[31755] in Kerberos
Re: ktpass troubles
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Thu Dec 10 14:27:21 2009
Message-ID: <4B214B77.1050808@anl.gov>
Date: Thu, 10 Dec 2009 13:26:47 -0600
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Vitaly Tskhovrebov <Vitaly.Tskhovrebov@exigenservices.com>
In-Reply-To: <B6C4EB6BB2F4654C835D1F7319E4E6742B7DBE456D@SPBEX03.internal.corp>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Vitaly Tskhovrebov wrote:
> Hi.
>
> I'm trying to use krb authentication on a Linux box with Apache.
>
> I've done the following on W2K3 PDC:
>
> ktpass -princ host/web.company.ru@COMPANY.RU -pass qwerty -mapuser
> D\web_http -out host.keytab -ptype KRB5_NT_SRV_HST -kvno 1
>
> Successfully mapped host/web.company.ru@COMPANY.RU to web_http.
>
> WARNING: pType and account type do not match. This might cause problems.
>
> Key created.
>
> Output keytab to host.keytab:
>
> Keytab version: 0x502
>
> keysize 75 host/web.company.ru ptype 3 (KRB5_NT_SRV_HST) vno 1
> etype 0x17 (RC4-HMAC) keylength 16 (0xeddf60686996d8ba2d81cfd15da42bd3)
>
> the same for
>
> ktpass -princ HTTP/web.company.ru@COMPANY.RU -pass qwerty -mapuser
> D\web_http -out http.keytab -kvno 1
>
You may have updated the msDS-keyVersionNumber in the DC.
Use ldap or some MS tool like ADSI-edit to look for this attribute
on the web_http account.
Also look at the userPrincipalName, ServicePrincipalName and
sAMAccountName attributes too.
>
> and then
>
> setspn.exe -A HTTP/web.company.ru web
Should this be web_http? Did it work?
You should also consider using two separate accounts and two separate
keytab files, one for host/... and one for HTTP/... Each would
then have its own key.
>
> after that I made several steps on the Linux box making a keytab for Apache, and
> trying to test:
>
> ktutil: read_kt host.keytab
> ktutil: read_kt http.keytab
> ktutil: list
> slot KVNO Principal
> ---- ---- ------------------------------------
>    1    1 host/web.company.ru@COMPANY.RU
>    2    1 HTTP/web.company.ru@COMPANY.RU
> ktutil: write_kt apache.keytab
>
> kinit -t apache.keytab -k HTTP/web.company.ru@COMPANY.RU
>
> # IT'S OK!
>
> kinit -t apache.keytab -k host/web.company.ru@COMPANY.RU
>
> kinit(v5): Client not found in Kerberos database while getting initial
> credentials
>
> Ethereal reported krb5kdc_err_s_principal_unknown.
>
> Where am I wrong?
>
> --
>
> Vitaly.
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
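The keytab layout this thread is looking at (version 0x502 files with a kvno and an etype per entry, merged with ktutil) and the two checks Douglas points at, whether the host/ and HTTP/ entries really carry separate keys and whether the keytab kvno agrees with what the DC holds in msDS-keyVersionNumber, as an added Python example. This is not code from either poster. The keytab bytes, the key material and the expected-kvno map are constructed stand-ins; in practice the bytes come from the file ktutil wrote and the expected kvno from the account attribute read over LDAP or with ADSI Edit.

```python
"""Parse and audit an MIT-format keytab (version 0x502).

Added example for the ktpass/ktutil thread above, not code from either poster.
It rebuilds in memory the situation described (host/ and HTTP/ principals that
ktpass wrote with the same -pass into the same account, then merged) and flags
entries with byte-identical keys and entries whose kvno disagrees with the DC.
"""
import struct
from collections import defaultdict

KEYTAB_VERSION = 0x0502
ETYPE_NAMES = {0x17: "RC4-HMAC", 0x11: "AES128-CTS-HMAC-SHA1-96", 0x12: "AES256-CTS-HMAC-SHA1-96"}


def _counted(b: bytes) -> bytes:
    """16-bit big-endian length prefix, used for realm, components and key."""
    return struct.pack(">H", len(b)) + b


def build_entry(principal, realm, name_type, kvno, etype, key, timestamp=0):
    """Serialize one entry: int32 size, uint16 ncomp, realm, components,
    uint32 name_type, uint32 timestamp, uint8 vno, uint16 etype, key, uint32 vno."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">H", etype) + _counted(key)
    body += struct.pack(">I", kvno)  # 32-bit vno extension written by newer MIT tools
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    return struct.pack(">H", KEYTAB_VERSION) + b"".join(build_entry(*e) for e in entries)


def parse_keytab(data):
    """Return one dict per entry: roughly what `ktutil: list` shows, plus the key."""
    (version,) = struct.unpack(">H", data[:2])
    if version != KEYTAB_VERSION:
        raise ValueError(f"unsupported keytab version 0x{version:x}")
    pos, entries = 2, []

    def take():  # read one counted field at pos
        nonlocal pos
        (n,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        v = data[pos:pos + n]
        pos += n
        return v

    while pos < len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size == 0:
            raise ValueError("corrupt keytab: zero-length entry")
        if size < 0:  # negative size marks a deleted entry occupying |size| bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        realm = take().decode()
        comps = [take().decode() for _ in range(ncomp)]
        name_type, _timestamp, vno = struct.unpack(">IIB", data[pos:pos + 9])
        pos += 9
        (etype,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        key = take()
        if end - pos >= 4:  # optional 32-bit vno overrides the 8-bit one when non-zero
            (vno32,) = struct.unpack(">I", data[pos:pos + 4])
            if vno32:
                vno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "kvno": vno, "etype": etype, "key": key})
    return entries


def list_entries(entries):
    """Rows in the shape of `ktutil: list`, with the enctype appended."""
    return [f"{i:4d} {e['kvno']:4d} {e['principal']} etype 0x{e['etype']:x} ({ETYPE_NAMES.get(e['etype'], '?')})"
            for i, e in enumerate(entries, 1)]


def shared_keys(entries):
    """Groups of principals whose keys are byte-identical. An RC4-HMAC key is
    derived from the password alone (no salt), so two SPNs that ktpass mapped
    with the same -pass onto one account share a key: leaking either service's
    keytab exposes both, which is why one account per service is advised."""
    by_key = defaultdict(list)
    for e in entries:
        by_key[(e["etype"], e["key"])].append(e["principal"])
    return [sorted(p) for p in by_key.values() if len(p) > 1]


def kvno_mismatches(entries, expected):
    """(principal, keytab kvno, DC kvno) for entries that disagree with `expected`,
    a principal -> msDS-keyVersionNumber map read from the account (stand-in here)."""
    return [(e["principal"], e["kvno"], expected[e["principal"]])
            for e in entries if e["principal"] in expected and e["kvno"] != expected[e["principal"]]]


# Constructed sample: one AD account, one password, two SPNs, so identical RC4 keys.
SAMPLE_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef")  # constructed, not a real key
SAMPLE_KEYTAB = build_keytab([
    ("host/web.company.ru", "COMPANY.RU", 3, 1, 0x17, SAMPLE_KEY),  # KRB5_NT_SRV_HST
    ("HTTP/web.company.ru", "COMPANY.RU", 1, 1, 0x17, SAMPLE_KEY),  # KRB5_NT_PRINCIPAL, ktpass default
])

if __name__ == "__main__":
    ents = parse_keytab(SAMPLE_KEYTAB)
    print("\n".join(list_entries(ents)))
    for group in shared_keys(ents):
        print("same key material:", ", ".join(group))
    # {principal: kvno} stands in for msDS-keyVersionNumber read via LDAP / ADSI Edit
    for principal, have, want in kvno_mismatches(ents, {"host/web.company.ru@COMPANY.RU": 2}):
        print(f"kvno mismatch for {principal}: keytab has {have}, DC reports {want}")
```

Run against a real apache.keytab by replacing SAMPLE_KEYTAB with the file's bytes; a non-empty result from shared_keys means both SPNs sit on one account with one key, and a kvno mismatch means a later ktpass run (or a password reset) bumped msDS-keyVersionNumber after the keytab was written, so the KDC will issue tickets the keytab cannot decrypt.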