[31356] in Kerberos
Re: Kerberos auth against AD, keytabs, and service principal names
daemon@ATHENA.MIT.EDU (Wolfgang)
Tue Aug 11 11:09:47 2009
From: Wolfgang <kiwuff@googlemail.com>
Date: Tue, 11 Aug 2009 07:21:18 -0700 (PDT)
Message-ID: <0da3bfad-db5c-4846-9334-50e57042cc14@o15g2000yqm.googlegroups.com>
To: kerberos@mit.edu
On 20 Jul., 22:46, kerbe...@noopy.org wrote:
> On Mon, Jul 20, 2009 at 4:28 PM, John Jasen<jja...@realityfailure.org> wrote:
> > kerbe...@noopy.org wrote:
>
> >> So this means servicePrincipalName is effectively useless in AD for
> >> non-Windows systems, right -- in particular when you have X number of
> >> principals in a keytab but only the one that matches the UPN will
> >> work?
>
> > No. I asked questions along the same vein a while back. :
>
> > Apparently you should be doing a kinit -S
> > serviceprinciplename/hostname.fqdn (ie: nfs/foo.noopy.org), to get a
> > service ticket for the appropriate service.
>
> Ah ha! So this is the magic test I'd been misunderstanding.
>
> So now I can do the following and everything works in the way I'd hope:
>
> kinit -k -t /some/keytab princ/host.fqdn@REALM
> kinit -S otherprinc/host.fqdn@REALM myprinc@REALM
>
> Thanks everyone!
>
> (And yes, I agree that ktpass.exe isn't the right tool for this job.
> msktutil would seem to work nicely in an environment where one has
> admin access to AD.)
>
> --
> Nathan Patwardhan
> "There should be a dating service for unusual-in-a-good-way people."
> ~~ Anne Kadet -http://www.noopy.org/quotes/q.cgi?tag=annedating
There is another way to create the keytabs that I prefer:
Using ktutil (on Linux):

ktutil
ktutil: addent -password -p HTTP/host.fqdn@MY.REALM -k <key_version_number> -e arcfour-hmac-md5
Password for HTTP/host.fqdn@MY.REALM:
ktutil: addent -password -p HTTP/host.fqdn@MY.REALM -k <key_version_number> -e des-cbc-md5
Password for HTTP/host.fqdn@MY.REALM:
ktutil: wkt host.fqdn.keytab
ktutil: quit
klist -k -t host.fqdn.keytab shows the following:

Keytab name: FILE:host.fqdn.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 08/11/09 16:14:57 HTTP/host.fqdn@MY.REALM
   2 08/11/09 16:14:57 HTTP/host.fqdn@MY.REALM
Of course, you have to set the ServicePrincipalName and
UserPrincipalName, too. I use adsiedit.msc for this; there you can
also get the right key version number for this principal.
This way, you don't need to copy files around, don't have to worry
about the key version numbers, and you can put more Principals in one
keytab.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
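The ktutil recipe above writes a keytab containing one entry per enctype, and klist -k -t then reads the file back. The following is an added example, not code from this thread or from MIT Kerberos: it serialises and parses the MIT keytab file format (version 0x0502), renders the entries the way klist -k -t lists them, and flags entries whose enctype is deprecated, which is the check a defender wants to run over a keytab built this way, since both arcfour-hmac-md5 (RC4, RFC 8429) and des-cbc-md5 (DES, RFC 6649) are deprecated. The keytab bytes, the timestamp and the all-zero or counting dummy keys are constructed here so the script runs offline; the principal name HTTP/host.fqdn@MY.REALM is the placeholder used in the post.

```python
"""Build, parse and audit an MIT-format Kerberos keytab (version 0x0502).

Added example, not code from the mailing-list thread. The sample keytab
below is constructed inline with dummy keys; no real credentials appear.
"""
import struct
import time
from dataclasses import dataclass

# Enctype numbers from RFC 3961 (DES), RFC 4757 (RC4) and RFC 3962 (AES).
ENCTYPE_NAMES = {
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}
# des-cbc-crc, des-cbc-md4, des-cbc-md5 (RFC 6649) and rc4-hmac,
# rc4-hmac-exp (RFC 8429) are deprecated for Kerberos.
WEAK_ENCTYPES = {1, 2, 3, 23, 24}
KRB5_NT_PRINCIPAL = 1


@dataclass
class KeytabEntry:
    principal: str   # "comp1/comp2@REALM"
    kvno: int
    enctype: int
    timestamp: int   # seconds since the epoch, as stored in the file
    key: bytes

    @property
    def enctype_name(self) -> str:
        return ENCTYPE_NAMES.get(self.enctype, f"etype {self.enctype}")


def _counted(b: bytes) -> bytes:
    """16-bit big-endian length prefix + bytes (keytab counted octet string)."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries) -> bytes:
    """Serialise entries as a v2 keytab, the layout `ktutil: wkt` produces."""
    out = bytearray(b"\x05\x02")                      # format version 0x0502
    for e in entries:
        name, realm = e.principal.split("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))          # v2: realm not counted
        body += _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)             # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body    # negative size = free slot
    return bytes(out)


def parse_keytab(data: bytes):
    """Parse a v2 keytab into KeytabEntry objects, skipping deleted slots."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    pos, entries = 2, []

    def read_counted() -> str:
        nonlocal pos
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2
        s = data[pos:pos + n]
        pos += n
        return s.decode()

    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                                  # deleted entry: skip it
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = read_counted()
        comps = [read_counted() for _ in range(ncomp)]
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                            # optional 32-bit kvno
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32                          # overrides the 8-bit vno
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, timestamp, key))
    return entries


def format_listing(entries) -> str:
    """Render entries like `klist -k -t` (UTC here; klist prints local time)."""
    lines = ["KVNO Timestamp         Principal"]
    for e in entries:
        ts = time.strftime("%m/%d/%y %H:%M:%S", time.gmtime(e.timestamp))
        lines.append(f"{e.kvno:4d} {ts} {e.principal} ({e.enctype_name})")
    return "\n".join(lines)


def weak_entries(entries):
    """Entries whose enctype is deprecated and should be replaced by AES."""
    return [e for e in entries if e.enctype in WEAK_ENCTYPES]


# Constructed sample: the two enctypes from the post plus an AES entry.
# DUMMY keys are placeholders, not real Kerberos keys.
SAMPLE_TS = 1249999999
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry("HTTP/host.fqdn@MY.REALM", 2, 23, SAMPLE_TS, bytes(range(16))),
    KeytabEntry("HTTP/host.fqdn@MY.REALM", 2, 3, SAMPLE_TS, bytes(range(8))),
    KeytabEntry("HTTP/host.fqdn@MY.REALM", 2, 18, SAMPLE_TS, bytes(32)),
])

if __name__ == "__main__":
    found = parse_keytab(SAMPLE_KEYTAB)
    print(format_listing(found))
    for e in weak_entries(found):
        print(f"WARNING: deprecated enctype {e.enctype_name} for {e.principal}")
```

Pointing parse_keytab at the bytes of a real host.fqdn.keytab gives the same listing as klist -k -t, with the enctype shown alongside each entry; any entry reported by weak_entries is one the ktutil session above should be recreated with an AES enctype instead, once the AD account's msDS-SupportedEncryptionTypes allows it.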