dom.local@DOM.LOCAL (AES-256 CTS mode
>>> with 96-bit SHA-1 HMAC)
>>>
>>>
>>> kinit -kt /etc/HTTP.keytab HTTP/centos.dom.local
>>> kinit(v5): Preauthentication failed while getting initial credentials
>>>
>>> Markus
>>>
>>>
>>> "Markus Moeller" <huaraz@moeller.plus.com> wrote in message
>>> news:CF5A795E7B16440FA314ED54D5645C0B@VAIOLaptop...
>>>> Wolf-Agathon,
>>>>
>>>>   I did export the keytab, but I found out the Hotfix 951191 was not
>>>> installed on the 2008 DC.
>>>>
>>>> Markus
>>>>
>>>> ----- Original Message ----- 
>>>> From: "Wolf-Agathon Schaly" <schaly_wolf-agathon@arcor.de>
>>>> To: <huaraz@moeller.plus.com>; <kerberos@mit.edu>
>>>> Sent: Saturday, August 29, 2009 11:27 AM
>>>> Subject: **SPAM ZEN 91.53.127.108** Aw: msktutil problem with Windows 2008
>>>>
>>>>
>>>>> Howdy Markus
>>>>>
>>>>> Sounds to me that you're trying to use a keytab without exporting the key
>>>>> to your keytab file test.keytab
>>>>>
>>>>> am I right ?
>>>>>
>>>>> cheers
>>>>>  Wolf-Agathon
>>>>>
>>>>>
>>>>> ----- Original Message ----
>>>>> From:    Markus Moeller <huaraz@moeller.plus.com>
>>>>> To:      kerberos@mit.edu
>>>>> Date:    29.08.2009 00:07
>>>>> Subject: msktutil problem with Windows 2008
>>>>>
>>>>>> I use the latest msktutil (0.3.16-7) and can add an entry to Windows 2008,
>>>>>> but when I run kinit -kt test.keytab HTTP/fqdn I get
>>>>>> KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. Is there a setting in 2008 which needs
>>>>>> to be changed ?
>>>>>>
>>>>>> Thank you
>>>>>> Markus
>>>>>>
>>>>>>
>>>>>> ________________________________________________
>>>>>> Kerberos mailing list           Kerberos@mit.edu
>>>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>>>
>>>>
>>>>
>>>
>>>
>>
> 
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
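The salt rule Douglas describes above (uppercase domain, the literal "host", the lowercased computer name, a dot, the lowercased domain) and the mixed-case mismatch Markus hit can be checked directly. The script below is an added illustration, not code from msktutil or from anyone in this thread: it builds both salt strings, then runs the PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES string-to-key over each to show that a mismatched salt yields different key material (which is what surfaces as "Preauthentication failed" or "Decrypt integrity check failed"). Assumptions: the computer name is the value given to msktutil --computername, so a trailing "$" from the raw sAMAccountName is stripped; the 4096-iteration default and the omitted final DK step are taken from RFC 3962; the password and names are constructed sample values.

```python
import hashlib

# RFC 3962 default PBKDF2 iteration count for aes256-cts-hmac-sha1-96 (assumed).
PBKDF2_ITERATIONS = 4096
AES256_KEY_BYTES = 32


def _bare_name(computer_name: str) -> str:
    # Assumption: strip the trailing "$" that AD puts on a computer sAMAccountName
    # so that "SQUID-HTTP$" and the --computername value "squid-HTTP" agree.
    return computer_name.rstrip("$")


def ad_computer_salt(domain: str, computer_name: str) -> str:
    """Salt AD uses for a computer account, as described in the post:
    uppercase(domain) "host" lowercase(name) "." lowercase(domain)."""
    name = _bare_name(computer_name)
    return f"{domain.upper()}host{name.lower()}.{domain.lower()}"


def msktutil_legacy_salt(domain: str, computer_name: str) -> str:
    """Salt the reported msktutil version built: the name is *not* lowercased."""
    name = _bare_name(computer_name)
    return f"{domain.upper()}host{name}.{domain.lower()}"


def aes256_pbkdf2_stage(password: str, salt: str) -> bytes:
    """First stage of RFC 3962 AES string-to-key: PBKDF2-HMAC-SHA1 over the
    UTF-8 password and salt. The final DK(tkey, "kerberos") step is omitted;
    the output is only used here to show whether two salts agree."""
    return hashlib.pbkdf2_hmac(
        "sha1",
        password.encode("utf-8"),
        salt.encode("utf-8"),
        PBKDF2_ITERATIONS,
        AES256_KEY_BYTES,
    )


def keys_agree(domain: str, computer_name: str, password: str) -> bool:
    """True when AD and the legacy msktutil salt derive the same key material."""
    ad_key = aes256_pbkdf2_stage(password, ad_computer_salt(domain, computer_name))
    old_key = aes256_pbkdf2_stage(password, msktutil_legacy_salt(domain, computer_name))
    return ad_key == old_key


if __name__ == "__main__":
    # Constructed sample values (no real account password).
    password = "example-machine-password"
    for name in ("squid-HTTP", "web01"):
        print(f"{name:12s} AD salt:      {ad_computer_salt('dom.local', name)}")
        print(f"{name:12s} msktutil salt:{msktutil_legacy_salt('dom.local', name)}")
        print(f"{name:12s} keys agree:   {keys_agree('dom.local', name, password)}")
```

Running it shows the two salts (and therefore the derived keys) diverge only for the mixed-case name, which is exactly why forcing a lowercase --computername sidesteps the bug. Note that this check is for the AES enctypes; the RC4-HMAC key in the same keytab is an MD4 hash of the UTF-16LE password and uses no salt at all, so it is unaffected by this mismatch.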
