Loading host service principal from /etc/krb5.keytab?

Douglas E. Engert deengert at anl.gov
Tue May 25 10:37:26 EDT 2010 


Lars Kellogg-Stedman wrote:
> Hello all,
> 
> Should it be possible to load the host service principal from
> /etc/krb5.keytab for the purpose of authenticating against an Active
> Directory server?  That is, should I expect this to work?
> 
>   kinit -k host/buildmaster.example.com at EXAMPLE.COM

AD will look for an account where the principal matches the
userPrincipalName attribute, or where the principal will match
samAccountName at DOMAIN

I suspect that in your case the userPrincipalName (if any) is
host/buildmaster at EXAMPLE.COM and the sAMAccountName is BUILDMASTER$
so kinit -k host/buildmaster at EXAMPLE.COM may work
and kinit -k BUILDMASTER$@EXAMPLE.COM
should work.

For machine that is not Windows you could change the userPrincipalName
attribute on the account to host/buildmaster.example.com at EXAMPLE.COM

> 
> I invariably receive the following error message:
> 
>   kinit(v5): Client not found in Kerberos database while getting
> initial credentials
> 
> Everything else seems to be working fine (I can kinit as a user, and
> those credentials are accepted for access to the server).  The
> specified principal is listed by 'klist -k':
> 
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 host/buildmaster.example.com at EXAMPLE.COM
>    2 host/buildmaster.example.com at EXAMPLE.COM
>    2 host/buildmaster.example.com at EXAMPLE.COM
>    2 host/buildmaster at EXAMPLE.COM
>    2 host/buildmaster at EXAMPLE.COM
>    2 host/buildmaster at EXAMPLE.COM
>    2 BUILDMASTER$@EXAMPLE.COM
>    2 BUILDMASTER$@EXAMPLE.COM
>    2 BUILDMASTER$@EXAMPLE.COM
> 
> The error message suggests to me some sort of hostname mismatch
> somewhere, but DNS (forward and reverse), the system hostname, and the
> servicePrincipalNames in AD are all consistent.
> 
> The goal here is to be able to bind to an AD server using the stored
> host principal (rather than using shared credentials in
> /etc/ldap.conf, which seems to be the most common alternative to
> anonymous binds).
> 
> Thanks for your help!
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list