Acquiring a TGT for a host/ principal using Active Directory

Wilper, Ross A rwilper at stanford.edu
Wed Apr 8 12:00:56 EDT 2009


There is a bug in the Windows 2008 KDC that prevents any principal name with a "/" in it from authenticating from a non-Windows client.

KB Article Number(s): 951191

This is a public hotfix, but you may need to contact Microsoft to get the hotfix. The hotfix is included in SP2.

-Ross

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of manu
Sent: Wednesday, April 08, 2009 5:52 AM
To: kerberos at mit.edu
Subject: Re: Acquiring a TGT for a host/ principal using Active Directory

Hello,
You can try:
kinit -kt computerA.keytab COMPUTERA\$
For principals like host/..., cifs/..., HTTP/... created by default with 
every computer account, AD only allows TS.
If you want a TGT you need to use the "real" principal name: COMPUTERA\$.
I don't think the step with ktpass is required.
Hoping this will help,
Best regards,
Emmanuel

John Hefferman wrote:
> Dear All,
> 
> I'm not sure if this is the correct place to ask this question - it
> involves the MIT kinit program, but also Active Directory as the KDC
> (Server 2008).
> 
> The problem I am experiencing is that I can't seem to 'kinit -k' using
> an SPN of an instance type such as host/ when using an AD domain
> controller.
> 
> The procedure is as follows:
> - I create a new account in active directory, such as 'computerA'
> - I run ktpass (or msktutil) to associate a host/ principal name with
> this account (host/computerA.fqdn at REALM) and create a keytab
> - I securely transfer this keytab to the Linux computer (if msktutil was
> not used)
> - I run kinit -kt computerA.keytab host/computerA.fqdn at REALM 
> 
> Kinit returns: kinit(v5): Client not found in Kerberos database while
> getting initial credentials
> 
> Some additional information:
> 
>  - Ktpass args: -princ host/computerA.fqdn at REALM -mapuser computerA
> -pass +rndPass -out computerA.keytab
> 
>  - Name specified through -princ argument is definitely associated with
> computerA (checked in computerA's attribute list)
> 
>  - kvno works against host/computerA.fqdn at REALM
> 
>  - computerA.keytab contains key and principal name specified through
> -princ
> 
>  - when kinit -k host/computerA.fqdn at REALM is executed, Active Directory
> event viewer logs (on the Domain Controller) shows the 'Account Name'
> that is attempting to acquire the TGT as 'host', instead of
> host/.... at ... It appears to omit anything that comes after the forward
> slash.
> 
>  - I've tried ktpass with all encryption types - same result.
> 
>  - Same result with user or computer objects in AD.
> 
>  - Same result when both -ptype's are specified when running ktpass
> 
> Just wondering if anyone had had any experience with TGT acquisition and
> principal names containing forward slashes. No problem if this is the
> wrong place to ask. Maybe it's not even possible to do this with AD, but
> I doubt that's the case.
> 
> Thanks in advance for any help,
> 
> John
> 

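As an added example that is not part of the thread or of anyone's posted code: a Python script that parses an MIT-format keytab (the kind ktpass or msktutil writes), lists every principal and kvno it holds, and picks the account's own name (COMPUTERA$@REALM) as the kinit client, which is what Emmanuel's reply recommends instead of a host/... service name. The keytab bytes are constructed inline with dummy keys; the realm EXAMPLE.COM, the enctypes, the kvno and the name-type are assumptions, and the keytab layout follows the MIT v0x0502 file format.

```python
"""Inspect an MIT-format keytab and choose the kinit client principal for AD.
Added example, not code from the thread; the sample keytab below is constructed
with dummy keys, and realm, enctypes, kvno and name-type are assumptions."""
import struct
from dataclasses import dataclass

KEYTAB_VERSION = 0x0502  # MIT keytab v2: big-endian fields, int32 size per entry

@dataclass
class KeytabEntry:
    realm: str
    components: list
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes

    @property
    def principal(self) -> str:
        return "/".join(self.components) + "@" + self.realm

    @property
    def is_service_name(self) -> bool:
        # host/..., cifs/..., HTTP/... carry more than one component;
        # the account's own name (COMPUTERA$) carries exactly one.
        return len(self.components) > 1

def _counted(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data  # counted_octet_string

def _read_counted(data: bytes, pos: int):
    n, = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def build_keytab(entries) -> bytes:
    """Serialize entries in keytab format (used here only to build the sample)."""
    out = struct.pack(">H", KEYTAB_VERSION)
    for e in entries:
        body = struct.pack(">H", len(e.components)) + _counted(e.realm.encode())
        for c in e.components:
            body += _counted(c.encode())
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)  # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data: bytes) -> list:
    """Parse keytab bytes; a negative size marks a deleted slot, which is skipped."""
    version, = struct.unpack_from(">H", data, 0)
    if version != KEYTAB_VERSION:
        raise ValueError(f"unsupported keytab version 0x{version:04x}")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos -= size
            continue
        end = pos + size
        ncomp, = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, = struct.unpack_from(">H", data, pos + 9)
        key, pos = _read_counted(data, pos + 11)
        kvno = vno8
        if end - pos >= 4:  # 32-bit trailer present: it wins over the 8-bit field
            kvno = struct.unpack_from(">I", data, pos)[0] or vno8
        pos = end
        entries.append(KeytabEntry(realm.decode(), comps, name_type, timestamp, kvno, enctype, key))
    return entries

def client_principals(entries) -> list:
    """Names usable as the AS-REQ client on AD: the account name, not host/-style names."""
    return list(dict.fromkeys(e.principal for e in entries if not e.is_service_name))

def kinit_command(keytab_path: str, entries) -> list:
    """argv for the kinit Emmanuel suggests; refuse a keytab holding only service names."""
    clients = client_principals(entries)
    if not clients:
        raise LookupError("keytab has no account-name principal (e.g. COMPUTERA$@REALM)")
    return ["kinit", "-kt", keytab_path, clients[0]]

# Constructed sample with dummy keys (23 = rc4-hmac, 18 = aes256-cts-hmac-sha1-96);
# name-type 1 = NT-PRINCIPAL, timestamp and kvno picked arbitrarily.
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry("EXAMPLE.COM", ["host", "computerA.example.com"], 1, 1239200000, 2, 23, b"\x11" * 16),
    KeytabEntry("EXAMPLE.COM", ["HTTP", "computerA.example.com"], 1, 1239200000, 2, 23, b"\x11" * 16),
    KeytabEntry("EXAMPLE.COM", ["COMPUTERA$"], 1, 1239200000, 2, 18, b"\x22" * 32),
])

if __name__ == "__main__":
    parsed = parse_keytab(SAMPLE_KEYTAB)
    print("\n".join(f"{e.principal:42} kvno {e.kvno} enctype {e.enctype}" for e in parsed))
    print(" ".join(kinit_command("computerA.keytab", parsed)))
```

Pointed at a real keytab (`parse_keytab(open("computerA.keytab", "rb").read())`), the script shows whether the file holds only host/-style entries, in which case kinit against AD has nothing it can use as the client and the keytab needs an entry for the account name itself; the kvno column is also the quick check that the keytab still matches what `kvno` reports from the KDC.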
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos