Password incorrect while getting initial credentials using keytab on Solaris with AD

PS pseely at gmail.com
Tue Mar 25 11:07:55 EDT 2008


On Mar 25, 12:00 pm, "Douglas E. Engert" <deeng... at anl.gov> wrote:
> Your problem might be a bad version of ktpass.
> See http://support.microsoft.com/kb/919557
>
>   "You receive pre-authentication errors when you use
>    keytab files that are generated by using the Ktpass.exe
>    tool on a Windows Server 2003 SP1-based computer"
>
>
>
> PS wrote:
> > Hi,
>
> > I am stumped as to what is wrong with my Kerberos authentication.
> > What I am trying to do is get Kerberos working so I can then use
> > mod_auth_kerb with Apache to authenticate our domain users.
>
> > I have compiled and installed MIT Kerberos 1.5.4, on Solaris 9, and
> > configured my /etc/krb5.conf as follows:
> > [libdefaults]
> >     default_realm = CORP.FC.LOCAL
> >     default_tkt_enctypes = des-cbc-md5 des-cbc-crc
> >     default_tgs_enctypes = des-cbc-md5 des-cbc-crc
>
> > [domain_realm]
> >     .fc.fujitsu.com = CORP.FC.LOCAL
>
> > [realms]
> >      CORP.FC.LOCAL = {
> >                       admin_server   = dc.corp.fc.local:464
> >                       kdc            = dc.corp.fc.local:88
> >                       kpasswd_server = dc.corp.fc.local:464
> >                      }
>
> > [logging]
> >     kdc = FILE:/var/log/kerberos/krb5kdc.log
> >     admin_server = FILE:/var/log/kerberos/kadmin.log
> >     default = FILE:/var/log/kerberos/krb5lib.log
>
> > I tested with the kinit command and I am able to get a Kerberos ticket
> > with my own domain ID and password:
> > root at fc650dr:/usr/www/kerberos/bin # kinit seelypet
> > Password for seely... at CORP.FC.LOCAL:
> > root at fc650dr:/usr/www/kerberos/bin # klist -e
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: seely... at CORP.FC.LOCAL
>
> > Valid starting     Expires            Service principal
> > 03/25/08 11:12:26  03/25/08 21:12:31  krbtgt/
> > CORP.FC.LO... at CORP.FC.LOCAL
> >         renew until 03/26/08 11:12:26, Etype (skey, tkt): DES cbc mode
> > with RSA-MD5, ArcFour with HMAC/md5
>
> > We have created a user to be used for the Apache Kerberos
> > authentication in Active Directory (Windows 2003 SP1) with the
> > following properties:
> > - User cannot change password
> > - Password never expires
> > - Use DES encryption types with this account
> > - Does not require Kerberos preauthentication
>
> > I am able to get a Kerberos ticket with this account when I supply the
> > password:
>
> > root at fc650dr:/usr/www/kerberos/bin # kinit Apache-DBA.Account
> > Password for Apache-DBA.Acco... at CORP.FC.LOCAL:
> > root at fc650dr:/usr/www/kerberos/bin # klist -e
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: Apache-DBA.Acco... at CORP.FC.LOCAL
>
> > Valid starting     Expires            Service principal
> > 03/25/08 11:14:31  03/25/08 21:14:31  krbtgt/
> > CORP.FC.LO... at CORP.FC.LOCAL
> >         renew until 03/26/08 11:14:31, Etype (skey, tkt): DES cbc mode
> > with RSA-MD5, ArcFour with HMAC/md5
>
> > We generated a keytab file on the Active Directory DC for this
> > account, to map to service principal HTTP/fc650dr.fc.fujitsu.com,
> > with the following command
> > ktpass -princ HTTP/fc650dr.fc.fujitsu.... at CORP.FC.LOCAL -mapuser CORP
> > \Apache-DBA.Account -crypto DES-CBC-MD5 -ptype KRB5_NT_SRV_HST -pass
> > passw0rd -out c:\ktpass\fc650drkeytabv4
>
> > I verified that, in Active Directory, the "User login name" shows HTTP/
> > fc650dr.fc.fujitsu.com, indicating that the mapping was made.
>
> > The keytab file was transferred to the Solaris server.  When I try to
> > use the keytab file, this is the result:
> > root at fc650dr:/usr/www/kerberos/bin # kinit -kt fc650drkeytabv4 HTTP/
> > fc650dr.fc.fujitsu.com
> > kinit(v5): Password incorrect while getting initial credentials
>
> > However I am able to get a Kerberos ticket using the SPN shown, when I
> > supply the password:
> > root at fc650dr:/usr/www/kerberos/bin # kinit HTTP/fc650dr.fc.fujitsu.com
> > Password for HTTP/fc650dr.fc.fujitsu.... at CORP.FC.LOCAL:
> > root at fc650dr:/usr/www/kerberos/bin # klist -e
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: HTTP/fc650dr.fc.fujitsu.... at CORP.FC.LOCAL
>
> > Valid starting     Expires            Service principal
> > 03/25/08 11:21:30  03/25/08 21:21:30  krbtgt/
> > CORP.FC.LO... at CORP.FC.LOCAL
> >         renew until 03/26/08 11:21:30, Etype (skey, tkt): DES cbc mode
> > with RSA-MD5, ArcFour with HMAC/md5
>
> > The kvno in the keytab looks like it matches the ticket being given by
> > AD:
> > root at fc650dr:/usr/www/kerberos/bin # klist -kt fc650drkeytabv4
> > Keytab name: FILE:fc650drkeytabv4
> > KVNO Timestamp         Principal
> > ---- -----------------
> > --------------------------------------------------------
> >    2 12/31/69 20:00:00 HTTP/fc650dr.fc.fujitsu.... at CORP.FC.LOCAL
>
> > root at fc650dr:/usr/www/kerberos/bin # kvno HTTP/fc650dr.fc.fujitsu.com
> > HTTP/fc650dr.fc.fujitsu.... at CORP.FC.LOCAL: kvno = 2
>
> > I tried creating a keytab on the Solaris machine using ktutil with
> > this command:
> > addent -password -p HTTP/fc650dr.fc.fujitsu.... at CORP.FC.LOCAL -k 2 -e
> > des-cbc-md5
>
> > but the result is the same as above when testing with this keytab
> > also.
>
> > Any idea what can be wrong here?  Any ideas much appreciated.
>
> > Thanks.
>
> > ________________________________________________
> > Kerberos mailing list           Kerbe... at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
> --
>
>   Douglas E. Engert  <DEEng... at anl.gov>
>   Argonne National Laboratory
>   9700 South Cass Avenue
>   Argonne, Illinois  60439
>   (630) 252-5444

That could be the case.

But what about the fact mentioned that I created a keytab using ktutil
addent as shown on the Solaris box, supplying the password, and I
still get the same result?  But when I kinit with this same password I
get the ticket?
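As an added diagnostic, not code from the thread or from MIT Kerberos, the Python below reads the keytab format that ktpass and ktutil write and performs the kvno/enctype comparison done above by hand with klist -kt and kvno. The sample keytab is constructed inline to match the entry shown (kvno 2, des-cbc-md5, timestamp 0, which klist prints as 12/31/69); its key bytes are a placeholder.

```python
import struct

NT_SRV_HST, DES_CBC_MD5 = 3, 3   # ktpass -ptype KRB5_NT_SRV_HST; RFC 3961 des-cbc-md5

def build_keytab(principal, realm, kvno, enctype, key, timestamp=0):
    """Encode one entry in MIT keytab v2 (0x0502) layout (constructed sample data)."""
    parts = [realm] + principal.split("/")
    body = struct.pack(">H", len(parts) - 1)          # component count excludes realm
    body += b"".join(struct.pack(">H", len(p)) + p.encode() for p in parts)
    body += struct.pack(">IIB", NT_SRV_HST, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return one dict per live entry: principal, kvno, enctype, timestamp, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 (0x0502) keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                       # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []                       # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, pos)
            strings.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _nt, ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13
        key = data[pos:pos + klen]
        pos += klen
        # a 32-bit kvno trails the key when the entry has 4 bytes left
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        pos = end
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "kvno": kvno, "enctype": etype, "timestamp": ts, "key": key})
    return entries

def check_entry(entry, kdc_kvno, kdc_enctype):
    """Mirror the thread's manual klist -kt / kvno comparison; [] means consistent."""
    problems = []
    if entry["kvno"] != kdc_kvno:
        problems.append("kvno %d in keytab, KDC reports %d" % (entry["kvno"], kdc_kvno))
    if entry["enctype"] != kdc_enctype:
        problems.append("enctype %d in keytab, KDC uses %d" % (entry["enctype"], kdc_enctype))
    return problems

# Constructed sample: kvno 2, timestamp 0, des-cbc-md5; the 8 key bytes are a placeholder.
SAMPLE = build_keytab("HTTP/fc650dr.fc.fujitsu.com", "CORP.FC.LOCAL", 2, DES_CBC_MD5, b"\x01" * 8)
```

A matching kvno and enctype does not prove the key bytes are right: ktutil addent -password derives the key with the MIT default salt (realm plus principal components), so a key the KDC derived from the same password with a different salt passes this check and still fails kinit -kt.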

