Kerberos auth against AD, keytabs, and service principal names

Wolfgang kiwuff at googlemail.com
Tue Aug 11 10:21:18 EDT 2009


On 20 Jul., 22:46, kerbe... at noopy.org wrote:
> On Mon, Jul 20, 2009 at 4:28 PM, John Jasen<jja... at realityfailure.org> wrote:
> > kerbe... at noopy.org wrote:
>
> >> So this means servicePrincipalName is effectively useless in AD for
> >> non-Windows systems, right -- in particular when you have X number of
> >> principals in a keytab but only the one that matches the UPN will
> >> work?
>
> > No. I asked questions along the same vein a while back. :
>
> > Apparently you should be doing a kinit -S
> > serviceprinciplename/hostname.fqdn (ie: nfs/foo.noopy.org), to get a
> > service ticket for the appropriate service.
>
> Ah ha!  So this is the magic test I'd been misunderstanding.
>
> So now I can do the following and everything works in the way I'd hope:
>
>   kinit -k -t /some/keytab princ/host.fqdn at REALM
>   kinit -S otherprinc/host.fqdn at REALM myprinc at REALM
>
> Thanks everyone!
>
> (And yes, I agree that ktpass.exe isn't the right tool for this job.
> msktutil would seem to work nicely in an environment where one has
> admin access to AD.)
>
> --
> Nathan Patwardhan
> "There should be a dating service for unusual-in-a-good-way people."
> ~~ Anne Kadet  -http://www.noopy.org/quotes/q.cgi?tag=annedating

There is another way to create the keytabs, which I prefer:
Using ktutil (on linux):
ktutil
ktutil:  addent -password -p HTTP/host.fqdn at MY.REALM -k <key_version_number> -e arcfour-hmac-md5
Password for HTTP/host.fqdn at MY.REALM:
ktutil:  addent -password -p HTTP/host.fqdn at MY.REALM -k <key_version_number> -e des-cbc-md5
Password for HTTP/host.fqdn at MY.REALM:
ktutil:  wkt host.fqdn.keytab
ktutil:  quit

klist -k -t host.fqdn.keytab shows the following:

Keytab name: FILE:host.fqdn.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 08/11/09 16:14:57 HTTP/host.fqdn at MY.REALM
   2 08/11/09 16:14:57 HTTP/host.fqdn at MY.REALM

Of course, you have to set the ServicePrincipalName and
UserPrincipalName, too. I use adsiedit.msc for this, there you can
also get the right key version number for this Principal.
This way, you don't need to copy files around, don't have to worry
about the key version numbers, and you can put more Principals in one
keytab.
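As an added example, not code from this thread or from MIT Kerberos: a small Python reader and writer for the MIT keytab file format (version 0x0502; the layout used here is the documented MIT format, stated from knowledge rather than from the thread). It reproduces the kind of listing klist -k -t prints above directly from the raw file and flags entries whose KVNO does not match the key version number read from the account in AD (the msDS-KeyVersionNumber attribute that adsiedit shows). The sample entries mirror the two HTTP/host.fqdn@MY.REALM entries from the post; the key bytes are constructed zero placeholders, not real keys, and the enctype number table is the standard assignment.

```python
import calendar
import struct
import time
from dataclasses import dataclass

# Standard Kerberos enctype numbers (RFC 3961 / RFC 4757 assignments).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}


@dataclass
class KeytabEntry:
    principal: str   # e.g. "HTTP/host.fqdn@MY.REALM"
    kvno: int
    enctype: int
    timestamp: int   # seconds since the epoch (UTC)
    key: bytes


def _counted(b: bytes) -> bytes:
    """Keytab counted octet string: 16-bit big-endian length, then bytes."""
    return struct.pack(">H", len(b)) + b


def write_keytab(entries):
    """Serialize entries in MIT keytab format 0x0502 (with the 32-bit kvno extension)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">II", 1, e.timestamp)      # name_type NT-PRINCIPAL, timestamp
        body += struct.pack(">B", e.kvno & 0xFF)         # legacy 8-bit vno
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)                # full 32-bit vno
        out += struct.pack(">i", len(body)) + body       # entry length prefix
    return bytes(out)


def read_keytab(data: bytes):
    """Parse a 0x0502 keytab; negative entry sizes are deleted slots and are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size

        def take():
            nonlocal pos
            (n,) = struct.unpack_from(">H", data, pos)
            pos += 2
            s = data[pos:pos + n]
            pos += n
            return s.decode()

        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = take()
        comps = [take() for _ in range(ncomp)]
        _name_type, ts = struct.unpack_from(">II", data, pos)
        pos += 8
        kvno = data[pos]
        pos += 1
        etype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = bytes(data[pos:pos + klen])
        pos += klen
        if end - pos >= 4:                               # 32-bit vno present; 0 means "use vno8"
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, etype, ts, key))
    return entries


def format_klist(entries):
    """Render entries like 'klist -k -t -e' (timestamps in UTC for determinism)."""
    lines = ["KVNO Timestamp         Principal"]
    for e in entries:
        t = time.strftime("%m/%d/%y %H:%M:%S", time.gmtime(e.timestamp))
        lines.append(f"{e.kvno:4d} {t} {e.principal} ({ENCTYPE_NAMES.get(e.enctype, e.enctype)})")
    return "\n".join(lines)


def kvno_mismatches(entries, ad_kvno):
    """Principals whose keytab KVNO differs from the AD msDS-KeyVersionNumber supplied."""
    return sorted({e.principal for e in entries if e.kvno != ad_kvno.get(e.principal)})


# Constructed sample mirroring the post: two enctypes, same principal, kvno 2, dummy keys.
SAMPLE_TS = calendar.timegm((2009, 8, 11, 16, 14, 57, 0, 0, 0))
SAMPLE_ENTRIES = [
    KeytabEntry("HTTP/host.fqdn@MY.REALM", 2, 23, SAMPLE_TS, bytes(16)),
    KeytabEntry("HTTP/host.fqdn@MY.REALM", 2, 3, SAMPLE_TS, bytes(8)),
]

if __name__ == "__main__":
    blob = write_keytab(SAMPLE_ENTRIES)
    print(format_klist(read_keytab(blob)))
    print("kvno mismatches vs AD:", kvno_mismatches(read_keytab(blob), {"HTTP/host.fqdn@MY.REALM": 3}))
```

A KVNO that the keytab and AD disagree on is the usual reason a keytab that looks fine in klist still fails at kinit -k, so the mismatch check is the one worth scripting when keytabs are regenerated after a password reset.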
