Aqcuiring a TGT for a host/ principal using Active Directory
John Hefferman
john.hefferman at cern.ch
Wed Apr 8 05:52:45 EDT 2009
Dear All,
I'm not sure if this is the correct place to ask this question - it
involves the MIT kinit program, but also Active Directory as the KDC
(Server 2008).
The problem I am experiencing, is that I can't seem to 'kinit -k' using
an spn of an instance type such as host/ when using an AD domain
controller.
The procedure is as follows:
- I create a new account in active directory, such as 'computerA'
- I run ktpass (or msktutil) to associate a host/ principal name with
this account (host/computerA.fqdn at REALM) and create a keytab
- I securely transfer this keytab to the Linux computer (if msktutil was
not used)
- I run kinit -kt computerA.keytab host/computerA.fqdn at REALM
Kinit returns: kinit(v5): Client not found in Kerberos database while
getting initial credentials
Some additional information:
- Ktpass args: -princ host/computerA.fqdn at REALM -mapuser computerA
-pass +rndPass -out computerA.keytab
- Name specified through -princ argument is definitely associated with
computerA (checked in computerA's attribute list
- kvno works against host/computerA.fqdn at REALM
- computerA.keytab contains key and principal name specified through
-princ
- when kinit -k host/computerA.fqdn at REALM is executed, Active Directory
event viewer logs (on the Domain Controller) shows the 'Account Name'
that is attempting to acquire the TGT as 'host', instead of
host/.... at ... It appears to omit anything that comes after the forward
slash.
- I've tried ktpass with all encryption types - same result.
- Same result with user or computer objects in AD.
- Same result when both -ptype's are specified when running ktpass
Just wondering if anyone had had any experience with TGT acquisition and
principal names containing forward slashes. No problem if this is the
wrong place to ask. Maybe it's not even possible to do this with AD, but
I doubt that's the case.
Thanks in advance for any help,
John
More information about the Kerberos
mailing list