Password incorrect while getting initial credentials using keytab on Solaris with AD

Douglas E. Engert deengert at anl.gov
Tue Mar 25 11:00:21 EDT 2008 

Your problem might be a bad version of ktpass.
See http://support.microsoft.com/kb/919557

  "You receive pre-authentication errors when you use
   keytab files that are generated by using the Ktpass.exe
   tool on a Windows Server 2003 SP1-based computer"


PS wrote:
> Hi,
> 
> I am stumped as to what is wrong with my Kerberos authentication.
> What I am trying to do is get Kerberos working so I can then use
> mod_auth_kerb with Apache to authenticate our domain users.
> 
> I have compiled and installed MIT Kerberos 1.5.4, on Solaris 9, and
> configured my /etc/krb5.conf as follows:
> [libdefaults]
>     default_realm = CORP.FC.LOCAL
>     default_tkt_enctypes = des-cbc-md5 des-cbc-crc
>     default_tgs_enctypes = des-cbc-md5 des-cbc-crc
> 
> [domain_realm]
>     .fc.fujitsu.com = CORP.FC.LOCAL
> 
> [realms]
>      CORP.FC.LOCAL = {
>                       admin_server   = dc.corp.fc.local:464
>                       kdc            = dc.corp.fc.local:88
>                       kpasswd_server = dc.corp.fc.local:464
>                      }
> 
> [logging]
>     kdc = FILE:/var/log/kerberos/krb5kdc.log
>     admin_server = FILE:/var/log/kerberos/kadmin.log
>     default = FILE:/var/log/kerberos/krb5lib.log
> 
> I tested with the kinit command and I am able to get a Kerberos ticket
> with my own domain ID and password:
> root at fc650dr:/usr/www/kerberos/bin # kinit seelypet
> Password for seelypet at CORP.FC.LOCAL:
> root at fc650dr:/usr/www/kerberos/bin # klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: seelypet at CORP.FC.LOCAL
> 
> Valid starting     Expires            Service principal
> 03/25/08 11:12:26  03/25/08 21:12:31  krbtgt/
> CORP.FC.LOCAL at CORP.FC.LOCAL
>         renew until 03/26/08 11:12:26, Etype (skey, tkt): DES cbc mode
> with RSA-MD5, ArcFour with HMAC/md5
> 
> We have created a user to be used for the Apache Kerberos
> authentication in Active Directory (Windows 2003 SP1) with the
> following properties:
> - User cannot change password
> - Password never expires
> - Use DES encryption types with this account
> - Does not require Kerberos preauthentication
> 
> I am able to get a Kerberos ticket with this account when I supply the
> password:
> 
> root at fc650dr:/usr/www/kerberos/bin # kinit Apache-DBA.Account
> Password for Apache-DBA.Account at CORP.FC.LOCAL:
> root at fc650dr:/usr/www/kerberos/bin # klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Apache-DBA.Account at CORP.FC.LOCAL
> 
> Valid starting     Expires            Service principal
> 03/25/08 11:14:31  03/25/08 21:14:31  krbtgt/
> CORP.FC.LOCAL at CORP.FC.LOCAL
>         renew until 03/26/08 11:14:31, Etype (skey, tkt): DES cbc mode
> with RSA-MD5, ArcFour with HMAC/md5
> 
> We generated a keytab file on the Active Directory DC for this
> account, to map to service principal HTTP/fc650dr.fc.fujitsu.com,
> with the following command
> ktpass -princ HTTP/fc650dr.fc.fujitsu.com at CORP.FC.LOCAL -mapuser CORP
> \Apache-DBA.Account -crypto DES-CBC-MD5 -ptype KRB5_NT_SRV_HST -pass
> passw0rd -out c:\ktpass\fc650drkeytabv4
> 
> I verified that, in Active Directory, the "User login name" shows HTTP/
> fc650dr.fc.fujitsu.com, indicating that the mapping was made.
> 
> The keytab file was transferred to the Solaris server.  When I try to
> use the keytab file, this is the result:
> root at fc650dr:/usr/www/kerberos/bin # kinit -kt fc650drkeytabv4 HTTP/
> fc650dr.fc.fujitsu.com
> kinit(v5): Password incorrect while getting initial credentials
> 
> However I am able to get a Kerberos ticket using the SPN shown, when I
> supply the password:
> root at fc650dr:/usr/www/kerberos/bin # kinit HTTP/fc650dr.fc.fujitsu.com
> Password for HTTP/fc650dr.fc.fujitsu.com at CORP.FC.LOCAL:
> root at fc650dr:/usr/www/kerberos/bin # klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: HTTP/fc650dr.fc.fujitsu.com at CORP.FC.LOCAL
> 
> Valid starting     Expires            Service principal
> 03/25/08 11:21:30  03/25/08 21:21:30  krbtgt/
> CORP.FC.LOCAL at CORP.FC.LOCAL
>         renew until 03/26/08 11:21:30, Etype (skey, tkt): DES cbc mode
> with RSA-MD5, ArcFour with HMAC/md5
> 
> The kvno in the keytab looks like it matches the ticket being given by
> AD:
> root at fc650dr:/usr/www/kerberos/bin # klist -kt fc650drkeytabv4
> Keytab name: FILE:fc650drkeytabv4
> KVNO Timestamp         Principal
> ---- -----------------
> --------------------------------------------------------
>    2 12/31/69 20:00:00 HTTP/fc650dr.fc.fujitsu.com at CORP.FC.LOCAL
> 
> root at fc650dr:/usr/www/kerberos/bin # kvno HTTP/fc650dr.fc.fujitsu.com
> HTTP/fc650dr.fc.fujitsu.com at CORP.FC.LOCAL: kvno = 2
> 
> I tried creating a keytab on the Solaris machine using ktutil with
> this command:
> addent -password -p HTTP/fc650dr.fc.fujitsu.com at CORP.FC.LOCAL -k 2 -e
> des-cbc-md5
> 
> but the result is the same as above when testing with this keytab
> also.
> 
> Any idea what can be wrong here?  Any ideas much appreciated.
> 
> Thanks.
> 
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list