Password incorrect while getting initial credentials using keytab on Solaris with AD
Douglas E. Engert
deengert@anl.gov
Tue Mar 25 11:00:21 EDT 2008
Your problem might be a bad version of ktpass.
See http://support.microsoft.com/kb/919557
"You receive pre-authentication errors when you use keytab files that are generated by using the Ktpass.exe tool on a Windows Server 2003 SP1-based computer"
PS wrote:
> Hi,
>
> I am stumped as to what is wrong with my Kerberos authentication.
> What I am trying to do is get Kerberos working so I can then use
> mod_auth_kerb with Apache to authenticate our domain users.
>
> I have compiled and installed MIT Kerberos 1.5.4, on Solaris 9, and
> configured my /etc/krb5.conf as follows:
> [libdefaults]
> default_realm = CORP.FC.LOCAL
> default_tkt_enctypes = des-cbc-md5 des-cbc-crc
> default_tgs_enctypes = des-cbc-md5 des-cbc-crc
>
> [domain_realm]
> .fc.fujitsu.com = CORP.FC.LOCAL
>
> [realms]
> CORP.FC.LOCAL = {
> admin_server = dc.corp.fc.local:464
> kdc = dc.corp.fc.local:88
> kpasswd_server = dc.corp.fc.local:464
> }
>
> [logging]
> kdc = FILE:/var/log/kerberos/krb5kdc.log
> admin_server = FILE:/var/log/kerberos/kadmin.log
> default = FILE:/var/log/kerberos/krb5lib.log
>
> I tested with the kinit command and I am able to get a Kerberos ticket
> with my own domain ID and password:
> root@fc650dr:/usr/www/kerberos/bin # kinit seelypet
> Password for seelypet@CORP.FC.LOCAL:
> root@fc650dr:/usr/www/kerberos/bin # klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: seelypet@CORP.FC.LOCAL
>
> Valid starting     Expires            Service principal
> 03/25/08 11:12:26  03/25/08 21:12:31  krbtgt/CORP.FC.LOCAL@CORP.FC.LOCAL
>         renew until 03/26/08 11:12:26, Etype (skey, tkt): DES cbc mode with RSA-MD5, ArcFour with HMAC/md5
>
> We have created a user to be used for the Apache Kerberos
> authentication in Active Directory (Windows 2003 SP1) with the
> following properties:
> - User cannot change password
> - Password never expires
> - Use DES encryption types with this account
> - Does not require Kerberos preauthentication
>
> I am able to get a Kerberos ticket with this account when I supply the
> password:
>
> root@fc650dr:/usr/www/kerberos/bin # kinit Apache-DBA.Account
> Password for Apache-DBA.Account@CORP.FC.LOCAL:
> root@fc650dr:/usr/www/kerberos/bin # klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Apache-DBA.Account@CORP.FC.LOCAL
>
> Valid starting     Expires            Service principal
> 03/25/08 11:14:31  03/25/08 21:14:31  krbtgt/CORP.FC.LOCAL@CORP.FC.LOCAL
>         renew until 03/26/08 11:14:31, Etype (skey, tkt): DES cbc mode with RSA-MD5, ArcFour with HMAC/md5
>
> We generated a keytab file on the Active Directory DC for this
> account, to map to service principal HTTP/fc650dr.fc.fujitsu.com,
> with the following command
> ktpass -princ HTTP/fc650dr.fc.fujitsu.com@CORP.FC.LOCAL -mapuser CORP\Apache-DBA.Account -crypto DES-CBC-MD5 -ptype KRB5_NT_SRV_HST -pass passw0rd -out c:\ktpass\fc650drkeytabv4
>
> I verified that, in Active Directory, the "User login name" shows HTTP/
> fc650dr.fc.fujitsu.com, indicating that the mapping was made.
>
> The keytab file was transferred to the Solaris server. When I try to
> use the keytab file, this is the result:
> root@fc650dr:/usr/www/kerberos/bin # kinit -kt fc650drkeytabv4 HTTP/fc650dr.fc.fujitsu.com
> kinit(v5): Password incorrect while getting initial credentials
>
> However I am able to get a Kerberos ticket using the SPN shown, when I
> supply the password:
> root@fc650dr:/usr/www/kerberos/bin # kinit HTTP/fc650dr.fc.fujitsu.com
> Password for HTTP/fc650dr.fc.fujitsu.com@CORP.FC.LOCAL:
> root@fc650dr:/usr/www/kerberos/bin # klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: HTTP/fc650dr.fc.fujitsu.com@CORP.FC.LOCAL
>
> Valid starting     Expires            Service principal
> 03/25/08 11:21:30  03/25/08 21:21:30  krbtgt/CORP.FC.LOCAL@CORP.FC.LOCAL
>         renew until 03/26/08 11:21:30, Etype (skey, tkt): DES cbc mode with RSA-MD5, ArcFour with HMAC/md5
>
> The kvno in the keytab looks like it matches the ticket being given by
> AD:
> root@fc650dr:/usr/www/kerberos/bin # klist -kt fc650drkeytabv4
> Keytab name: FILE:fc650drkeytabv4
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    2 12/31/69 20:00:00 HTTP/fc650dr.fc.fujitsu.com@CORP.FC.LOCAL
>
> root@fc650dr:/usr/www/kerberos/bin # kvno HTTP/fc650dr.fc.fujitsu.com
> HTTP/fc650dr.fc.fujitsu.com@CORP.FC.LOCAL: kvno = 2
>
> I tried creating a keytab on the Solaris machine using ktutil with
> this command:
> addent -password -p HTTP/fc650dr.fc.fujitsu.com@CORP.FC.LOCAL -k 2 -e des-cbc-md5
>
> but the result is the same as above when testing with this keytab
> also.
>
> Any idea what can be wrong here? Any ideas much appreciated.
>
> Thanks.
>
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
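As an added illustration, not code from the thread or from MIT Kerberos: a small Python reader for the MIT keytab file format (version bytes 0x05 0x02) that lists each entry's principal, kvno, enctype and timestamp and compares them with the kvno the KDC reports, which is the check the poster did by hand with `klist -kt` and `kvno`. The sample keytab is constructed inside the script with a made-up eight-byte key; only the SPN, kvno 2, the des-cbc-md5 enctype (etype 3) and the KRB5_NT_SRV_HST name type are taken from the posted commands. The limit of this kind of check is also the reason the reply above points at the ktpass bug rather than at the keytab's metadata: an entry whose kvno and enctype agree with the KDC can still hold the wrong key bytes, and nothing short of `kinit -kt` (or decrypting a real ticket) will reveal that.

```python
"""Inspect an MIT keytab offline and compare it with what the KDC reports.
Added example, not code from the thread: the keytab bytes are constructed
below with a made-up DES key; SPN, kvno 2 and des-cbc-md5 come from the post."""
import struct

# Enctype numbers from RFC 3961 and the MIT sources (subset).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}          # single DES and RC4: avoid in new deployments
KRB5_NT_SRV_HST = 3                 # the -ptype the poster passed to ktpass


def _counted(buf, off):
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data):
    """Return the live entries of a keytab as dicts; deleted slots (negative size) are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # slot freed by removing an entry: skip the hole
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:           # optional 32-bit kvno appended by newer MIT libraries
            (kvno32,) = struct.unpack_from(">I", data, off)
            if kvno32:
                kvno = kvno32
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": timestamp,
                        "kvno": kvno, "enctype": enctype, "key": key})
        off = end
    return entries


def build_keytab(principal, realm, enctype, key, kvno, timestamp=0, name_type=KRB5_NT_SRV_HST):
    """Serialise one entry in keytab format (used here only to construct sample input)."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def check_keytab(data, kdc_kvno, allowed_enctypes):
    """Compare every entry with the kvno the KDC reports (output of `kvno`) and with the
    enctypes the client is configured to use.  Returns findings; empty means consistent.
    This cannot tell whether the key bytes themselves are right: only kinit -kt can."""
    findings = []
    for e in parse_keytab(data):
        tag = "%s kvno=%d %s" % (e["principal"], e["kvno"],
                                  ENCTYPE_NAMES.get(e["enctype"], "etype %d" % e["enctype"]))
        if e["kvno"] != kdc_kvno:
            findings.append("%s: kvno differs from KDC kvno %d (stale keytab or password reset)" % (tag, kdc_kvno))
        if e["enctype"] not in allowed_enctypes:
            findings.append("%s: enctype is not one the client is configured to use" % tag)
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append("%s: weak enctype; move to AES once the account allows it" % tag)
        if e["timestamp"] == 0:
            findings.append("%s: timestamp is 0 (klist shows 12/31/69), no key creation time recorded" % tag)
    return findings


# Constructed sample: the poster's SPN, kvno 2, des-cbc-md5, and a made-up 8-byte key.
SAMPLE_KEYTAB = build_keytab("HTTP/fc650dr.fc.fujitsu.com", "CORP.FC.LOCAL",
                             enctype=3, key=bytes.fromhex("0123456789abcdef"), kvno=2)

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry["kvno"], entry["principal"], ENCTYPE_NAMES.get(entry["enctype"]))
    # kvno 2 is what `kvno HTTP/...` returned; {1, 3} mirrors the posted default_tkt_enctypes
    for finding in check_keytab(SAMPLE_KEYTAB, kdc_kvno=2, allowed_enctypes={1, 3}):
        print("WARN", finding)
```

Run against a real file with `check_keytab(open("fc650drkeytabv4", "rb").read(), 2, {1, 3})`; a clean result there, with `kinit -kt` still failing, narrows the fault to the key material itself, which is exactly where the KB919557 ktpass defect sits.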