AD 2003; MS's ktpass made account corrupted

Douglas E. Engert deengert at anl.gov
Wed Dec 12 15:23:22 EST 2007



Henoc at gbconcept.com wrote:
> Hi everyone.
> 
> I'm turning to you to know if you have found a way to deal with the bug
> in Windows' ktpass tool:
> 
> When used to deliver a keytab, it corrupts the account.

ktpass was not intended to be used with computer accounts for
computers joined to the domain. It was intended to be used to add
unix machine principals and create keytabs for non-domain machines.

But see below...

> 
> The computer can no longer log on to the Windows domain.

When you run ktpass, it will update AD and create a keytab.
The machine that was joined has the old password stashed away,
so it won't match.

> 
> You have to delete its account on the AD side and then rebind it to the
> domain.
> 
Yes, that gets the machine password and the password in AD back in sync.
> 
> I have tried Microsoft's so-called corrective; I have been told to go to SP2;
> all of which do exactly the same.
> 
> 
>                               -------------------------------   
> Most accurate entry in the Microsoft KB:
> 
>> http://support.microsoft.com/kb/939980/en-us
>>> You cannot log on to a Windows Server 2003 domain by using a user
> account after you reset the user account password by using the
> ktpass.exe tool together with the -pass * parameter
> 
> In fact it is not limited to "/pass *": as I have tested with "/pass
> mypasswd", it fails also.
> 
> 
> And also the first problem in the Microsoft KB was:
>> http://support.microsoft.com/kb/919557/en
>>> You receive pre-authentication errors when you use keytab files that
> are generated by using the Ktpass.exe tool on a Windows Server 2003
> SP1-based computer
> 
> 
>                               -------------------------------   
> 
> 
> 
> So here is my question:
> Did you succeed in creating a correct keytab without breaking your
> computer's membership in its AD domain?
> If yes, please tell me step by step what to do. (AND MOST OF ALL send me a
> private mail with the binary)
> 
> Or is there an alternative to the use of Microsoft's ktpass on Windows?

  Yes, msktutil. Uses OpenSSL to talk to AD, to add accounts and principals,
and create keytabs. Can handle multiple principals using the same AD account.

> 
> 
> PS: I use this style of command line:
> 
>   ktpass /out httpSrv.keytab /mapuser WWWSRVHOST /princ HTTP/WWWSRVHOST@TESTDOMAIN.LOCAL /crypto RC4-HMAC-NT /pass * /ptype KRB5_NT_PRINCIPAL

Are you using the same AD account for a host principal *AND* an HTTP principal?
If yes, that is your problem: AD only stores one password per account,
so if you create the keytab for HTTP, the keytab for the host will not
match any more.

Use a different /mapuser account for each.



> 
> 
> 
> 
> Thanks
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
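The "different /mapuser account for each" advice above, worked through as an added example (this is not code from the post, from ktpass, or from msktutil): a PowerShell script that refuses to run ktpass against a computer account or against an account that already carries another SPN, then creates a dedicated service account and cuts the keytab against that. It assumes the ActiveDirectory module (RSAT) and ktpass/setspn on PATH, run with rights to create accounts; every name (TESTDOMAIN.LOCAL, www.testdomain.local, svc-http, the keytab path) is a placeholder.

```powershell
# Added example; not from the mailing-list post or from Microsoft's ktpass docs.
# Assumes the ActiveDirectory module and ktpass/setspn are available. All names
# below are placeholders chosen for illustration.
Import-Module ActiveDirectory

$Realm   = 'TESTDOMAIN.LOCAL'
$SvcHost = 'www.testdomain.local'      # FQDN that clients put in the HTTP SPN
$SvcAcct = 'svc-http'                  # dedicated user object, never a computer
$Spn     = "HTTP/$SvcHost"
$Keytab  = 'C:\temp\httpSrv.keytab'

function Assert-SafeKtpassTarget {
    # ktpass resets the password of whatever /mapuser points at. A domain-joined
    # computer keeps its own copy of that password (its machine account secret),
    # so resetting a computer account breaks the domain trust. Refuse computer
    # objects outright.
    param([string]$SamAccountName)
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" `
                        -Properties objectClass, servicePrincipalName
    if (-not $obj) { throw "account $SamAccountName not found" }
    if ($obj.objectClass -eq 'computer' -or $SamAccountName.EndsWith('$')) {
        throw "$SamAccountName is a computer account; ktpass would desync its password"
    }
    # One account holds one password, hence one key. Two different service
    # principals on the same account cannot both have a valid keytab unless
    # both keytabs were cut from the same ktpass run.
    $others = @($obj.servicePrincipalName) | Where-Object { $_ -and $_ -ne $Spn }
    if ($others.Count -gt 0) {
        throw "$SamAccountName already serves $($others -join ', '); use one account per keytab"
    }
}

# 1. The SPN must be unique in the forest, or the KDC cannot pick a key.
#    setspn -Q prints 'Existing SPN found!' when it is already registered.
$q = setspn -Q $Spn 2>&1
if ($q -match 'Existing SPN found') {
    throw "$Spn is already registered: $($q -join ' ')"
}

# 2. Create a dedicated account whose only job is to hold this key.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SvcAcct'")) {
    New-ADUser -Name $SvcAcct -SamAccountName $SvcAcct `
               -UserPrincipalName "$Spn@$Realm" `
               -AccountPassword (Read-Host -AsSecureString "Password for $SvcAcct") `
               -Enabled $true -PasswordNeverExpires $true
}
Assert-SafeKtpassTarget $SvcAcct

# 3. Now ktpass is safe: /mapuser sets the SPN and UPN on svc-http, /mapop set
#    replaces any stale mapping, and /pass * prompts for the password (type the
#    one given above so the AD password and the keytab key stay in sync).
ktpass /out $Keytab /princ "$Spn@$Realm" /mapuser "$SvcAcct@$Realm" `
       /mapop set /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL /pass *

# 4. Verify the mapping landed on the service account, not on the web host's
#    computer object, which must keep only its own host-style SPNs.
setspn -L $SvcAcct
$hostObj = Get-ADComputer -Filter "DNSHostName -eq '$SvcHost'" -Properties servicePrincipalName
if ($hostObj -and ($hostObj.servicePrincipalName -contains $Spn)) {
    Write-Warning "$Spn is also on computer $($hostObj.Name); remove it with setspn -D"
}
```

The script keeps the post's /crypto RC4-HMAC-NT so the keytab matches the command line quoted above; on domains where the service supports it, /crypto AES256-SHA1 gives a stronger key and the same one-account-per-keytab rule applies. The guard in Assert-SafeKtpassTarget is the part worth keeping even if the rest is done by hand: the failure in the thread comes entirely from pointing /mapuser at an account whose password something else (the joined machine, or another keytab) still depends on.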


