To: kerberos@mit.edu
From: "Markus Moeller" <huaraz@moeller.plus.com>
Date: Sat, 29 Aug 2009 13:24:16 +0100
Message-ID: <h7b6mf$106$1@ger.gmane.org>
Mime-Version: 1.0
X-Complaints-To: usenet@ger.gmane.org
In-Reply-To: <h7b5a5$tb0$1@ger.gmane.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Is it possible that Windows 2008 is mapping HTTP principals to host principals?

With two AD entries created by msktutil for host/fqdn and HTTP/fqdn my apache/squid module created an error "Decrypt integrity check failed" and a kinit -kt /etc/HTTP.keytab HTTP/fqdn fails, whereas kinit -kt /etc/host.keytab host/fqdn works.

When I remove the AD entry which msktutil created for HTTP/fqdn and leave the AD entry for host/fqdn I still got an answer for kvno HTTP/fqdn.

Now I used ktutil to create a HTTP keytab:

# ktutil
ktutil: addent -key -p HTTP/centos.dom.local@DOM.LOCAL -k 2 -e aes256-cts-hmac-sha1-96
Key for HTTP/centos.dom.local@DOM.LOCAL (hex): 3fab515ac867e26a6f388707f282824ee3b50310cbbb9b625273dfe21aed5c03
ktutil: wkt /etc/HTTP.keytab
ktutil: quit

I can use the HTTP.keytab with kinit and I can also use it now for apache/squid.

It looks like when IE requests a HTTP/fqdn ticket 2008 converts it into a request for host/fqdn and ignores entries with a serviceprincipal set to HTTP/fqdn. Can anybody confirm that? Or what do I do wrong?

Thank you
Markus

"Markus Moeller" <huaraz@moeller.plus.com> wrote in message news:h7b5a5$tb0$1@ger.gmane.org...
> I was too quick. I get it to work with host/fqdn (e.g. kinit -kt
> /etc/krb5.keytab host/centos.dom.local) but not with HTTP/fqdn. I use
> AES-256 CTS mode with 96-bit SHA-1 HMAC.
>
> klist -ekt /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    3 08/29/09 20:54:49 host/centos.dom.local@DOM.LOCAL (ArcFour with HMAC/md5)
>    3 08/29/09 20:54:49 host/centos.dom.local@DOM.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    3 08/29/09 20:54:49 host/centos.dom.local@DOM.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>
> klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: host/centos.dom.local@DOM.LOCAL
>
> Valid starting     Expires            Service principal
> 08/29/09 21:48:32  08/30/09 07:47:42  krbtgt/DOM.LOCAL@DOM.LOCAL
>         renew until 08/30/09 21:48:32, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
>
>
> klist -ekt /etc/HTTP.keytab
> Keytab name: FILE:/opt/squid-3.0/etc/HTTP.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    2 08/29/09 21:39:35 HTTP/centos.dom.local@DOM.LOCAL (ArcFour with HMAC/md5)
>    2 08/29/09 21:39:35 HTTP/centos.dom.local@DOM.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    2 08/29/09 21:39:35 HTTP/centos.dom.local@DOM.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>
> kinit -kt /etc/HTTP.keytab HTTP/centos.dom.local
> kinit(v5): Preauthentication failed while getting initial credentials
>
> Markus
>
> "Markus Moeller" <huaraz@moeller.plus.com> wrote in message
> news:CF5A795E7B16440FA314ED54D5645C0B@VAIOLaptop...
>> Wolf-Agathon,
>>
>> I did export the keytab, but I found out the Hotfix 951191 was not
>> installed on the 2008 DC.
>>
>> Markus
>>
>> ----- Original Message -----
>> From: "Wolf-Agathon Schaly" <schaly_wolf-agathon@arcor.de>
>> To: <huaraz@moeller.plus.com>; <kerberos@mit.edu>
>> Sent: Saturday, August 29, 2009 11:27 AM
>> Subject: **SPAM ZEN 91.53.127.108** Re: msktutil problem with Windows 2008
>>
>>> Howdy Markus
>>>
>>> Sounds to me that you're trying to use a keytab without exporting the key
>>> to your keytab file test.keytab
>>>
>>> am I right ?
>>>
>>> cheers
>>> Wolf-Agathon
>>>
>>> ----- Original Message ----
>>> From: Markus Moeller <huaraz@moeller.plus.com>
>>> To: kerberos@mit.edu
>>> Date: 29.08.2009 00:07
>>> Subject: msktutil problem with Windows 2008
>>>
>>>> I use the latest msktutil (0.3.16-7) and can add an entry to Windows 2008,
>>>> but when I run kinit -kt test.keytab HTTP/fqdn I get
>>>> KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. Is there a setting in 2008 which needs to
>>>> be changed ?
>>>>
>>>> Thank you
>>>> Markus
>>>>
>>>> ________________________________________________
>>>> Kerberos mailing list Kerberos@mit.edu
>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
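An added check, not code from the thread: it parses the `klist -ekt` layout quoted above and compares each principal's KVNO with what `kvno` reports, since a keytab whose key or version no longer matches the KDC's copy is the usual cause of the "Preauthentication failed" and "Decrypt integrity check failed" errors seen here. The klist and kvno text is constructed sample input; `kinit_each` is a hypothetical helper that needs a live KDC and is not exercised by the sample.

```shell
# Added example (not from the thread): compare the KVNO recorded in a keytab
# with the KVNO the KDC reports, then (live only) try kinit per principal.

# Constructed sample in the layout `klist -ekt` prints (as quoted in the thread).
SAMPLE_KLIST='Keytab name: FILE:/etc/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 08/29/09 21:39:35 HTTP/centos.dom.local@DOM.LOCAL (ArcFour with HMAC/md5)
   2 08/29/09 21:39:35 HTTP/centos.dom.local@DOM.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 08/29/09 21:39:35 HTTP/centos.dom.local@DOM.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)'
# Constructed `kvno` output for the case where the KDC holds a newer key (kvno 3).
SAMPLE_KVNO='HTTP/centos.dom.local@DOM.LOCAL: kvno = 3'

# stdin: klist -ekt text. stdout: "principal kvno", one line per distinct pair
# (the three enctype entries of one principal collapse into a single line).
keytab_kvnos() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 4 { print $4, $1 }' | sort -u
}

# stdin: kvno(1) lines of the form "principal: kvno = N". stdout: "principal N".
kdc_kvnos() {
    awk -F': kvno = ' 'NF == 2 { print $1, $2 }'
}

# $1: klist -ekt text, $2: kvno output. Prints one line per principal whose
# keytab KVNO differs from the KDC's; prints nothing when everything agrees.
kvno_mismatches() {
    kdc=$(printf '%s\n' "$2" | kdc_kvnos)
    printf '%s\n' "$1" | keytab_kvnos | while read -r princ ver; do
        kdc_ver=$(printf '%s\n' "$kdc" | awk -v p="$princ" '$1 == p { print $2 }')
        if [ -n "$kdc_ver" ] && [ "$kdc_ver" != "$ver" ]; then
            printf '%s keytab=%s kdc=%s\n' "$princ" "$ver" "$kdc_ver"
        fi
    done
}

# Live check against a real KDC (hypothetical helper, not run on the sample):
# kinit with every principal in keytab $1 into a throwaway cache, which is
# what the thread does by hand, and report which ones fail.
kinit_each() {
    cache="FILE:/tmp/ktcheck.$$"
    klist -ekt "$1" | keytab_kvnos | while read -r princ ver; do
        if KRB5CCNAME="$cache" kinit -kt "$1" "$princ" 2>/dev/null; then
            echo "OK   $princ (keytab kvno $ver)"
        else
            echo "FAIL $princ (keytab kvno $ver)"
        fi
    done
    KRB5CCNAME="$cache" kdestroy 2>/dev/null
}
```

When the keytab and KDC disagree, the fix is to re-export the keytab (or reset the account's key) rather than to hand-edit the KVNO.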