Password incorrect while getting initial credentials using keytab on Solaris with AD

PS pseely at gmail.com
Tue Mar 25 10:24:40 EDT 2008


Hi,

I am stumped as to what is wrong with my Kerberos authentication.
What I am trying to do is get Kerberos working so I can then use
mod_auth_kerb with Apache to authenticate our domain users.

I have compiled and installed MIT Kerberos 1.5.4, on Solaris 9, and
configured my /etc/krb5.conf as follows:
[libdefaults]
    default_realm = CORP.FC.LOCAL
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc

[domain_realm]
    .fc.fujitsu.com = CORP.FC.LOCAL

[realms]
     CORP.FC.LOCAL = {
                      admin_server   = dc.corp.fc.local:464
                      kdc            = dc.corp.fc.local:88
                      kpasswd_server = dc.corp.fc.local:464
                     }

[logging]
    kdc = FILE:/var/log/kerberos/krb5kdc.log
    admin_server = FILE:/var/log/kerberos/kadmin.log
    default = FILE:/var/log/kerberos/krb5lib.log

I tested with the kinit command and I am able to get a Kerberos ticket
with my own domain ID and password:
root@fc650dr:/usr/www/kerberos/bin # kinit seelypet
Password for seelypet@CORP.FC.LOCAL:
root@fc650dr:/usr/www/kerberos/bin # klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: seelypet@CORP.FC.LOCAL

Valid starting     Expires            Service principal
03/25/08 11:12:26  03/25/08 21:12:31  krbtgt/CORP.FC.LOCAL@CORP.FC.LOCAL
        renew until 03/26/08 11:12:26, Etype (skey, tkt): DES cbc mode with RSA-MD5, ArcFour with HMAC/md5

We have created a user to be used for the Apache Kerberos
authentication in Active Directory (Windows 2003 SP1) with the
following properties:
- User cannot change password
- Password never expires
- Use DES encryption types with this account
- Does not require Kerberos preauthentication

I am able to get a Kerberos ticket with this account when I supply the
password:

root@fc650dr:/usr/www/kerberos/bin # kinit Apache-DBA.Account
Password for Apache-DBA.Account@CORP.FC.LOCAL:
root@fc650dr:/usr/www/kerberos/bin # klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Apache-DBA.Account@CORP.FC.LOCAL

Valid starting     Expires            Service principal
03/25/08 11:14:31  03/25/08 21:14:31  krbtgt/CORP.FC.LOCAL@CORP.FC.LOCAL
        renew until 03/26/08 11:14:31, Etype (skey, tkt): DES cbc mode with RSA-MD5, ArcFour with HMAC/md5

We generated a keytab file on the Active Directory DC for this
account, to map to service principal HTTP/fc650dr.fc.fujitsu.com,
with the following command:
ktpass -princ HTTP/fc650dr.fc.fujitsu.com@CORP.FC.LOCAL -mapuser CORP\Apache-DBA.Account -crypto DES-CBC-MD5 -ptype KRB5_NT_SRV_HST -pass passw0rd -out c:\ktpass\fc650drkeytabv4

I verified that, in Active Directory, the "User login name" shows
HTTP/fc650dr.fc.fujitsu.com, indicating that the mapping was made.

The keytab file was transferred to the Solaris server.  When I try to
use the keytab file, this is the result:
root@fc650dr:/usr/www/kerberos/bin # kinit -kt fc650drkeytabv4 HTTP/fc650dr.fc.fujitsu.com
kinit(v5): Password incorrect while getting initial credentials

However I am able to get a Kerberos ticket using the SPN shown, when I
supply the password:
root@fc650dr:/usr/www/kerberos/bin # kinit HTTP/fc650dr.fc.fujitsu.com
Password for HTTP/fc650dr.fc.fujitsu.com@CORP.FC.LOCAL:
root@fc650dr:/usr/www/kerberos/bin # klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/fc650dr.fc.fujitsu.com@CORP.FC.LOCAL

Valid starting     Expires            Service principal
03/25/08 11:21:30  03/25/08 21:21:30  krbtgt/CORP.FC.LOCAL@CORP.FC.LOCAL
        renew until 03/26/08 11:21:30, Etype (skey, tkt): DES cbc mode with RSA-MD5, ArcFour with HMAC/md5

The kvno in the keytab looks like it matches the ticket being given by
AD:
root@fc650dr:/usr/www/kerberos/bin # klist -kt fc650drkeytabv4
Keytab name: FILE:fc650drkeytabv4
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 12/31/69 20:00:00 HTTP/fc650dr.fc.fujitsu.com@CORP.FC.LOCAL

root@fc650dr:/usr/www/kerberos/bin # kvno HTTP/fc650dr.fc.fujitsu.com
HTTP/fc650dr.fc.fujitsu.com@CORP.FC.LOCAL: kvno = 2

I tried creating a keytab on the Solaris machine using ktutil with
this command:
addent -password -p HTTP/fc650dr.fc.fujitsu.com@CORP.FC.LOCAL -k 2 -e des-cbc-md5

but the result is the same as above when testing with this keytab
also.

Any idea what can be wrong here?  Any ideas much appreciated.

Thanks.
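
The checks below are an added example and are not code from the original post or from MIT Kerberos. They implement a small reader/writer for the MIT keytab file format (version 0x0502: big-endian fields, an int32 record length, principal components without the realm, an 8-bit kvno and an optional trailing 32-bit kvno), then compare the entry for the post's principal against what "kvno" and "klist -e" reported: kvno, enctype, DES key length, and DES key parity (string-to-key always yields bytes with odd parity, so an even-parity byte points at a file damaged in transfer, for instance an ASCII-mode FTP copy). A record that runs past the end of the file is reported the same way. The principal, realm, kvno and des-cbc-md5 enctype are the ones shown in the post; the 8-byte key, the sample keytab and all function names are assumptions made for this example.

```python
"""Read and sanity-check an MIT keytab (format 0x0502).

Added example, not code from the original post or from MIT krb5.  The key
bytes are made up; principal, realm, kvno and enctype are from the post.
"""
import struct
import time

KEYTAB_MAGIC = b"\x05\x02"
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}
KRB5_NT_PRINCIPAL = 1
KRB5_NT_SRV_HST = 3   # the -ptype the post passes to ktpass

# Constructed sample entry: the post's principal and kvno with a made-up key.
SAMPLE_ENTRY = dict(principal="HTTP/fc650dr.fc.fujitsu.com", realm="CORP.FC.LOCAL",
                    kvno=2, enctype=3, name_type=KRB5_NT_SRV_HST, timestamp=0,
                    key=b"\x01\x02\x04\x07\x08\x0b\x0d\x0e")


def build_keytab(entries):
    """Serialise entry dicts in the 0x0502 layout: int32 record length,
    component count (realm not counted), realm, components, name type,
    timestamp, 8-bit kvno, keyblock, then the 32-bit kvno extension."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        comps = e["principal"].split("/")
        rec = bytearray(struct.pack(">H", len(comps)))
        for s in [e["realm"]] + comps:
            rec += struct.pack(">H", len(s)) + s.encode()
        rec += struct.pack(">IIB", e.get("name_type", KRB5_NT_PRINCIPAL),
                           e.get("timestamp", 0), e["kvno"] & 0xFF)
        rec += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        rec += struct.pack(">I", e["kvno"])
        out += struct.pack(">i", len(rec)) + rec
    return bytes(out)


def sample_keytab():
    return build_keytab([SAMPLE_ENTRY])


def parse_keytab(data):
    """Return a list of entry dicts.  Raises ValueError for a file that is not a
    version-2 keytab or whose record length runs past the end of the file."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("bad magic %r, not a 0x0502 keytab" % (data[:2],))
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                      # deleted slot of abs(size) bytes
            pos += -size
            continue
        if size == 0:
            raise ValueError("zero-length record at offset %d" % (pos - 4))
        end = pos + size
        if end > len(data):
            raise ValueError("record at offset %d runs past end of file" % (pos - 4))
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        strings = []
        for _ in range(ncomp + 1):        # realm first, then the components
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            strings.append(data[pos:pos + n].decode()); pos += n
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        kvno = vno8
        if end - pos >= 4:                # 32-bit kvno overrides vno8 when nonzero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        entries.append(dict(realm=strings[0], principal="/".join(strings[1:]),
                            name_type=name_type, timestamp=timestamp,
                            kvno=kvno, enctype=enctype, key=key))
        pos = end
    return entries


def check_entry(entries, principal, realm, kdc_kvno, enctype):
    """Compare the keytab entry with what 'kvno' and 'klist -e' report and
    return a list of findings; an empty list means nothing obvious is wrong."""
    found = [e for e in entries if e["principal"] == principal and e["realm"] == realm]
    if not found:
        return ["no entry for %s@%s in keytab" % (principal, realm)]
    findings = []
    for e in found:
        if e["kvno"] != kdc_kvno:
            findings.append("kvno %d in keytab but KDC reports %d" % (e["kvno"], kdc_kvno))
        if e["enctype"] != enctype:
            findings.append("keytab enctype %s, expected %s" % (
                ENCTYPE_NAMES.get(e["enctype"], e["enctype"]), ENCTYPE_NAMES.get(enctype, enctype)))
        if e["enctype"] in (1, 3):        # single DES: 8 bytes, odd parity in each byte
            if len(e["key"]) != 8:
                findings.append("DES key is %d bytes, expected 8" % len(e["key"]))
            elif any(bin(b).count("1") % 2 == 0 for b in e["key"]):
                findings.append("DES key byte with even parity: string-to-key output "
                                "always has odd parity, so the file is probably damaged")
    return findings


def describe(entries):
    """Render entries like 'klist -kt'.  Timestamp 0 is what the post's
    12/31/69 20:00:00 line is (epoch zero shown in US Eastern time)."""
    return ["%4d %s %s %s@%s" % (
        e["kvno"], time.strftime("%m/%d/%y %H:%M:%S", time.gmtime(e["timestamp"])),
        ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"])), e["principal"], e["realm"])
        for e in entries]


if __name__ == "__main__":
    ents = parse_keytab(sample_keytab())
    print("\n".join(describe(ents)))
    print(check_entry(ents, "HTTP/fc650dr.fc.fujitsu.com", "CORP.FC.LOCAL", 2, 3) or ["no findings"])
```

To run it against a real file, replace sample_keytab() with open("fc650drkeytabv4", "rb").read() and pass the kvno and enctype that "kvno" and "klist -e" printed on the KDC side. An empty findings list only rules out the mechanical problems (wrong kvno, wrong enctype, damaged key bytes); it cannot tell whether the key was derived from the right password and salt, since that needs the KDC's copy of the key.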
