ktpass troubles
Vitaly Tskhovrebov
Vitaly.Tskhovrebov at exigenservices.com
Thu Dec 10 09:46:28 EST 2009
Hi.
I'm trying to use krb authentication on a Linux box with Apache.
I've done the following on the W2K3 PDC:
ktpass -princ host/web.company.ru@COMPANY.RU -pass qwerty -mapuser D\web_http -out host.keytab -ptype KRB5_NT_SRV_HST -kvno 1
Successfully mapped host/web.company.ru@COMPANY.RU to web_http.
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to host.keytab:
Keytab version: 0x502
keysize 75 host/web.company.ru ptype 3 (KRB5_NT_SRV_HST) vno 1 etype 0x17 (RC4-HMAC) keylength 16 (0xeddf60686996d8ba2d81cfd15da42bd3)
the same for
ktpass -princ HTTP/web.company.ru@COMPANY.RU -pass qwerty -mapuser D\web_http -out http.keytab -kvno 1
and then
setspn.exe -A HTTP/web.company.ru web
After that I took several steps on the Linux box to make a keytab for Apache, and tried to test it:
ktutil: read_kt host.keytab
ktutil: read_kt http.keytab
ktutil: list
slot KVNO Principal
---- ---- ------------------------------------
   1    1 host/web.company.ru@COMPANY.RU
   2    1 HTTP/web.company.ru@COMPANY.RU
ktutil: write_kt apache.keytab
kinit -t apache.keytab -k HTTP/web.company.ru@COMPANY.RU
# IT'S OK!
kinit -t apache.keytab -k host/web.company.ru@COMPANY.RU
kinit(v5): Client not found in Kerberos database while getting initial credentials
Ethereal showed krb5kdc_err_s_principal_unknown.
Where am I wrong?
--
Vitaly.