ktpass troubles
Douglas E. Engert
deengert at anl.gov
Fri Dec 11 09:57:56 EST 2009
Vitaly Tskhovrebov wrote:
> It's work now. Dunno, what was wrong.
> I just came to work on the morning.
AD takes its time replicating the entries, that could
be the issue. As you might be looking at different DCs
that have not been updated. So when you are updating,
computer accounts and using ktpass you may have to wait a bit.
We don't use ktpass but msktutil instead:
http://download.systemimager.org/~finley/msktutil/
(If you use this, If the service name is not lowercase,
use the --computer-name option rather then letting it
derive the name.)
>
> --
> Vitaly.
>
>
> -----Original Message-----
> From: Douglas E. Engert [mailto:deengert at anl.gov]
> Sent: Thursday, December 10, 2009 10:27 PM
> To: Vitaly Tskhovrebov
> Cc: kerberos at mit.edu
> Subject: Re: ktpass troubles
>
>
>
> Vitaly Tskhovrebov wrote:
>> Hi.
>>
>>
>>
>> I'm trying to use krb authentication on linux box with apache.
>>
>>
>>
>> I've done the following on W2K3 PDC:
>>
>>
>>
>> ktpass -princ host/web.company.ru at COMPANY.RU -pass qwerty -mapuser
>> D\web_http -out host.keytab -ptype KRB5_NT_SRV_HST -kvno 1
>>
>> Successfully mapped host/web.company.ru at COMPANY.RU to web_http.
>>
>> WARNING: pType and account type do not match. This might cause problems.
>>
>> Key created.
>>
>> Output keytab to host.keytab:
>>
>> Keytab version: 0x502
>>
>> keysize 75 host/web.company.ru ptype 3 (KRB5_NT_SRV_HST) vn
>>
>> o 1 etype 0x17 (RC4-HMAC) keylength 16
> (0xeddf60686996d8ba2d81cfd15da42bd3)
>>
>>
>> the same for
>>
>> ktpass -princ HTTP/web.company.ru at COMPANY.RU -pass qwerty -mapuser
>> D\web_http -out http.keytab -kvno 1
>>
>>
>
> You may have updated the msDS-keyVersionNumber in the DC.
> Use ldap or some MS tool like ADSI-edit to look for this attribute
> on the web_http account.
> Also look at the userPrincipalName, ServicePrincipalName and
> sAMAccountName attributes too.
>
>> and then
>>
>> setspn.exe -A HTTP/web.company.ru web
>
> Should this be web_http? Did it work?
>
> You should also consider using two separate accounts and two separate
> keytab files, one for host/... and oner for HTTP/... Each would
> then have its own key.
>
>
>>
>>
>> after that I made several steps on linux box making a keytab for apache,
> and
>> trying to test:
>>
>>
>>
>> ktutil: read_kt host.keytab
>>
>> ktutil: read_kt http.keytab
>>
>> ktutil: list
>>
>> slot KVNO Principal
>>
>> ---- ---- ------------------------------------
>>
>> 1 1 host/web.company.ru at COMPANY.RU
>>
>> 2 1 HTTP/web.company.ru at COMPANY.RU
>>
>> ktutil: write_kt apache.keytab
>>
>>
>>
>>
>>
>> kinit -t apache.keytab -k HTTP/web.company.ru at COMPANY.RU
>>
>> # IT'S OK!
>>
>>
>>
>> kinit -t apache.keytab -k host/web.company.ru at COMPANY.RU
>>
>> kinit(v5): Client not found in Kerberos database while getting initial
>> credentials
>>
>>
>>
>> Ethereal told that krb5kdc_err_s_principal_unknown.
>>
>>
>>
>> Where I'm wrong?
>>
>>
>>
>> --
>>
>> Vitaly.
>>
>>
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> ________________________________________________
>> Kerberos mailing list Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list