Re: kerberos tickets and the SPNs
daemon@ATHENA.MIT.EDU (Ravi Channavajhala)
Wed May 6 15:57:49 2009
In-Reply-To: <4A01E5FD.5030107@anl.gov>
Date: Thu, 7 May 2009 01:27:22 +0530
Message-ID: <73739dc10905061257y2d872683xcebe0a54e7b0ed89@mail.gmail.com>
From: Ravi Channavajhala <ravi.channavajhala@dciera.com>
To: "Douglas E. Engert" <deengert@anl.gov>
Cc: kerberos@mit.edu
On Thu, May 7, 2009 at 1:03 AM, Douglas E. Engert <deengert@anl.gov> wrote:
>
> Windows treats principal names as case insensitive.
> Kerberos treats them as case sensitive.
>
> Normally Kerberos host/hostname@REALM has "host" in lower case.
> So why is Samba net ADS join is using upper case is not clear.
Just to be sure, I did delete the computer object from AD and
re-created it from net ads; the SPNs appear again in the same way.
> If the net ads join adds the SPN in uppercase, then the ktpass
> with lower case, it will work, as windows is case insensitive
> and the SPN already exists.
>
> You could try changing the SPN to lower case.
I might as well add new SPNs with the setspn -A option
>> HOST/HOSTNAME
>>
>> HOST/hostname.domain.com (FQDN)
>>
>
> So you have two accounts with the same SPN? (differing by case only?)
> Or did you remove the net ads join created entry first?
Yeah, but they are two different objects: one is a computer and the
other is a user. In the above case the two SPNs are for the computer
object only, as indicated by the host. The SPN for the user object
typically appears as DOMAIN\USERNAME
>> I then ftped this file over to Solaris host and try to authenticate a user
>> login via AD, I get
>>
>> PAM-KRB5 (auth): krb5_verify_init_creds failed: Server not found in Kerberos
>> database
>>
>
> Could be the case issue. krb5 is looking for "host"
Looks like it, as I get different error messages depending on how I
specify the ktpass -princ with either host or HOST.
>> Running PAM in debug mode didn't reveal anything specific other than the
>> obvious.
>
> Wireshark could be used to see the network traffic between server and KDC.
> This sounds like a case issue...
It sure is, but my problem is how to avoid manual work in case a
future server base is built and I have to do a monkey boy's job
of checking SPNs and adding/removing... there must be a way out of
this. I got oodles of ldap traffic captured with snoop, which I will
look at further.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
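The automation asked for at the end of the message, as an added example that is not code from this thread or from Samba/MIT krb5: it reads an LDIF dump of the AD computer object (the kind ldapsearch produces; the sample below is constructed), compares the servicePrincipalName values case-sensitively against the host/ names an MIT krb5 client will request, and prints the setspn commands that would fix them. It assumes that krb5_sname_to_principal() lowercases the host name (so the client asks for host/fqdn and host/shortname in lowercase), that MIT krb5 compares principal names case-sensitively while AD does not, and that AD will not hold two SPNs differing only by case, so a HOST/x value is replaced with setspn -D followed by setspn -A rather than supplemented. The sAMAccountName and dNSHostName are taken from the dump, not guessed.

```python
"""Check an AD computer object's SPNs for the exact-case host/ entries an
MIT krb5 client will ask for, and print the setspn commands that fix them.

Added example, not code from the thread. Assumptions:
  - input is an LDIF dump of the computer object, e.g. from ldapsearch
    (a constructed sample is embedded below);
  - the krb5 client requests host/<lowercased fqdn>@REALM, which is what
    krb5_sname_to_principal() builds, and MIT krb5 compares principal
    names case-sensitively;
  - AD matches servicePrincipalName case-insensitively, so a lowercase
    twin of HOST/x cannot sit beside it; the existing value is replaced
    (setspn -D, then setspn -A) instead.
"""
import base64
import re

# Constructed sample: what "net ads join" left on the object (uppercase
# HOST/ SPNs), plus a folded line and a base64 value to exercise the parser.
SAMPLE_LDIF = """\
dn: CN=SOLHOST,CN=Computers,DC=domain,DC=com
objectClass: computer
sAMAccountName: SOLHOST$
dNSHostName: solhost.domain.com
servicePrincipalName: HOST/SOLHOST
servicePrincipalName: HOST/solhost.d
 omain.com
servicePrincipalName:: Y2lmcy9zb2xob3N0LmRvbWFpbi5jb20=
"""


def ldif_values(ldif_text, attr):
    """Return all values of `attr` from an LDIF record, in order.

    Unfolds continuation lines (newline + one space) and decodes the
    base64 'attr:: value' form; everything else is plain 'attr: value'."""
    unfolded = re.sub(r"\n ", "", ldif_text)
    values = []
    for line in unfolded.splitlines():
        m = re.match(rf"^{re.escape(attr)}(::?)[ \t]*(.*)$", line)
        if not m:
            continue
        sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        values.append(value.strip())
    return values


def expected_host_spns(fqdn):
    """The two host/ SPNs krb5 may look up, in the case krb5 uses."""
    fqdn = fqdn.lower()
    return [f"host/{fqdn}", f"host/{fqdn.split('.')[0]}"]


def missing_host_spns(existing, fqdn):
    """Split the expected SPNs into (absent, present-but-wrong-case).

    'wrong case' is the thread's failure mode: AD accepts the SPN, ktpass
    succeeds, and pam_krb5 still reports
    'Server not found in Kerberos database'."""
    exact = set(existing)
    by_fold = {s.lower(): s for s in existing}
    absent, wrong_case = [], {}
    for spn in expected_host_spns(fqdn):
        if spn in exact:
            continue
        if spn.lower() in by_fold:
            wrong_case[spn] = by_fold[spn.lower()]  # wanted -> existing variant
        else:
            absent.append(spn)
    return absent, wrong_case


def setspn_fix_commands(ldif_text):
    """Build the setspn commands for one computer object's LDIF dump."""
    account = ldif_values(ldif_text, "sAMAccountName")[0]
    fqdn = ldif_values(ldif_text, "dNSHostName")[0]
    existing = ldif_values(ldif_text, "servicePrincipalName")
    absent, wrong_case = missing_host_spns(existing, fqdn)
    cmds = [f"setspn -A {spn} {account}" for spn in absent]
    for wanted, current in wrong_case.items():
        cmds.append(f"setspn -D {current} {account}")
        cmds.append(f"setspn -A {wanted} {account}")
    return cmds


if __name__ == "__main__":
    for cmd in setspn_fix_commands(SAMPLE_LDIF):
        print(cmd)
```

Run it over the LDIF of each newly joined host and feed the printed lines to setspn on a domain-joined Windows box; the same LDIF comparison can be done from the Solaris side with ldapsearch before the keytab is ever created, which removes the guesswork about whether ktpass should be given host/ or HOST/. After the change, a TGS-REQ for host/solhost.domain.com captured with Wireshark should come back with that exact service name rather than KDC_ERR_S_PRINCIPAL_UNKNOWN.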