[38803] in Kerberos
Re: Issues getting Kerberos to work with realmd and Active Directory
daemon@ATHENA.MIT.EDU (William MacAllister)
Thu Jul 30 13:45:44 2020
In-Reply-To: <CY1P110MB0456536BEFEE4C025B3FD469FA710@CY1P110MB0456.NAMP110.PROD.OUTLOOK.COM>
From: William MacAllister <whm@dropbox.com>
Date: Thu, 30 Jul 2020 10:42:33 -0700
Message-ID: <CAH2H+SWg8yNrrw53rFqgRQfB7tTgxeCt6-2iddHR+=_424_gPQ@mail.gmail.com>
To: Wesley Taylor <wesley.taylor@numerica.us>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
On Thu, Jul 30, 2020 at 10:07 AM Wesley Taylor <wesley.taylor@numerica.us>
wrote:
> Hi All,
>
> I am trying to get HTCondor with Kerberos authentication (
> https://htcondor.readthedocs.io/en/stable/admin-manual/security.html?highlight=Kerberos#kerberos-authentication)
> to work on some linux machines I have which I joined to Windows Active
> Directory with realmd.
Working with AD as a KDC can be challenging. Problems that I frequently
have to deal with are caused by the fact that AD does not use the principal
name to identify the LDAP entries that define the principal. We use Russ
Allbery's wallet to create keytabs, which uses msktutil and LDAP to interact
with AD. Wallet creates a unique 20-character string that is used as the
CN in the distinguished name of the entry holding the principal. The actual
principal name is stored in the LDAP attributes userPrincipalName and
servicePrincipalName. When I encounter problems with the
CN-to-principal-name mapping I examine the KDC entry using ldapsearch. For
example:
$ ldapsearch -Q -LLL -h ad-server -b ou=keytabs,dc=domain,dc=com \
    'cn=*keddie*' userPrincipalName servicePrincipalName dNSHostName
dn: CN=keddie.domain.co000,OU=keytabs,OU=DROPBOX,DC=dropbox,DC=internal
dNSHostName: keddie.domain.com
userPrincipalName: host/keddie.domain.com@DROPBOX.INTERNAL
servicePrincipalName: host/keddie.domain.com
If you can access AD with ldapsearch you should be able to determine the
correct principal name to use.
A very common command phrasing we use in bash scripts on linux systems is:
k5start -f /etc/krb5.keytab host/$(hostname -f) -- <some command>
A specific example is:
k5start -f /etc/krb5.keytab host/$(hostname -f) -- ldapwhoami -h openldap-server
Bill
--
Bill MacAllister
Corp SRE, Dropbox
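The check Bill describes (read the AD object's userPrincipalName and servicePrincipalName, then confirm they agree with what the host keytab actually holds) can be scripted. The following is an added example and not code from the original post or from wallet/msktutil; the LDIF and `klist -k` output embedded in it are constructed sample data in the shape those tools print, and the `keytab_mismatches` function, the REALM value and the second HTTP/ SPN are assumptions for illustration. The object is looked up by dNSHostName rather than by CN, because in AD the CN is an arbitrary string and is not the principal name.

```python
"""Compare the principals AD records for a host with the principals in its
keytab.  Added example; SAMPLE_LDIF and SAMPLE_KLIST are constructed data."""
import base64
import re

# Constructed sample in the shape of:
#   ldapsearch -Q -LLL ... userPrincipalName servicePrincipalName dNSHostName
SAMPLE_LDIF = """\
dn: CN=keddie.domain.co000,OU=keytabs,OU=DROPBOX,DC=dropbox,DC=internal
dNSHostName: keddie.domain.com
userPrincipalName: host/keddie.domain.com@DROPBOX.INTERNAL
servicePrincipalName: host/keddie.domain.com
servicePrincipalName: HTTP/keddie.domain.com

"""

# Constructed sample in the shape of `klist -k /etc/krb5.keytab`
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/keddie.domain.com@DROPBOX.INTERNAL
   3 host/keddie.domain.com@DROPBOX.INTERNAL
   2 host/keddie.domain.com@DROPBOX.INTERNAL
"""

REALM = "DROPBOX.INTERNAL"  # assumed realm for the example


def parse_ldif(text):
    """Parse LDIF as printed by `ldapsearch -LLL` into a list of dicts
    (attribute -> list of values).  Handles folded continuation lines,
    base64 ('attr:: ...') values and blank-line entry separators."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of previous line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def expected_principals(entry, realm):
    """Principals AD says the object answers to.  servicePrincipalName is
    stored without a realm, so the realm is appended here."""
    realm = realm.upper()
    wanted = set()
    for upn in entry.get("userPrincipalName", []):
        wanted.add(upn if "@" in upn else f"{upn}@{realm}")
    for spn in entry.get("servicePrincipalName", []):
        wanted.add(f"{spn}@{realm}")
    return wanted


def parse_klist(text):
    """Set of principals listed by `klist -k`, with KVNO duplicates collapsed."""
    found = set()
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(\S+@\S+)\s*$", line)
        if m:
            found.add(m.group(2))
    return found


def keytab_mismatches(ldif_text, klist_text, realm, hostname):
    """Find the AD object for `hostname` by dNSHostName (never by CN) and
    report principals AD expects but the keytab lacks, and vice versa."""
    target = None
    for entry in parse_ldif(ldif_text):
        names = [h.lower() for h in entry.get("dNSHostName", [])]
        if hostname.lower() in names:
            target = entry
            break
    if target is None:
        raise LookupError(f"no AD object with dNSHostName {hostname}")
    wanted = expected_principals(target, realm)
    have = parse_klist(klist_text)
    return {"missing_from_keytab": sorted(wanted - have),
            "unknown_to_ad": sorted(have - wanted)}


if __name__ == "__main__":
    print(keytab_mismatches(SAMPLE_LDIF, SAMPLE_KLIST, REALM, "keddie.domain.com"))
```

On a real host the two sample strings would be replaced by the captured output of the ldapsearch command above and of `klist -k /etc/krb5.keytab`; a non-empty `missing_from_keytab` list is the symptom Bill describes, where the keytab was cut for a principal name other than the one AD stored on the object.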
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos