second keytab for similar service (but different SPN/IP) breaks the first

misa416@gmail.com misa416 at gmail.com
Thu Jun 4 09:10:55 EDT 2009


On Jun 3, 1:58 pm, "Douglas E. Engert" <deeng... at anl.gov> wrote:
> Chris wrote:
> > This is perhaps a little higher-level problem than Kerberos proper but
> > I wanted to at least see if I was taking the correct approach as far
> > as Kerberos is concerned.
>
> > I have a service - it's a kerberized java webservice with a very
> > specific function, and it does GSSAPI validation of client login
> > requests, where the clients have obtained tickets to my service.  It's
> > working fine with either Microsoft AD or Apple Open Directory (MIT
> > Kerberos) - basically I create an account for the service, create an
> > SPN in the form servicename/ip-address at REALM, and then generate a
> > keytab for the SPN which gets configured for JAAS on the service host
> > machine.
>
> ip-address? or hostname? Kerberos normally uses hostnames.
>
> > What I can't seem to do with this approach is to generate keytabs for
> > two service instances in the same realm, e.g. if two different
> > departments each want their own deployment of my service.  With the
> > keytab tools included in both Microsoft AD and Apple Open Directory
> > (MIT), just generating an additional keytab for a different SPN (but
> > the same directory service account) breaks the authentication of the
> > first one.
>
> Use two different directory service accounts, one for each instance.
> Follow some pattern for the account name like foo-host.
>
> There is only one password on the account and it is used to generate
> the key for all SPNs on the account.
>
>
> > In step-by-step terms:
> > - my service is called "fooservice", I create an AD or OD account
> > called "fooservice"
> > - I add an SPN for fooservice using this name plus the IP address and
> > realm, e.g. "fooservice/ip-addr-1 at REALM"
> > - I generate a keytab for this SPN and add it to fooservice running on
> > ip-addr-1; everything is working, clients can authenticate
> > - I add another SPN for fooservice because I want to run another
> > fooservice on a different machine, "fooservice/ip-addr-2 at REALM"
> > - I generate a keytab for fooservice/ip-addr-2; fooservice/ip-addr-1
> > stops working (can no longer establish its own credentials based on
> > keytab, & therefore can't accept client contexts). It seems to be
> > actually generating the keytab file - not just adding an additional
> > SPN - that does this. However I can at this point use the new keytab
> > for the fooservice running on ip-addr-2.
>
> > So it seems that with both Active Directory's Kerberos and Open
> > Directory's (MIT) Kerberos I cannot have two instances of "fooservice"
> > kerberized on different IP addresses against distinct SPN's associated
> > with the same service account... but there are numerous examples on
> > the web of this being done e.g. with a single "http" account and
> > multiple "http/ip-addr..." SPN's for multiple web servers on your
> > network.
>
> > Am I right in thinking what I'm trying should be possible, and if so
> > is there some nuance of generating the keytab that I'm not following
> > that causes the first keytab to stop working?
>
> > Many thanks.
> > - Chris
> > ________________________________________________
> > Kerberos mailing list           Kerbe... at mit.edu
> >https://mailman.mit.edu/mailman/listinfo/kerberos
>
> --
>
>   Douglas E. Engert  <DEEng... at anl.gov>
>   Argonne National Laboratory
>   9700 South Cass Avenue
>   Argonne, Illinois  60439
>   (630) 252-5444

Chris you can associate multiple SPNs with a single service account.
Try merging your keytabs:

ktpass -princ fooservice/ip-addr-1@REALM -pass p@ssw0rd -mapuser fooservice -out krb1.keytab
ktpass -princ fooservice/ip-addr-2@REALM -pass p@ssw0rd -mapuser fooservice -in krb1.keytab -out krb2.keytab

Hope this helps.
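As an added illustration of the two points made in this thread (it is not code from either poster): merging the keytabs gives one file holding both SPNs, but because the account has a single password, any entry generated before a later password reset on that account is left with a stale key. The script below is a minimal reader/writer for the MIT keytab format (version 0x0502) that merges two keytabs offline, the way ktpass -in/-out or ktutil rkt/wkt would, and then checks each entry's kvno against the account's current kvno, which is how you would spot the "first keytab stops working" case with klist -k in hand. The hostnames in the SPNs (used instead of IP addresses, as suggested above), the key bytes, the kvno values and the timestamps are all made up for the demo.

```python
# Added example (not from the thread): a minimal reader/writer for the MIT
# keytab format (version 0x0502) that merges two keytabs, which is what
# `ktpass ... -in krb1.keytab -out krb2.keytab` or ktutil's rkt/wkt do,
# plus a kvno check to spot entries made stale by a later password reset.
import struct

KEYTAB_VERSION = b"\x05\x02"
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18
KRB5_NT_PRINCIPAL = 1


def _counted(b: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit big-endian length + bytes."""
    return struct.pack(">H", len(b)) + b


def _take(data: bytes, pos: int):
    """Read one counted octet string at pos; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def encode_entry(principal: str, enctype: int, key: bytes, kvno: int, timestamp: int) -> bytes:
    """Serialise one entry for 'svc/host@REALM' (v2 layout: component count excludes the realm)."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for c in components:
        body += _counted(c.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)          # optional 32-bit vno extension
    return struct.pack(">i", len(body)) + body


def write_keytab(entries) -> bytes:
    """entries: iterable of (principal, enctype, key, kvno, timestamp)."""
    return KEYTAB_VERSION + b"".join(encode_entry(*e) for e in entries)


def read_keytab(data: bytes):
    """Parse a keytab into dicts; a negative size marks a deleted slot to skip."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _take(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _take(data, pos)
            comps.append(c)
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _take(data, pos + 11)
        kvno = vno8
        if end - pos >= 4:                   # 32-bit vno extension present
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "%s@%s" % (b"/".join(comps).decode(), realm.decode()),
                        "enctype": enctype, "key": key, "kvno": kvno, "timestamp": timestamp})
    return entries


def merge_keytabs(*keytabs: bytes) -> bytes:
    """Union of all entries, keyed on (principal, enctype, kvno); first copy wins."""
    seen = {}
    for kt in keytabs:
        for e in read_keytab(kt):
            seen.setdefault((e["principal"], e["enctype"], e["kvno"]), e)
    return write_keytab([(e["principal"], e["enctype"], e["key"], e["kvno"], e["timestamp"])
                         for e in seen.values()])


def stale_entries(keytab: bytes, current_kvno: int):
    """Principals whose key predates the account's current kvno, i.e. whose keytab
    was generated before a later password reset on the same account."""
    return [e["principal"] for e in read_keytab(keytab) if e["kvno"] < current_kvno]


# Constructed inputs: two keytabs for two SPNs on one account, as two separate
# ktpass runs might emit them; hostnames, keys, kvnos and timestamps are made up.
KT_HOST1 = write_keytab([("fooservice/host1.example.com@EXAMPLE.COM",
                          ENCTYPE_AES256_CTS_HMAC_SHA1_96, b"\x11" * 32, 2, 1244000000)])
KT_HOST2 = write_keytab([("fooservice/host2.example.com@EXAMPLE.COM",
                          ENCTYPE_AES256_CTS_HMAC_SHA1_96, b"\x22" * 32, 3, 1244100000)])
MERGED = merge_keytabs(KT_HOST1, KT_HOST2)

if __name__ == "__main__":
    for e in read_keytab(MERGED):
        print("%3d %-45s enctype=%d" % (e["kvno"], e["principal"], e["enctype"]))
    print("stale at account kvno 3:", stale_entries(MERGED, 3))
```

Running it lists both principals in the merged file, but with the account now at kvno 3 the host1 entry (kvno 2) is reported stale: merging alone does not revive a keytab whose password has since been replaced. Either generate both entries from the same password in one pass (as in the ktpass lines above), or, as Douglas suggests, give each instance its own account.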
