Acquiring a TGT for a host/ principal using Active Directory

Nikhil Mishra ls.niks at gmail.com
Wed Apr 8 08:21:46 EDT 2009


In my experience there can be two reasons for it.

1. Windows server version (enterprise edition, SP version) and support
tools version are incompatible.
    This is the case most of the time. Ktpass corrupts the mapping on
service accounts if they are not the correct ones.
    Please use updated enterprise editions and support tools for SP2 and try
this again.

2. Windows Server 2008 does not support SPNs by default for TGT.
    There is a patch available though.


Thanks

Nikhil

On Wed, Apr 8, 2009 at 5:41 PM, John Hefferman <john.hefferman at cern.ch> wrote:

> Hi,
>
> Thanks very much for the reply, but using the KRB5_NT_PRINCIPAL
> principal type does not seem to have an effect.
>
> I still get the message 'kinit(v5): Client not found in Kerberos
> database while getting initial credentials' when running kinit -kt
> computerA.keytab host/computerA.fqdn at REALM.
>
> Thanks,
>
> John
>
> -----Original Message-----
> From: Srinivas Cheruku [mailto:srinivas.cheruku at gmail.com]
> Sent: 08 April 2009 12:20
> To: John Hefferman; kerberos at mit.edu
> Subject: RE: Acquiring a TGT for a host/ principal using Active
> Directory
>
> Use "-ptype KRB5_NT_PRINCIPAL" with ktpass along with other options.
>
> e.g.
> - Ktpass args: -princ host/computerA.fqdn at REALM -mapuser computerA
> -pass +rndPass -ptype KRB5_NT_PRINCIPAL -out computerA.keytab
>
>
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
> Behalf Of John Hefferman
> Sent: 08 April 2009 15:23
> To: kerberos at mit.edu
> Subject: Acquiring a TGT for a host/ principal using Active Directory
>
> Dear All,
>
> I'm not sure if this is the correct place to ask this question - it
> involves the MIT kinit program, but also Active Directory as the KDC
> (Server 2008).
>
> The problem I am experiencing, is that I can't seem to 'kinit -k' using
> an spn of an instance type such as host/ when using an AD domain
> controller.
>
> The procedure is as follows:
> - I create a new account in active directory, such as 'computerA'
> - I run ktpass (or msktutil) to associate a host/ principal name with
> this account (host/computerA.fqdn at REALM) and create a keytab
> - I securely transfer this keytab to the Linux computer (if msktutil was
> not used)
> - I run kinit -kt computerA.keytab host/computerA.fqdn at REALM
>
> Kinit returns: kinit(v5): Client not found in Kerberos database while
> getting initial credentials
>
> Some additional information:
>
>  - Ktpass args: -princ host/computerA.fqdn at REALM -mapuser computerA
> -pass +rndPass -out computerA.keytab
>
>  - Name specified through -princ argument is definitely associated with
> computerA (checked in computerA's attribute list)
>
>  - kvno works against host/computerA.fqdn at REALM
>
>  - computerA.keytab contains key and principal name specified through
> -princ
>
>  - when kinit -k host/computerA.fqdn at REALM is executed, Active Directory
> event viewer logs (on the Domain Controller) shows the 'Account Name'
> that is attempting to acquire the TGT as 'host', instead of
> host/.... at ... It appears to omit anything that comes after the forward
> slash.
>
>  - I've tried ktpass with all encryption types - same result.
>
>  - Same result with user or computer objects in AD.
>
>  - Same result when both -ptype's are specified when running ktpass
>
> Just wondering if anyone had had any experience with TGT acquisition and
> principal names containing forward slashes. No problem if this is the
> wrong place to ask. Maybe it's not even possible to do this with AD, but
> I doubt that's the case.
>
> Thanks in advance for any help,
>
> John
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
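One thing a Linux admin can verify locally before looking at the domain controller side of the procedure John describes is that the keytab really contains an entry whose principal matches, byte for byte, the name handed to kinit: MIT Kerberos compares principal names case-sensitively, so an entry stored under a differently cased name will not serve the request. The script below is an added example, not code from the thread or from MIT Kerberos; it parses the text that `klist -kte` prints (assumed column layout: KVNO, date, time, principal, enctype) and the listing it runs against is constructed for illustration. It only checks the keytab side; it cannot see how the account is mapped inside Active Directory.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that a keytab holds an entry
# whose principal matches, byte for byte, the name passed to kinit. MIT
# Kerberos treats principal names case-sensitively, so HOST/x@REALM does
# not satisfy a request for host/x@REALM. Works on the text `klist -kte`
# prints.

# Constructed sample listing in the layout klist -kte uses (assumption:
# columns are KVNO, date, time, principal, enctype). Not real output.
SAMPLE_LISTING='Keytab name: FILE:computerA.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 04/08/2009 12:20:00 host/computerA.fqdn@REALM (arcfour-hmac)
   3 04/08/2009 12:20:00 host/computerA.fqdn@REALM (des-cbc-md5)
   2 04/08/2009 12:19:00 HOST/computerB.fqdn@REALM (arcfour-hmac)'

# check_keytab_principal LISTING PRINCIPAL
#   Prints a one-line verdict and returns 0 if PRINCIPAL is present exactly,
#   2 if it is present only with different case, 1 if it is absent.
check_keytab_principal() {
    listing=$1
    want=$2
    # Exact match: the kvno(s) of entry lines whose 4th field equals $want.
    kvnos=$(printf '%s\n' "$listing" \
        | awk -v p="$want" '$1 ~ /^[0-9]+$/ && NF >= 4 && $4 == p { print $1 }' \
        | sort -u | tr '\n' ' ' | sed 's/ $//')
    if [ -n "$kvnos" ]; then
        echo "ok: $want present (kvno $kvnos)"
        return 0
    fi
    # Same name ignoring case only: a quiet way to end up with
    # "Client not found in Kerberos database".
    near=$(printf '%s\n' "$listing" \
        | awk -v p="$want" '$1 ~ /^[0-9]+$/ && NF >= 4 && tolower($4) == tolower(p) { print $4 }' \
        | sort -u | tr '\n' ' ' | sed 's/ $//')
    if [ -n "$near" ]; then
        echo "case mismatch: keytab has $near but kinit was given $want"
        return 2
    fi
    echo "missing: no entry for $want in keytab"
    return 1
}

# check_keytab_file KEYTAB PRINCIPAL: the same check against a keytab on
# disk, using the real MIT `klist -kte` if the client tools are installed.
check_keytab_file() {
    if ! command -v klist >/dev/null 2>&1; then
        echo "klist not found; install the MIT Kerberos client tools" >&2
        return 3
    fi
    check_keytab_principal "$(klist -kte "$1")" "$2"
}

# Stand-alone demonstration on the constructed listing.
check_keytab_principal "$SAMPLE_LISTING" "host/computerA.fqdn@REALM"
check_keytab_principal "$SAMPLE_LISTING" "host/computerB.fqdn@REALM" || true
```

Run `check_keytab_file computerA.keytab host/computerA.fqdn@REALM` on the machine that will call kinit; a return of 0 means the keytab side is consistent and the remaining suspect is the account mapping on the KDC, which is where the thread's discussion of ktpass options and the 'host' account name in the event log belongs.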
