ktpass troubles

Vitaly Tskhovrebov Vitaly.Tskhovrebov at exigenservices.com
Thu Dec 10 09:46:28 EST 2009


Hi.

I'm trying to use krb authentication on a Linux box with Apache.

I've done the following on the W2K3 PDC:

ktpass -princ host/web.company.ru@COMPANY.RU -pass qwerty -mapuser D\web_http -out host.keytab -ptype KRB5_NT_SRV_HST -kvno 1

Successfully mapped  host/web.company.ru@COMPANY.RU to  web_http.
WARNING: pType and account type do not match. This might cause  problems.
Key created.
Output keytab to host.keytab:
Keytab version: 0x502
keysize 75  host/web.company.ru ptype 3 (KRB5_NT_SRV_HST) vno 1 etype 0x17 (RC4-HMAC) keylength 16 (0xeddf60686996d8ba2d81cfd15da42bd3)

The same for

ktpass -princ HTTP/web.company.ru@COMPANY.RU -pass qwerty -mapuser D\web_http -out http.keytab -kvno 1

and then

setspn.exe -A HTTP/web.company.ru web

After that I made several steps on the Linux box, making a keytab for Apache, and trying to test:

ktutil: read_kt host.keytab
ktutil: read_kt http.keytab
ktutil: list
slot KVNO Principal
---- ---- ------------------------------------
   1    1       host/web.company.ru@COMPANY.RU
   2    1       HTTP/web.company.ru@COMPANY.RU
ktutil: write_kt apache.keytab

kinit -t apache.keytab -k HTTP/web.company.ru@COMPANY.RU
# IT'S OK!

kinit -t apache.keytab -k host/web.company.ru@COMPANY.RU
kinit(v5): Client not found in Kerberos database while getting initial credentials

Ethereal reported krb5kdc_err_s_principal_unknown.

Where am I wrong?

--

Vitaly.
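
Added example, not part of the original message: a small Python reader for the version 0x502 keytab format that ktpass reports above, useful for checking which principals, key version numbers and encryption types a merged keytab actually contains. The function names and the all-zero sample keys are assumptions made for this illustration.

```python
import struct

DEPRECATED = {1, 2, 3, 0x17}  # DES and RC4-HMAC etypes (RFC 6649, RFC 8429)

def _counted(data, p):  # 16-bit length-prefixed string -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """Return one dict per live entry of a version 0x502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        p, parts = pos + 2, []
        for _ in range(ncomp + 1):         # realm first, then the name components
            part, p = _counted(data, p)
            parts.append(part.decode())
        name_type, _ts, kvno, etype = struct.unpack_from(">IIBH", data, p)
        _key, p = _counted(data, p + 11)   # key bytes are skipped, never reported
        if end - p >= 4:                   # optional 32-bit kvno, used when nonzero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0], "kvno": kvno,
                        "name_type": name_type, "etype": etype, "deprecated": etype in DEPRECATED})
        pos = end
    return entries

def merge_keytabs(*blobs):  # what ktutil read_kt (twice) + write_kt produces
    return b"\x05\x02" + b"".join(b[2:] for b in blobs)

def build_keytab(principal, name_type, kvno, etype, key):
    """Encode a single-entry keytab; used only to construct the sample input."""
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    name, realm = principal.split("@")
    body = struct.pack(">H", name.count("/") + 1) + b"".join(map(cs, [realm] + name.split("/")))
    body += struct.pack(">IIBHH", name_type, 0, kvno, etype, len(key)) + key
    return b"\x05\x02" + struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

HOST = build_keytab("host/web.company.ru@COMPANY.RU", 3, 1, 0x17, bytes(16))  # constructed sample
HTTP = build_keytab("HTTP/web.company.ru@COMPANY.RU", 1, 1, 0x17, bytes(16))  # constructed sample
ENTRIES = parse_keytab(merge_keytabs(HOST, HTTP))
print(*ENTRIES, sep="\n")
```

Both sample entries are flagged as deprecated because they carry etype 0x17 (RC4-HMAC), the type shown in the ktpass output.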
