AD 2003; MS's ktpass made account corrupted

Douglas E. Engert deengert at anl.gov
Thu Dec 13 10:15:24 EST 2007 


Henoc wrote:
> Thanks Douglas for your help.
> 
> Just one thing to make clear for me (I'm not a Kerberos specialist so I
> would like to be sure ) :
> 
> So I got my computer WWWSRVHOST  joined to my domain 
> It has most of the time these spn already made by AD :
> HOST/WWWSRVHOST at FQDN.com

(Some of you examples use FQDN, some FDN. You refer to the machine
as WWWSRVHOST but it also has a DNS hostname. You attempts
at obfuscating the information in the e-mail is making
it hard to understand your situation.

First of all, is the computer WWWSRVHOST a Windows machine?
Is WWWSRVHOST the name?
What is its  DNS name?
Is it joined to the domain?
What is the AD domain name?

And you want to run a web server on it?
If this is all Microsoft servers and web servers, you should not
have to create any keytabs. It should be done for you.

Are trying to run some web server under cygwin?

If so use two seperate windows accounts, one for the host service
handled by windows join, and one for the HTTP service,
and use ktpass. (This keeps them seperate, and avoids the common
passwrod issue.)

The account name does not have to be the spn.

> 
> My goal is :
> - (1) - to add a HTTP/WWWSRVHOST at FDN.com  SPN to my computer's entry
> - (2) - then to produce the corresponding Keytab file
> 
> So to reach this :
> a)- under a unix box or via cygwin on the same windows I have to install
> mskutil (didn't succeed finding a windows version )

No there is no. You should not need this with windows.

> 
> b)- emit these kind of command line : (not that the computer pre-exist in
> the domain; 

You said the computer was joined. Now you say it is no.

in most of my client environment it is a windows box on which I
> have to install my stuff)
> 
> msktutil -b <base> -k <file> s <HTTP/WWWSRVHOST at FDN.com >

Did you actually get it to run?

> 
> 
> Is that all so simple  ?? I can't believe I have been turning around for
> decades for something so easy. 
> Should post this on different forums to avoid this for other people.
> I can test before Friday or Monday
> 
> If I made some huge mistake in my understanding, please let me know
> 
> Thanks again for your help, which was very useful 
> 
> Sincerely
> 
> 
> 
> 
> 
> -----Message d'origine-----
> De : Douglas E. Engert [mailto:deengert at anl.gov] 
> Envoyé : mercredi 12 décembre 2007 21:23
> À : Henoc at gbconcept.com
> Cc : kerberos at mit.edu
> Objet : Re: AD 2003; MS's ktpass made account corrupted
> 
> 
> 
> Henoc at gbconcept.com wrote:
>> Hi Eeery one.
>>
>> I'm turning to you to know if you have found a way to deal with the bug
>> on windows' ktpass tool :
>>
>> When used to deliver a keytab it corrompts the account.
> 
> ktpass was not intended to be used with computer accounts for
> computers joined to the domain. It was intended to be used to add
> unix machine principals and create keytabs for non-domain machines.
> 
> But see below...
> 
>> The computer can't any more log on the windows Domain.
> 
> When you run ktpass with it will update AD and create a keytab.
> The machine that was joined, has the old password stached away,
> so it won't match.
> 
>> You have to delete it's account on the AD side and then rebind it to the
>> domain.
>>
> Yes gets the machine password and the password in AD in sync.
>> I have tried microsoft so-called corrective; I have been told to go on
> SP2;
>> all of this  wich do exactly the same.
>>
>>
>>                               -------------------------------   
>> most accurate entry in the microsoft KB :
>>
>>> http://support.microsoft.com/kb/939980/en-us
>>>> You cannot log on to a Windows Server 2003 domain by using a user
>> account after you reset the user account password by using the
>> ktpass.exe tool together with the -pass * parameter
>>
>> in fact not limited to "/pass * " as long as I have tested  with  "/pass
>> mypasswd"  it  fails also.
>>
>>
>> and also the first problem on microsoft KB was :
>>> http://support.microsoft.com/kb/919557/en
>>>> You receive pre-authentication errors when you use keytab files that
>> are generated by using the Ktpass.exe tool on a Windows Server 2003
>> SP1-based computer
>>
>>
>>                               -------------------------------   
>>
>>
>>
>> So here is my question :
>> Did you succed in creating correct keytab and still not breaking your
>> computer's appartnance to his AD domain. ?
>> If yes please let me step by step what to do. (AND MOST OF ALL Send me a
>> private mail with the binary)
>>
>> Or is there a alternative to the use of microsoft's ktpass on windows ?
> 
>   Yes, msktutil. Uses OpenSSL to talk to AD, to add accounts and principals,
> and create keytabs. Can handle multiple principals using the same AD
> account.
> 
>>
>> PS : I use this style of command line :
>>
>> */ktpass /out httpSrv.keytab /mapuser WWWSRVHOST /princ
>> HTTP//**/WWWSRVHOST/**/@TESTDOMAIN.LOCAL /crypto RC4-HMAC-NT /pass *
>> /ptype KRB5_NT_PRINCIPAL/*
> 
> Are you using the same AD account for a host principal *AND* a HTTP
> principal?
> If yes, that is your problem, AD only stores one password per account,
> so if you create the keytab for http, the keytab for the host will not
> match any more.
> 
> Use a different /mapuser account for each.
> 
> 
> 
>>
>>
>>
>> Thanks
>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list