Acquiring a TGT for a host/ principal using Active Directory
Wilper, Ross A
rwilper at stanford.edu
Wed Apr 8 12:00:56 EDT 2009
There is a bug in Windows 2008 KDC that prevents any principal name with a "/" in it from authenticating from a non-Windows client.
KB Article Number(s): 951191
This is a public hotfix, but you may need to contact Microsoft to get the hotfix. The hotfix is included in SP2.
-Ross
-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of manu
Sent: Wednesday, April 08, 2009 5:52 AM
To: kerberos at mit.edu
Subject: Re: Acquiring a TGT for a host/ principal using Active Directory
Hello,
You can try:
kinit -kt computerA.keytab COMPUTERA\$
For principals like host/..., cifs/..., HTTP/... created by default with
every computer account, AD only allows TS.
If you want a TGT you need to use the "real" principal name: COMPUTERA\$.
I don't think the step with ktpass is required.
Hoping this will help,
Best regards,
Emmanuel
John Hefferman wrote:
> Dear All,
>
> I'm not sure if this is the correct place to ask this question - it
> involves the MIT kinit program, but also Active Directory as the KDC
> (Server 2008).
>
> The problem I am experiencing, is that I can't seem to 'kinit -k' using
> an spn of an instance type such as host/ when using an AD domain
> controller.
>
> The procedure is as follows:
> - I create a new account in active directory, such as 'computerA'
> - I run ktpass (or msktutil) to associate a host/ principal name with
> this account (host/computerA.fqdn at REALM) and create a keytab
> - I securely transfer this keytab to the Linux computer (if msktutil was
> not used)
> - I run kinit -kt computerA.keytab host/computerA.fqdn at REALM
>
> Kinit returns: kinit(v5): Client not found in Kerberos database while
> getting initial credentials
>
> Some additional information:
>
> - Ktpass args: -princ host/computerA.fqdn at REALM -mapuser computerA
> -pass +rndPass -out computerA.keytab
>
> - Name specified through -princ argument is definitely associated with
> computerA (checked in computerA's attribute list)
>
> - kvno works against host/computerA.fqdn at REALM
>
> - computerA.keytab contains key and principal name specified through
> -princ
>
> - when kinit -k host/computerA.fqdn at REALM is executed, Active Directory
> event viewer logs (on the Domain Controller) shows the 'Account Name'
> that is attempting to acquire the TGT as 'host', instead of
> host/.... at ... It appears to omit anything that comes after the forward
> slash.
>
> - I've tried ktpass with all encryption types - same result.
>
> - Same result with user or computer objects in AD.
>
> - Same result when both -ptype's are specified when running ktpass
>
> Just wondering if anyone had had any experience with TGT acquisition and
> principal names containing forward slashes. No problem if this is the
> wrong place to ask. Maybe it's not even possible to do this with AD, but
> I doubt that's the case.
>
> Thanks in advance for any help,
>
> John
>
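Emmanuel's advice above, as an added shell example that is not from the thread: derive the account principal AD will actually issue a TGT for from the SPN that ktpass mapped, and build the matching kinit command. It assumes the SPN instance's short host name equals the AD account name (host/computerA.fqdn -> COMPUTERA$), which is the default msktutil/ktpass layout described in the thread.

```sh
#!/bin/sh
# Added example (not part of the thread). AD answers an AS-REQ for the
# account principal (COMPUTERA$@REALM), not for the SPN-form names
# (host/..., cifs/..., HTTP/...) that only work for TGS requests; on
# Windows 2008 before SP2 / KB951191 any name containing '/' fails.

# Print the AS-REQ client principal to use for a given SPN.
tgt_principal_for_spn() {
    spn="$1"
    realm="${spn##*@}"                  # text after the last '@'
    if [ "$realm" = "$spn" ]; then
        echo "no realm in '$spn'" >&2
        return 1
    fi
    princ="${spn%@*}"                   # text before the '@'
    case "$princ" in
        */*) ;;                          # service/instance form: map it below
        *)   echo "$spn"; return 0 ;;    # plain principal: already usable
    esac
    instance="${princ#*/}"              # drop the service part (host/, cifs/)
    shortname="${instance%%.*}"         # strip the DNS domain from the host
    # Assumption: machine account name = UPPERCASE short host name plus '$'
    upper=$(printf '%s' "$shortname" | tr '[:lower:]' '[:upper:]')
    printf '%s$@%s\n' "$upper" "$realm"
}

# Build the kinit line: the keytab from ktpass/msktutil plus the derived
# principal, single-quoted so the shell leaves the '$' alone.
kinit_command() {
    keytab="$1"
    spn="$2"
    p=$(tgt_principal_for_spn "$spn") || return 1
    printf "kinit -kt %s '%s'\n" "$keytab" "$p"
}
```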
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos