Re: confusion with service principal names in Active Directory
daemon@ATHENA.MIT.EDU (Markus Moeller)
Mon Mar 30 15:58:18 2009
To: kerberos@mit.edu
From: "Markus Moeller" <huaraz@moeller.plus.com>
Date: Mon, 30 Mar 2009 20:57:02 +0100
Message-ID: <gqr86k$i4q$1@ger.gmane.org>
Mime-Version: 1.0
X-Complaints-To: usenet@ger.gmane.org
In-Reply-To: <49D0EE12.2070907@realityfailure.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
"John Jasen" <jjasen@realityfailure.org> wrote in message
news:49D0EE12.2070907@realityfailure.org...
>
> Please forgive me if this is not the right venue.
>
> I seem to have not found the magic required to use kerberos service
> principal names on unix systems against an Active Directory server.
>
> In the one particular example, we're trying to use kerberized NFS, so
> the server daemon needs to be able to find nfs/fqdn@REALM.
>
> I can see the entries in the computer accounts servicePrincipalName
> field, but the various UNIX systems can't find them -- either on service
> initialization, or attempting kinit from commandline with the system
> keytab.
>
> IE:
>
> klist -ke /etc/krb5.keytab | grep host
>
> 2 host/kernelpanic.example.com@EXAMPLE.REALM (DES cbc mode with CRC-32)
>
> [root@kernelpanic ~]# kinit host/kernelpanic.example.com -kt /etc/krb5.keytab
> kinit(v5): Client not found in Kerberos database while getting initial
> credentials
>
> (same results if I do host/kernelpanic.example.com@EXAMPLE.REALM)
>
> This behavior holds true for OS X kerberos clients, Red Hat 4 and 5
> kerberos clients, and Solaris 10 kerberos clients. I can provide the
> versions if required.
>
> The AD server in question is Windows 2003 R2.
>
> The only way I've found around this is to set the userPrincipalName in
> AD to the service I really really need.
>
> ie: in the case above, userPrincipalName is set to
> nfs/kernelpanic.example.com@EXAMPLE.REALM. After doing that, I can kinit
> that service principal successfully, and the service dependent on it can
> also initialize correctly.
>
> From my testing, using ktpass.exe to write a keytab file seems to pretty
> much automatically set the userPrincipalName to the last entry created.
> Unfortunately, if you have a multi-role server, this creates
> difficulties. (ie: trying to use http/hostname and sql/hostname).
>
> Is there a way around this that I've missed? An option either on the
> client side or the server side that I've missed?
>
You might want to use a tool like msktutil from Dan Perry
http://dag.wieers.com/rpm/packages/msktutil/ to create your AD entry and
keytab.
1) kinit administrator@DOMAIN (or an account which has access to a newly
   created OU (e.g. OU=UnixKerberos). You need to replace CN=COMPUTERS below
   with OU=UnixKerberos.)
2) msktutil -c -b "CN=COMPUTERS" -s host/<fqdn> -h <fqdn> -k /etc/krb5.keytab \
     --computer-name <host>-host --upn host/<fqdn> --server <domain controller> --verbose
3) msktutil -c -b "CN=COMPUTERS" -s nfs/<fqdn> -h <fqdn> -k /etc/krb5.keytab \
     --computer-name <host>-nfs --upn nfs/<fqdn> --server <domain controller> --verbose
Regards
Markus
> --
> -- John E. Jasen (jjasen@realityfailure.org)
> -- No one will sorrow for me when I die, because those who would
> -- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
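As an added diagnostic script (not from the thread or from msktutil), this lists every principal in a keytab and tries each one as the kinit client, separating "Client not found" (the symptom above: the name exists only in servicePrincipalName, not as the account's userPrincipalName) from other errors. The keytab path is an assumption and the embedded klist output is constructed sample data so the parser can be exercised without a keytab.

```shell
#!/bin/sh
# Added example: find keytab principals that AD will not accept as a client name.
set -u

# Constructed sample of `klist -ke` output (not real output from the thread).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/kernelpanic.example.com@EXAMPLE.REALM (DES cbc mode with CRC-32)
   2 nfs/kernelpanic.example.com@EXAMPLE.REALM (DES cbc mode with CRC-32)
   2 host/kernelpanic.example.com@EXAMPLE.REALM (ArcFour with HMAC/md5)'

# Read `klist -ke` output on stdin; print each distinct principal once.
# Entry lines start with a numeric KVNO followed by a name containing '@'.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /@/ { print $2 }' | sort -u
}

# Try to get initial credentials as $1 from keytab $2 (assumed default
# /etc/krb5.keytab) into a throwaway cache. Prints OK, NO-UPN (AD answered
# "Client not found": set the account's userPrincipalName) or FAIL.
check_principal() {
    princ=$1; keytab=${2:-/etc/krb5.keytab}
    cache=$(mktemp)
    out=$(KRB5CCNAME="FILE:$cache" kinit -kt "$keytab" "$princ" 2>&1)
    rc=$?
    rm -f "$cache"
    if [ "$rc" -eq 0 ]; then
        echo "OK $princ"
    elif echo "$out" | grep -q "Client not found"; then
        echo "NO-UPN $princ"
    else
        echo "FAIL $princ: $out"
    fi
    return "$rc"
}

# Check every principal in the given keytab.
check_keytab() {
    keytab=${1:-/etc/krb5.keytab}
    klist -ke "$keytab" | keytab_principals | while read -r p; do
        check_principal "$p" "$keytab"
    done
}

# `--demo` only parses the constructed sample; otherwise nothing runs on load.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_KLIST" | keytab_principals
fi
```

Run `sh checkkeytab.sh` on a host with the keytab to see which entries come back NO-UPN; `--demo` exercises only the parser.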