Bizarre problem with authenticating a service principal with AD
Jason Testart
jatestart at cs.uwaterloo.ca
Mon Mar 12 01:37:10 EDT 2007
Jeffrey Altman said the following on 3/12/2007 12:01 AM:
> Jason Testart wrote:
>>
>> Jeffrey Altman wrote:
>>> Jason Testart wrote:
>>>> I'm trying to get pam_krb5 working with an Active Directory
>>>> domain. It works when I don't have a krb5.keytab file but it
>>>> doesn't when I do, since the verification of the TGT using the
>>>> service principal fails with an error: "Key table entry not
>>>> found". The keytab file is simple as it only contains the
>>>> "host" service principal for the Ubuntu Linux box that I am
>>>> testing with.
>>> What enctype is the service ticket being encrypted with?
>> I used the default. "ktpass /?" says that's RC4-HMAC-NT.
> ktpass exports a key of the enctype you request. that is not
> necessarily the enctype used to encrypt the service ticket that is
> issued. What is the enctype of the service ticket received by your
> service?
Right. Sorry about that. I'm a bit of a noobie at Kerberos. So AFAIK,
based on reading and looking at pcap files of kerberos traffic, Active
Directory uses des-cbc-md5 or des-cbc-crc to encrypt tickets it issues,
like the TGT in this case.
Thanks Jeffrey, you got me thinking in the right direction:
I just took a look at the keytab files on those Solaris hosts that I
mentioned work, and what do you know, the host keys are des-cbc-md5.
But get this, I used ktpass the same way to create those as I did this
one. I believe the difference is in how I created the AD account for
the service principal. For the working Solaris hosts, I used a perl
script to create the accounts via LDAP, then in a second step I ran a
batch of ktpass commands. In the perl script, I set the
userAccountControl attribute (setting the USE_DES_KEY_ONLY property).
Perhaps this affects how ktpass behaves? In the case of this Linux
host, I created the account using the GUI snap-in and I didn't set any
properties before generating the keytab file.
So I just recreated the keytab with the different enctype. Now when I
kinit, I get either:
kinit(v5): Password incorrect while getting initial credentials
or
kinit(v5): Preauthentication failed while getting initial credentials
depending on whether "require preauth" is set for the account in AD.
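The failure in this thread comes down to a mismatch between the enctype the KDC used to encrypt the ticket and the enctypes of the keys present in the keytab. The following is an added example, not code from the post or from MIT Kerberos: a small parser for the version-2 (0x0502) keytab file format that lists entries the way `klist -ke` does, plus a lookup that mimics the check libkrb5 performs when it tries to decrypt a service ticket (matching principal, enctype and, when known, kvno). The principal name `host/ubuntu.example.com@EXAMPLE.COM`, the kvno values and the all-zero key bytes are constructed for the illustration; the sample keytab is built in memory rather than exported by ktpass.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import List, Optional

# Enctype numbers from RFC 3961 / RFC 4757. ktpass's "RC4-HMAC-NT" is 23.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}


@dataclass
class KeytabEntry:
    principal: str   # e.g. host/ubuntu.example.com@EXAMPLE.COM (constructed name)
    kvno: int
    enctype: int
    key: bytes


def _counted(buf: bytes, off: int):
    """Read a 16-bit-length-prefixed string (a "data" item in the MIT format)."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n].decode("utf-8"), off + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version-2 (0x0502) keytab into its entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:               # a negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:         # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key))
    return entries


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialize entries in the same format; used here to construct sample input."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode("utf-8")
        body += struct.pack(">IIB", 1, 0, e.kvno & 0xFF)   # NT-PRINCIPAL, timestamp 0
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def describe(entries: List[KeytabEntry]) -> List[str]:
    """klist -ke style listing: kvno, principal, enctype name."""
    return [f"{e.kvno} {e.principal} ({ENCTYPE_NAMES.get(e.enctype, e.enctype)})"
            for e in entries]


def find_usable_key(entries, principal, enctype, kvno=None) -> Optional[KeytabEntry]:
    """Entry the service could decrypt a ticket with, or None.

    None is the situation libkrb5 reports as "Key table entry not found":
    no key for this principal with the ticket's enctype (and kvno, if given).
    """
    for e in entries:
        if (e.principal == principal and e.enctype == enctype
                and (kvno is None or e.kvno == kvno)):
            return e
    return None


# Constructed sample mirroring the post: the keytab holds only an RC4 key ...
HOST = "host/ubuntu.example.com@EXAMPLE.COM"
RC4_ONLY = build_keytab([KeytabEntry(HOST, 3, 23, bytes(16))])
# ... while the KDC encrypts the service ticket with des-cbc-md5 (enctype 3).
TICKET_ENCTYPE = 3

if __name__ == "__main__":
    entries = parse_keytab(RC4_ONLY)
    print("\n".join(describe(entries)))
    hit = find_usable_key(entries, HOST, TICKET_ENCTYPE)
    print("usable key:", "yes" if hit else "no, expect 'Key table entry not found'")
```

On a real host the equivalent check is to compare `klist -ke /etc/krb5.keytab` (enctypes in the keytab) with `klist -e` after fetching a ticket for the host principal; the enctype shown for the service ticket must appear against that principal in the keytab, with the same kvno.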
More information about the Kerberos
mailing list