[31757] in Kerberos
Re: ktpass troubles
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Fri Dec 11 09:58:45 2009
Message-ID: <4B225DF4.2000306@anl.gov>
Date: Fri, 11 Dec 2009 08:57:56 -0600
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Vitaly Tskhovrebov <Vitaly.Tskhovrebov@exigenservices.com>
In-Reply-To: <B6C4EB6BB2F4654C835D1F7319E4E6742B7DBE4705@SPBEX03.internal.corp>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Vitaly Tskhovrebov wrote:
> It works now. Dunno what was wrong.
> I just came to work on the morning.
AD takes its time replicating the entries; that could
be the issue, as you might be looking at different DCs
that have not been updated. So when you are updating
computer accounts and using ktpass you may have to wait a bit.
We don't use ktpass but msktutil instead:
http://download.systemimager.org/~finley/msktutil/
(If you use this and the service name is not lowercase,
use the --computer-name option rather than letting it
derive the name.)
>
> --
> Vitaly.
>
> -----Original Message-----
> From: Douglas E. Engert [mailto:deengert@anl.gov]
> Sent: Thursday, December 10, 2009 10:27 PM
> To: Vitaly Tskhovrebov
> Cc: kerberos@mit.edu
> Subject: Re: ktpass troubles
>
> Vitaly Tskhovrebov wrote:
>> Hi.
>>
>> I'm trying to use krb authentication on a linux box with apache.
>>
>> I've done the following on W2K3 PDC:
>>
>> ktpass -princ host/web.company.ru@COMPANY.RU -pass qwerty -mapuser
>> D\web_http -out host.keytab -ptype KRB5_NT_SRV_HST -kvno 1
>>
>> Successfully mapped host/web.company.ru@COMPANY.RU to web_http.
>> WARNING: pType and account type do not match. This might cause problems.
>> Key created.
>> Output keytab to host.keytab:
>> Keytab version: 0x502
>> keysize 75 host/web.company.ru ptype 3 (KRB5_NT_SRV_HST) vno 1 etype 0x17 (RC4-HMAC) keylength 16 (0xeddf60686996d8ba2d81cfd15da42bd3)
>>
>> the same for
>>
>> ktpass -princ HTTP/web.company.ru@COMPANY.RU -pass qwerty -mapuser
>> D\web_http -out http.keytab -kvno 1
>>
>
> You may have updated the msDS-keyVersionNumber in the DC.
> Use ldap or some MS tool like ADSI-edit to look for this attribute
> on the web_http account.
> Also look at the userPrincipalName, ServicePrincipalName and
> sAMAccountName attributes too.
>
>> and then
>>
>> setspn.exe -A HTTP/web.company.ru web
>
> Should this be web_http? Did it work?
>
> You should also consider using two separate accounts and two separate
> keytab files, one for host/... and one for HTTP/... Each would
> then have its own key.
>
>
>>
>> after that I made several steps on a linux box making a keytab for apache,
>> and trying to test:
>>
>> ktutil: read_kt host.keytab
>> ktutil: read_kt http.keytab
>> ktutil: list
>> slot KVNO Principal
>> ---- ---- ------------------------------------
>>    1    1 host/web.company.ru@COMPANY.RU
>>    2    1 HTTP/web.company.ru@COMPANY.RU
>> ktutil: write_kt apache.keytab
>>
>> kinit -t apache.keytab -k HTTP/web.company.ru@COMPANY.RU
>> # IT'S OK!
>>
>> kinit -t apache.keytab -k host/web.company.ru@COMPANY.RU
>> kinit(v5): Client not found in Kerberos database while getting initial
>> credentials
>>
>> Ethereal reported krb5kdc_err_s_principal_unknown.
>>
>> Where am I wrong?
>>
>> --
>> Vitaly.
>>
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
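An added example, not from this thread nor from ktpass or msktutil: a Python parser for the 0x502 keytab format named in the ktpass output above. It lists what `ktutil: list` shows (plus enctype and key bytes) and flags principals whose key bytes are identical, which is what you get when host/ and HTTP/ are both -mapuser'd to one account with one password, the situation the two-accounts, two-keytabs advice avoids. The principal names are from the thread; the key bytes and the extra HTTP/other.company.ru principal are constructed placeholders.

```python
import struct
KEYTAB_MAGIC = 0x0502  # the "Keytab version: 0x502" that ktpass prints

def build_keytab(entries):
    # Serialize (principal, kvno, etype, key) tuples as a v0x502 keytab (sample builder only).
    out = struct.pack(">H", KEYTAB_MAGIC)
    for principal, kvno, etype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:          # realm first, then each name component
            body += struct.pack(">H", len(s)) + s.encode()
        name_type = 3 if comps[0] == "host" else 1   # KRB5_NT_SRV_HST vs KRB5_NT_PRINCIPAL
        body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)   # name type, timestamp, vno8
        body += struct.pack(">HH", etype, len(key)) + key         # keyblock
        body += struct.pack(">I", kvno)                            # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    # Walk the entries and return what `ktutil: list` shows, plus etype and key bytes.
    if struct.unpack_from(">H", data, 0)[0] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0: pos += -size; continue          # negative size marks a deleted slot
        end = pos + size; (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        strs = []
        for _ in range(ncomp + 1):
            (ln,) = struct.unpack_from(">H", data, pos); pos += 2
            strs.append(data[pos:pos + ln].decode()); pos += ln
        name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos); key = data[pos + 4:pos + 4 + klen]; pos += 4 + klen
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(strs[1:]) + "@" + strs[0], "kvno": kvno,
                        "name_type": name_type, "etype": etype, "key": key})
        pos = end
    return entries

def shared_keys(entries):
    # Identical key bytes mean one account password behind several principals (one -mapuser target).
    by_key = {}
    for e in entries:
        by_key.setdefault((e["etype"], e["key"]), []).append(e["principal"])
    return sorted(sorted(p) for p in by_key.values() if len(p) > 1)

# Constructed sample: host/ and HTTP/ share one account (same key); keys are placeholders.
SAMPLE_KEYTAB = build_keytab([("host/web.company.ru@COMPANY.RU", 1, 0x17, bytes(range(16))),
    ("HTTP/web.company.ru@COMPANY.RU", 1, 0x17, bytes(range(16))),
    ("HTTP/other.company.ru@COMPANY.RU", 2, 0x17, bytes(range(16, 32)))])
```

Run `parse_keytab(open("apache.keytab", "rb").read())` on a merged keytab and `shared_keys` on the result to see whether several service principals ride on one account's key.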
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos