msktutil problem with Windows 2008

Markus Moeller huaraz at moeller.plus.com
Sat Aug 29 08:24:16 EDT 2009


Is it possible that Windows 2008 is mapping HTTP principals to host principals?

With two AD entries created by msktutil for host/fqdn and HTTP/fqdn my 
apache/squid module created an error  "Decrypt integrity check failed" and a 
kinit -kt /etc/HTTP.keytab HTTP/fqdn fails, whereas kinit -kt 
/etc/host.keytab host/fqdn works.

When I remove the AD entry which msktutil created for HTTP/fqdn and leave 
the AD entry for host/fqdn I still got an answer for kvno HTTP/fqdn.  Now I 
used ktutil to create an HTTP keytab

# ktutil
ktutil:  addent -key -p HTTP/centos.dom.local@DOM.LOCAL -k 2 -e aes256-cts-hmac-sha1-96
Key for HTTP/centos.dom.local@DOM.LOCAL (hex): 
3fab515ac867e26a6f388707f282824ee3b50310cbbb9b625273dfe21aed5c03
ktutil:  wkt  /etc/HTTP.keytab
ktutil:  quit

I can use the HTTP.keytab with kinit and I can also use it now for 
apache/squid.

It looks like when IE requests an HTTP/fqdn ticket, 2008 converts it into a 
request for host/fqdn and ignores entries with a serviceprincipal set to 
HTTP/fqdn.

Can anybody confirm that? Or what do I do wrong?

Thank you
Markus

"Markus Moeller" <huaraz at moeller.plus.com> wrote in message 
news:h7b5a5$tb0$1 at ger.gmane.org...
>I was too quick. I get it to work with host/fqdn (e.g. kinit -kt
> /etc/krb5.keytab host/centos.dom.local) but not with HTTP/fqdn.  I use
> AES-256 CTS mode with 96-bit SHA-1 HMAC.
>
> klist -ekt /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>   3 08/29/09 20:54:49 host/centos.dom.local@DOM.LOCAL (ArcFour with HMAC/md5)
>   3 08/29/09 20:54:49 host/centos.dom.local@DOM.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>   3 08/29/09 20:54:49 host/centos.dom.local@DOM.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>
> klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: host/centos.dom.local@DOM.LOCAL
>
> Valid starting     Expires            Service principal
> 08/29/09 21:48:32  08/30/09 07:47:42  krbtgt/DOM.LOCAL@DOM.LOCAL
>        renew until 08/30/09 21:48:32, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
>
>
>
> klist -ekt /etc/HTTP.keytab
> Keytab name: FILE:/opt/squid-3.0/etc/HTTP.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>   2 08/29/09 21:39:35 HTTP/centos.dom.local@DOM.LOCAL (ArcFour with HMAC/md5)
>   2 08/29/09 21:39:35 HTTP/centos.dom.local@DOM.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>   2 08/29/09 21:39:35 HTTP/centos.dom.local@DOM.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>
>
> kinit -kt /etc/HTTP.keytab HTTP/centos.dom.local
> kinit(v5): Preauthentication failed while getting initial credentials
>
> Markus
>
>
> "Markus Moeller" <huaraz at moeller.plus.com> wrote in message
> news:CF5A795E7B16440FA314ED54D5645C0B at VAIOLaptop...
>> Wolf-Agathon,
>>
>>   I did export the keytab, but I found out the Hotfix 951191 was not
>> installed on the 2008 DC.
>>
>> Markus
>>
>> ----- Original Message ----- 
>> From: "Wolf-Agathon Schaly" <schaly_wolf-agathon at arcor.de>
>> To: <huaraz at moeller.plus.com>; <kerberos at mit.edu>
>> Sent: Saturday, August 29, 2009 11:27 AM
>> Subject: **SPAM ZEN 91.53.127.108** Aw: msktutil problem with Windows 2008
>>
>>
>>> Howdy Markus
>>>
>>> Sounds to me that you're trying to use a keytab without exporting the key
>>> to your keytab file test.keytab
>>>
>>> am I right?
>>>
>>> cheers
>>>  Wolf-Agathon
>>>
>>>
>>> ----- Original Message ----
>>> From:    Markus Moeller <huaraz at moeller.plus.com>
>>> To:      kerberos at mit.edu
>>> Date:    29.08.2009 00:07
>>> Subject: msktutil problem with Windows 2008
>>>
>>>> I use the latest msktutil (0.3.16-7) and can add an entry to Windows 2008,
>>>> but when I run kinit -kt test.keytab HTTP/fqdn I get
>>>> KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. Is there a setting in 2008 which needs
>>>> to be changed?
>>>>
>>>> Thank you
>>>> Markus
>>>>
>>>>
>>>> ________________________________________________
>>>> Kerberos mailing list           Kerberos at mit.edu
>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>
>>>
>>
>>
>>
>
>
> 
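An added example, not code from the thread or from msktutil: a small parser for the MIT keytab file format plus a check of each entry's KVNO against the value the `kvno` command reports, which is the mismatch behind the "Decrypt integrity check failed" and preauthentication errors discussed above. The sample keytab bytes and the 32-byte key are constructed here and are not real material.

```python
import struct

def _cstr(buf, off):
    """Read a uint16-length-prefixed string at off; return (bytes, next offset)."""
    n = struct.unpack_from(">H", buf, off)[0]
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse an MIT v2 (0x0502) keytab into dicts: principal, kvno, enctype, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not an MIT v2 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        size = struct.unpack_from(">i", data, off)[0]
        off += 4
        if size < 0:                    # negative size marks a deleted entry (hole)
            off -= size
            continue
        end = off + size
        ncomp = struct.unpack_from(">H", data, off)[0]
        realm, off = _cstr(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _cstr(data, off)
            comps.append(c.decode())
        # name_type(4) timestamp(4) vno8(1) enctype(2) keylen(2), then the key bytes
        _ntype, _ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, off)
        key = data[off + 13:off + 13 + klen]
        kpos = off + 13 + klen
        # Newer keytabs append a 32-bit kvno after the key; zero means "use vno8"
        vno32 = struct.unpack_from(">I", data, kpos)[0] if end - kpos >= 4 else 0
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": vno32 or vno8, "enctype": etype, "key": key})
        off = end
    return entries

def kvno_mismatches(entries, principal, kdc_kvno):
    """Entries for principal whose kvno differs from what `kvno <principal>` reported."""
    return [e for e in entries
            if e["principal"] == principal and e["kvno"] != kdc_kvno]

# Constructed sample keytab mirroring the thread's HTTP entry: kvno 2, enctype 18
# (aes256-cts-hmac-sha1-96). The 32-byte key below is a dummy, not a real key.
def _pstr(s):
    return struct.pack(">H", len(s)) + s.encode()
_body = (struct.pack(">H", 2) + _pstr("DOM.LOCAL") + _pstr("HTTP")
         + _pstr("centos.dom.local") + struct.pack(">IIBHH", 1, 0, 2, 18, 32)
         + bytes(range(32)) + struct.pack(">I", 2))
SAMPLE_KEYTAB = b"\x05\x02" + struct.pack(">i", len(_body)) + _body
```

Run it against a real file with `parse_keytab(open("/etc/HTTP.keytab", "rb").read())` and pass the number printed by `kvno HTTP/fqdn` as `kdc_kvno`; any returned entry is a key the KDC no longer uses.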