Re: second keytab for similar service (but different SPN/IP) breaks
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Wed Jun 3 13:59:05 2009
Message-ID: <4A26B9D1.2070202@anl.gov>
Date: Wed, 03 Jun 2009 12:58:41 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Chris <chriscorbell@gmail.com>
In-Reply-To: <9d01f95a-aefe-4b83-a9e4-ec34602468c4@s28g2000vbp.googlegroups.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Chris wrote:
> This is perhaps a little higher-level problem than Kerberos proper but
> I wanted to at least see if I was taking the correct approach as far
> as Kerberos is concerned.
>
> I have a service - it's a kerberized java webservice with a very
> specific function, and it does GSSAPI validation of client login
> requests, where the clients have obtained tickets to my service. It's
> working fine with either Microsoft AD or Apple Open Directory (MIT
> Kerberos) - basically I create an account for the service, create an
> SPN in the form servicename/ip-address@REALM, and then generate a
> keytab for the SPN which gets configured for JAAS on the service host
> machine.
ip-address? or hostname? Kerberos normally uses hostnames.
>
> What I can't seem to do with this approach is to generate keytabs for
> two service instances in the same realm, e.g. if two different
> departments each want their own deployment of my service. With the
> keytab tools included in both Microsoft AD and Apple Open Directory
> (MIT), just generating an additional keytab for a different SPN (but
> the same directory service account) breaks the authentication of the
> first one.
Use two different directory service accounts, one for each instance.
Follow some pattern for the account name like foo-host.
There is only one password on the account and it is used to generate
the key for all SPNs on the account.
>
> In step-by-step terms:
> - my service is called "fooservice", I create an AD or OD account
> called "fooservice"
> - I add an SPN for fooservice using this name plus the IP address and
> realm, e.g. "fooservice/ip-addr-1@REALM"
> - I generate a keytab for this SPN and add it to fooservice running on
> ip-addr-1; everything is working, clients can authenticate
> - I add another SPN for fooservice because I want to run another
> fooservice on a different machine, "fooservice/ip-addr-2@REALM"
> - I generate a keytab for fooservice/ip-addr-2; fooservice/ip-addr-1
> stops working (can no longer establish its own credentials based on
> keytab, & therefore can't accept client contexts). It seems to be
> actually generating the keytab file - not just adding an additional
> SPN - that does this. However I can at this point use the new keytab
> for the fooservice running on ip-addr-2.
>
> So it seems that with both Active Directory's Kerberos and Open
> Directory's (MIT) Kerberos I cannot have two instances of "fooservice"
> kerberized on different IP addresses against distinct SPNs associated
> with the same service account... but there are numerous examples on
> the web of this being done e.g. with a single "http" account and
> multiple "http/ip-addr..." SPNs for multiple web servers on your
> network.
>
> Am I right in thinking what I'm trying should be possible, and if so
> is there some nuance of generating the keytab that I'm not following
> that causes the first keytab to stop working?
>
> Many thanks.
> - Chris
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
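A check a practitioner can run on the two keytabs, added here as an example and not part of this thread: it parses MIT-format (version 2) keytab files and reports entries whose kvno or key no longer match the account's current key. The realm, principal names and keys are constructed; the scenario models the point made in the reply that an account has one password behind all of its SPNs, so exporting a keytab for the second SPN (which, as assumed here, sets a new password and bumps the kvno) leaves the first keytab holding a stale key.

```python
import hashlib
import struct
def build_keytab(entries):
    """Serialise (realm, components, kvno, enctype, key) tuples as an MIT v2 keytab."""
    out = bytearray(b"\x05\x02")  # keytab file format version 2
    for realm, comps, kvno, enctype, key in entries:
        body = struct.pack(">H", len(comps))
        for raw in map(str.encode, (realm, *comps)):  # realm first, then name components
            body += struct.pack(">H", len(raw)) + raw
        # name_type 1 (KRB5_NT_PRINCIPAL), timestamp 0, 8-bit vno, enctype, key length, key
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # optional 32-bit kvno field
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data):
    """Return one dict (principal, kvno, enctype, keyid) per live keytab entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 2 is supported")
    pos, entries = 2, []
    def take(n):  # consume n bytes from the current position
        nonlocal pos
        pos += n
        return data[pos - n:pos]
    while pos < len(data):
        (size,) = struct.unpack(">i", take(4))
        if size < 0:  # a negative size marks a deleted slot; skip it
            take(-size)
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", take(2))
        strs = [take(struct.unpack(">H", take(2))[0]).decode() for _ in range(ncomp + 1)]
        _, _, vno8, etype, klen = struct.unpack(">IIBHH", take(13))
        keyid = hashlib.sha256(take(klen)).hexdigest()[:12]  # fingerprint, never the key
        vno32 = struct.unpack(">I", take(4))[0] if end - pos >= 4 else 0
        entries.append({"principal": "/".join(strs[1:]) + "@" + strs[0],
                        "kvno": vno32 or vno8, "enctype": etype, "keyid": keyid})
        pos = end
    return entries

def stale_entries(keytab, account_kvno, account_key):
    """Entries whose kvno or key no longer match the account's current key on the KDC."""
    current = hashlib.sha256(account_key).hexdigest()[:12]
    return [e["principal"] for e in parse_keytab(keytab)
            if e["kvno"] != account_kvno or e["keyid"] != current]
# Constructed scenario: one account, one password, two SPNs (enctype 17 = aes128-cts).
KEY_V1 = hashlib.sha256(b"constructed-password-v1").digest()[:16]  # stand-in derived key
KEY_V2 = hashlib.sha256(b"constructed-password-v2").digest()[:16]  # key after the second export
FIRST = build_keytab([("EXAMPLE.COM", ["fooservice", "ip-addr-1"], 1, 17, KEY_V1)])
SECOND = build_keytab([("EXAMPLE.COM", ["fooservice", "ip-addr-2"], 2, 17, KEY_V2)])
```

Against the account's current state (kvno 2, KEY_V2), `stale_entries(FIRST, 2, KEY_V2)` flags the ip-addr-1 entry while the second keytab checks clean; run `parse_keytab` on a real file and compare its kvno with `kvno`/`klist -kt` output to confirm the same mismatch.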