Aqcuiring a TGT for a host/ principal using Active Directory

Srinivas Cheruku srinivas.cheruku at gmail.com
Wed Apr 8 06:19:30 EDT 2009


Use "-ptype KRB5_NT_PRINCIPAL" with ktpass along with other options.

e.g. 
- Ktpass args: -princ host/computerA.fqdn at REALM -mapuser computerA
-pass +rndPass "-ptype KRB5_NT_PRINCIPAL  -out computerA.keytab


-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf
Of John Hefferman
Sent: 08 April 2009 15:23
To: kerberos at mit.edu
Subject: Aqcuiring a TGT for a host/ principal using Active Directory

Dear All,

I'm not sure if this is the correct place to ask this question - it
involves the MIT kinit program, but also Active Directory as the KDC
(Server 2008).

The problem I am experiencing, is that I can't seem to 'kinit -k' using
an spn of an instance type such as host/ when using an AD domain
controller. 

The procedure is as follows:
- I create a new account in active directory, such as 'computerA'
- I run ktpass (or msktutil) to associate a host/ principal name with
this account (host/computerA.fqdn at REALM) and create a keytab
- I securely transfer this keytab to the Linux computer (if msktutil was
not used)
- I run kinit -kt computerA.keytab host/computerA.fqdn at REALM 

Kinit returns: kinit(v5): Client not found in Kerberos database while
getting initial credentials

Some additional information:

 - Ktpass args: -princ host/computerA.fqdn at REALM -mapuser computerA
-pass +rndPass -out computerA.keytab

 - Name specified through -princ argument is definitely associated with
computerA (checked in computerA's attribute list

 - kvno works against host/computerA.fqdn at REALM

 - computerA.keytab contains key and principal name specified through
-princ

 - when kinit -k host/computerA.fqdn at REALM is executed, Active Directory
event viewer logs (on the Domain Controller) shows the 'Account Name'
that is attempting to acquire the TGT as 'host', instead of
host/.... at ... It appears to omit anything that comes after the forward
slash.

 - I've tried ktpass with all encryption types - same result.

 - Same result with user or computer objects in AD.

 - Same result when both -ptype's are specified when running ktpass

Just wondering if anyone had had any experience with TGT acquisition and
principal names containing forward slashes. No problem if this is the
wrong place to ask. Maybe it's not even possible to do this with AD, but
I doubt that's the case.

Thanks in advance for any help,

John








________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos




More information about the Kerberos mailing list