[31225] in Kerberos


Re: second keytab for similar service (but different SPN/IP) breaks

daemon@ATHENA.MIT.EDU (misa416@gmail.com)
Thu Jun 4 12:47:50 2009

From: misa416@gmail.com
Date: Thu, 4 Jun 2009 06:10:55 -0700 (PDT)
Message-ID: <401128fc-934d-4cdd-b3e5-00c1ea0c6a87@b1g2000vbc.googlegroups.com>
To: kerberos@mit.edu

On Jun 3, 1:58 pm, "Douglas E. Engert" <deeng...@anl.gov> wrote:
> Chris wrote:
> > This is perhaps a little higher-level problem than Kerberos proper but
> > I wanted to at least see if I was taking the correct approach as far
> > as Kerberos is concerned.
>
> > I have a service - it's a kerberized java webservice with a very
> > specific function, and it does GSSAPI validation of client login
> > requests, where the clients have obtained tickets to my service.  It's
> > working fine with either Microsoft AD or Apple Open Directory (MIT
> > Kerberos) - basically I create an account for the service, create an
> > SPN in the form servicename/ip-address@REALM, and then generate a
> > keytab for the SPN which gets configured for JAAS on the service host
> > machine.
>
> ip-address? or hostname? Kerberos normally uses hostnames.
>
> > What I can't seem to do with this approach is to generate keytabs for
> > two service instances in the same realm, e.g. if two different
> > departments each want their own deployment of my service.  With the
> > keytab tools included in both Microsoft AD and Apple Open Directory
> > (MIT), just generating an additional keytab for a different SPN (but
> > the same directory service account) breaks the authentication of the
> > first one.
>
> Use two different directory service accounts, one for each instance.
> Follow some pattern for the account name like foo-host.
>
> There is only one password on the account and it is used to generate
> the key for all SPNs on the account.
>
> > In step-by-step terms:
> > - my service is called "fooservice", I create an AD or OD account
> > called "fooservice"
> > - I add an SPN for fooservice using this name plus the IP address and
> > realm, e.g. "fooservice/ip-addr-1@REALM"
> > - I generate a keytab for this SPN and add it to fooservice running on
> > ip-addr-1; everything is working, clients can authenticate
> > - I add another SPN for fooservice because I want to run another
> > fooservice on a different machine, "fooservice/ip-addr-2@REALM"
> > - I generate a keytab for fooservice/ip-addr-2; fooservice/ip-addr-1
> > stops working (can no longer establish its own credentials based on
> > keytab, & therefore can't accept client contexts). It seems to be
> > actually generating the keytab file - not just adding an additional
> > SPN - that does this. However I can at this point use the new keytab
> > for the fooservice running on ip-addr-2.
>
> > So it seems that with both Active Directory's Kerberos and Open
> > Directory's (MIT) Kerberos I cannot have two instances of "fooservice"
> > kerberized on different IP addresses against distinct SPN's associated
> > with the same service account... but there are numerous examples on
> > the web of this being done e.g. with a single "http" account and
> > multiple "http/ip-addr..." SPN's for multiple web servers on your
> > network.
>
> > Am I right in thinking what I'm trying should be possible, and if so
> > is there some nuance of generating the keytab that I'm not following
> > that causes the first keytab to stop working?
>
> > Many thanks.
> > - Chris
> > ________________________________________________
> > Kerberos mailing list           Kerbe...@mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
> --
>
>   Douglas E. Engert  <DEEng...@anl.gov>
>   Argonne National Laboratory
>   9700 South Cass Avenue
>   Argonne, Illinois  60439
>   (630) 252-5444

Chris, you can associate multiple SPNs with a single service account.
Try merging your keytabs:

ktpass -princ fooservice/ip-addr-1@REALM -pass p@ssw0rd -mapuser fooservice -out krb1.keytab
ktpass -princ fooservice/ip-addr-2@REALM -pass p@ssw0rd -mapuser fooservice -in krb1.keytab -out krb2.keytab

Hope this helps.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
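For checking the result of a merge like the one above, here is an added example (not from this thread and not part of ktpass) that parses a version 0x0502 keytab and reports SPN entries of the same service account whose kvnos differ; since one account password generates the key for every SPN on that account, as Douglas notes, the entry with the lower kvno is the stale one. The sample keytab bytes are constructed inside the block, and the realm name REALM and enctype 23 (RC4-HMAC) are assumptions.

```python
import struct
from collections import defaultdict

def read_cstr(buf, off):  # counted octet string: u16 big-endian length, then bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse a version 0x0502 keytab into dicts of principal, kvno and enctype."""
    assert data[:2] == b"\x05\x02", "only version 0x0502 keytabs are handled here"
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        if size < 0:                        # negative size marks a deleted slot
            off += 4 - size
            continue
        end = off + 4 + size
        (ncomp,) = struct.unpack_from(">H", data, off + 4)
        realm, off = read_cstr(data, off + 6)
        comps = []
        for _ in range(ncomp):
            c, off = read_cstr(data, off)
            comps.append(c.decode())
        # name_type(u32), timestamp(u32), 8-bit kvno, then keyblock: enctype(u16), key
        kvno, (enctype,) = data[off + 8], struct.unpack_from(">H", data, off + 9)
        _key, off = read_cstr(data, off + 11)
        if end - off >= 4:                  # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, off)
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype})
    return entries

def kvno_mismatches(entries):
    """SPNs on one account share its password, hence its kvno; a spread means stale entries."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["principal"].split("/")[0]].add(e["kvno"])
    return {svc: sorted(k) for svc, k in seen.items() if len(k) > 1}

def build_entry(princ, realm, kvno, enctype, key):  # encodes constructed test data only
    comps = princ.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm
    body += b"".join(struct.pack(">H", len(c)) + c.encode() for c in comps)
    body += struct.pack(">IIBHH", 1, 1244116255, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample: ip-addr-1 entry predates a password reset (kvno 2), ip-addr-2 was cut after it (kvno 3)
SAMPLE_KEYTAB = (b"\x05\x02" + build_entry("fooservice/ip-addr-1", b"REALM", 2, 23, b"\x11" * 16)
                 + build_entry("fooservice/ip-addr-2", b"REALM", 3, 23, b"\x22" * 16))
```

Run the same check against the output of `klist -k` or the merged krb2.keytab itself; a kvno spread under one service name is the signature of the "first keytab stops working" symptom.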
