[28903] in Kerberos
RE: AD 2003; MS's ktpass made account corrupted
daemon@ATHENA.MIT.EDU (Henoc)
Thu Dec 13 03:33:12 2007
From: "Henoc" <henoc@gbconcept.com>
To: "'Douglas E. Engert'" <deengert@anl.gov>
In-Reply-To: <4760433A.80803@anl.gov>
Date: Thu, 13 Dec 2007 09:32:59 +0100
Message-ID: <00bc01c83d62$c4cda540$4e68efc0$@com>
MIME-Version: 1.0
Content-Language: fr
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Thanks Douglas for your help.
Just one thing to make clear for me (I'm not a Kerberos specialist so I
would like to be sure ) :
So I got my computer WWWSRVHOST joined to my domain
It has most of the time these spn already made by AD :
HOST/WWWSRVHOST@FQDN.com
My goal is :
- (1) - to add a HTTP/WWWSRVHOST@FDN.com SPN to my computer's entry
- (2) - then to produce the corresponding Keytab file
So to reach this :
a)- under a unix box or via cygwin on the same windows I have to install
mskutil (didn't succeed finding a windows version )
b)- emit these kind of command line : (not that the computer pre-exist in
the domain; in most of my client environment it is a windows box on which I
have to install my stuff)
msktutil -b <base> -k <file> s <HTTP/WWWSRVHOST@FDN.com >
Is that all so simple ?? I can't believe I have been turning around for
decades for something so easy.
Should post this on different forums to avoid this for other people.
I can test before Friday or Monday
If I made some huge mistake in my understanding, please let me know
Thanks again for your help, which was very useful
Sincerely
-----Message d'origine-----
De : Douglas E. Engert [mailto:deengert@anl.gov]
Envoyé : mercredi 12 décembre 2007 21:23
À : Henoc@gbconcept.com
Cc : kerberos@mit.edu
Objet : Re: AD 2003; MS's ktpass made account corrupted
Henoc@gbconcept.com wrote:
> Hi Eeery one.
>
> I'm turning to you to know if you have found a way to deal with the bug
> on windows' ktpass tool :
>
> When used to deliver a keytab it corrompts the account.
ktpass was not intended to be used with computer accounts for
computers joined to the domain. It was intended to be used to add
unix machine principals and create keytabs for non-domain machines.
But see below...
>
> The computer can't any more log on the windows Domain.
When you run ktpass with it will update AD and create a keytab.
The machine that was joined, has the old password stached away,
so it won't match.
>
> You have to delete it's account on the AD side and then rebind it to the
> domain.
>
Yes gets the machine password and the password in AD in sync.
>
> I have tried microsoft so-called corrective; I have been told to go on
SP2;
> all of this wich do exactly the same.
>
>
> -------------------------------
> most accurate entry in the microsoft KB :
>
>> http://support.microsoft.com/kb/939980/en-us
>>> You cannot log on to a Windows Server 2003 domain by using a user
> account after you reset the user account password by using the
> ktpass.exe tool together with the -pass * parameter
>
> in fact not limited to "/pass * " as long as I have tested with "/pass
> mypasswd" it fails also.
>
>
> and also the first problem on microsoft KB was :
>> http://support.microsoft.com/kb/919557/en
>>> You receive pre-authentication errors when you use keytab files that
> are generated by using the Ktpass.exe tool on a Windows Server 2003
> SP1-based computer
>
>
> -------------------------------
>
>
>
> So here is my question :
> Did you succed in creating correct keytab and still not breaking your
> computer's appartnance to his AD domain. ?
> If yes please let me step by step what to do. (AND MOST OF ALL Send me a
> private mail with the binary)
>
> Or is there a alternative to the use of microsoft's ktpass on windows ?
Yes, msktutil. Uses OpenSSL to talk to AD, to add accounts and principals,
and create keytabs. Can handle multiple principals using the same AD
account.
>
>
> PS : I use this style of command line :
>
> */ktpass /out httpSrv.keytab /mapuser WWWSRVHOST /princ
> HTTP//**/WWWSRVHOST/**/@TESTDOMAIN.LOCAL /crypto RC4-HMAC-NT /pass *
> /ptype KRB5_NT_PRINCIPAL/*
Are you using the same AD account for a host principal *AND* a HTTP
principal?
If yes, that is your problem, AD only stores one password per account,
so if you create the keytab for http, the keytab for the host will not
match any more.
Use a different /mapuser account for each.
>
>
>
>
> Thanks
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
