[31077] in Kerberos
Re: kerberos tickets and the SPNs
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Fri May 8 10:41:50 2009
X-Barracuda-Envelope-From: deengert@anl.gov
Message-ID: <4A044454.4050900@anl.gov>
Date: Fri, 08 May 2009 09:40:20 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Ravi Channavajhala <ravi.channavajhala@dciera.com>
In-Reply-To: <73739dc10905072307i7ec2cd2co54dd08f997a8baa5@mail.gmail.com>
Cc: Markus Moeller <huaraz@moeller.plus.com>, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Ravi Channavajhala wrote:
> On Fri, May 8, 2009 at 4:26 AM, Markus Moeller <huaraz@moeller.plus.com> wrote:
>
>>> Interesting. This means, I need to have all the SPNs included in the
>>> keytab? Do you see an inherent problem with deleting the existing
>>> SPNs on windows KDC and adding only one SPN of the form host/fqdn and
>>> generating the keytab?
>>>
>> The best would be to have one entry in AD with the host/fqdn syntax. If you
>> have clients requesting HOST/fqdn just use the above method to add a second
>> entry with the same key. AD will handle HOST/fqdn and host/fqdn in the same
>> way as it is case insensitive, so no need to add a second entry to AD.
>
> I deleted the computer object in AD, waited for the replication to
> complete and then re-added the AD object. Now the SPN appears as
>
Note that the MS documentation says to add a "user" account, not a "computer"
account. (Sounds counterintuitive...)
http://technet.microsoft.com/en-us/library/bb742433.aspx
To configure the UNIX hosts
Use the Active Directory Management tool to create a new user account for the UNIX host:
Select the Users folder, right-click and select New, then choose user.
Type the name of the UNIX host.
(The last line means: pick a unique name in the forest for the account, i.e. it is used as the
SamAccountName (without the $), so it must be 19 characters. Use some convention,
like host-name-dept, where h is short for host, name is the simple host name,
and dept. (We have department DNS domains, but the AD is site wide.)
The ktpass then *ADDS* the SPN to the user account using the -principal option.
I am pretty sure if you create a "computer" account, the SPN gets added
during account creation, and that is why you are seeing the uppercase HOST.
> host/host.fqdn
>
> Which is good. I ran the ktpass to generate the new keys for this
> host using the SPN created with the correct realm. Now, when Solaris
> is trying to authenticate an AD user, I still get the server not found
> in kerberos database, modifying the keytab manually with ktutil on
> Solaris gives me PAM-KRB5 (auth) the key table entry not found. If it
> is of any academic value, in the -mapuser switch I used an ordinary
> AD user (not even a service account) whose name is the same as the
> computer name.
The ktpass -mapuser user refers to the account created to hold the
principal, above, not a real user.
> One is cn=users, the other cn=computers, so I don't
It does not matter where it is located, but follow some convention,
like create a cn=Unix and you can have Unix admins given rights to add
accounts to this subtree.
> believe this could be the problem. For kicks, I created another
> user whose name is not the same as the host and tried...no luck. So
> having distinct SPN, UPNs also didn't work.
>
> As a last desperate measure, is there any elegant way to examine the
> kerberos database to see if a sticky reference to the host principal
> is lingering around and forcibly delete it? This is really getting a
> bit vexing.
You could use ldapsearch and filter for "(serviceprincipalname=host/fqdn)"
or "(dnshostname=fqdn)"
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
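The two errors Ravi reports in this thread, "server not found in Kerberos database" and "key table entry not found", come from different places: the first means the AD KDC has no SPN matching the name the client asked for, the second means the Solaris keytab holds no key for the principal named in the ticket that was issued. Douglas's ldapsearch filter covers the AD side; the script below, added here as an example and not part of the thread or of MIT/Microsoft tooling, parses the keytab file itself and compares it with the servicePrincipalName values from such an ldapsearch dump, flagging case-only differences such as HOST/ versus host/ (AD matches SPNs case-insensitively, an MIT keytab lookup does not). The realm, host names and key bytes are constructed for the sample.

```python
"""Check a Kerberos keytab against the SPNs ldapsearch reports for the AD account."""
import base64
import struct

def _counted(buf, off):
    """uint16-length-prefixed octet string at buf[off] -> (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(blob):
    """Parse an MIT keytab (version 0x0502, big-endian). Each entry is an int32
    size (negative = deleted slot) then uint16 ncomp, counted realm, counted
    components, uint32 name_type, uint32 timestamp, uint8 vno8, uint16 enctype,
    uint16 keylen, key bytes and an optional uint32 vno32."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version: %r" % blob[:2])
    off, entries = 2, []
    while off + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, off)
        off += 4
        if size == 0: break                # no more entries
        if size < 0:                       # deleted slot: skip its bytes
            off -= size
            continue
        body, p = blob[off:off + size], 0
        off += size
        (ncomp,) = struct.unpack_from(">H", body, p)
        realm, p = _counted(body, p + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(body, p)
            comps.append(c.decode())
        _ntype, _ts, vno8 = struct.unpack_from(">IIB", body, p)
        enctype, klen = struct.unpack_from(">HH", body, p + 9)
        p += 13
        key, p = body[p:p + klen], p + klen
        vno = vno8
        if len(body) - p >= 4:             # 32-bit kvno overrides the 8-bit field
            vno = struct.unpack_from(">I", body, p)[0] or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": vno, "enctype": enctype, "key": key})
    return entries

def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples; used only to build the sample."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, timestamp 0
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def spns_from_ldif(text):
    """servicePrincipalName values from ldapsearch LDIF output; folds the
    space-prefixed continuation lines and decodes the base64 ('::') form."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    spns = []
    for line in lines:
        attr, sep, value = line.partition(":")
        if sep and attr.lower() == "serviceprincipalname":
            spns.append(base64.b64decode(value[1:].strip()).decode()
                        if value.startswith(":") else value.strip())
    return spns

def check(spns, keytab_entries, realm):
    """'no-spn-in-ad' is the 'server not found in Kerberos database' case;
    'case-mismatch' and 'no-key-in-keytab' give 'key table entry not found',
    since AD matches SPNs case-insensitively but the MIT keytab lookup is exact."""
    kt_names = {e["principal"] for e in keytab_entries}
    kt_lower = {n.lower() for n in kt_names}
    findings = []
    for spn in spns:
        want = "%s@%s" % (spn, realm)
        if want in kt_names:
            findings.append(("ok", spn))
        elif want.lower() in kt_lower:
            findings.append(("case-mismatch", spn))
        else:
            findings.append(("no-key-in-keytab", spn))
    spn_lower = {s.lower() for s in spns}
    for name in sorted(kt_names):
        svc = name.rsplit("@", 1)[0]
        if svc.lower() not in spn_lower:
            findings.append(("no-spn-in-ad", svc))
    return findings

# Constructed sample: AD has the upper-case HOST/ SPN (as a computer account would)
# and one SPN with no key; the keytab has the lower-case form plus a stale host.
REALM = "EXAMPLE.COM"
SAMPLE_LDIF = ("dn: CN=unixhost01,CN=Users,DC=example,DC=com\n"
               "servicePrincipalName: HOST/unixhost01.example.com\n"
               "servicePrincipalName:: "
               + base64.b64encode(b"host/oldhost.example.com").decode() + "\n")
SAMPLE_KEYTAB = build_keytab([("host/unixhost01.example.com@EXAMPLE.COM", 3, 23, b"\x11" * 16),
                              ("host/decom.example.com@EXAMPLE.COM", 2, 18, b"\x22" * 32)])

def run_sample():
    """Findings for the constructed AD dump and keytab."""
    return check(spns_from_ldif(SAMPLE_LDIF), parse_keytab(SAMPLE_KEYTAB), REALM)
```

Against real data, replace SAMPLE_LDIF with the output of an ldapsearch using Douglas's filter (for example `ldapsearch ... "(serviceprincipalname=host/fqdn)" servicePrincipalName`) and SAMPLE_KEYTAB with the bytes of the host's keytab (`/etc/krb5/krb5.keytab` is the Solaris default). A `case-mismatch` finding is exactly the situation Markus describes: keep one host/fqdn entry in AD and add a second keytab entry with the same key under the HOST/fqdn spelling for clients that request that form.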