ktpass troubles

Douglas E. Engert deengert at anl.gov
Fri Dec 11 09:57:56 EST 2009 


Vitaly Tskhovrebov wrote:
> It's work now. Dunno, what was wrong.
> I just came to work on the morning.


AD takes its time replicating the entries, that could
be the issue. As you might be looking at different DCs
that have not been updated.  So when you are updating,
computer accounts and using ktpass you may have to wait a bit.

We don't use ktpass but msktutil instead:

http://download.systemimager.org/~finley/msktutil/

(If you use this, If the service name is not lowercase,
use the --computer-name option rather then letting it
derive the name.)


> 
> --
> Vitaly.
> 
> 
> -----Original Message-----
> From: Douglas E. Engert [mailto:deengert at anl.gov] 
> Sent: Thursday, December 10, 2009 10:27 PM
> To: Vitaly Tskhovrebov
> Cc: kerberos at mit.edu
> Subject: Re: ktpass troubles
> 
> 
> 
> Vitaly Tskhovrebov wrote:
>> Hi.
>>
>>  
>>
>> I'm trying to use krb authentication on linux box with apache.
>>
>>  
>>
>> I've done the following on W2K3 PDC:
>>
>>  
>>
>> ktpass -princ host/web.company.ru at COMPANY.RU -pass qwerty -mapuser
>> D\web_http -out host.keytab -ptype KRB5_NT_SRV_HST -kvno 1
>>
>> Successfully mapped  host/web.company.ru at COMPANY.RU to  web_http.
>>
>> WARNING: pType and account type do not match. This might cause  problems.
>>
>> Key created.
>>
>> Output keytab to host.keytab:
>>
>> Keytab version: 0x502
>>
>> keysize 75  host/web.company.ru ptype 3 (KRB5_NT_SRV_HST) vn
>>
>> o 1 etype 0x17 (RC4-HMAC) keylength 16
> (0xeddf60686996d8ba2d81cfd15da42bd3)
>>  
>>
>> the same for 
>>
>> ktpass -princ HTTP/web.company.ru at COMPANY.RU -pass qwerty -mapuser
>> D\web_http -out http.keytab -kvno 1
>>
>>  
> 
> You may have updated the msDS-keyVersionNumber in the DC.
> Use ldap or some MS tool like ADSI-edit to look for this attribute
> on the web_http account.
> Also look at the userPrincipalName, ServicePrincipalName and
> sAMAccountName attributes too.
> 
>> and then
>>
>> setspn.exe -A HTTP/web.company.ru web
> 
> Should this be web_http? Did it work?
> 
> You should also consider using two separate accounts and two separate
> keytab files, one for host/... and oner for HTTP/... Each would
> then have its own key.
> 
> 
>>  
>>
>> after that I made several steps on linux box making a keytab for apache,
> and
>> trying to test:
>>
>>  
>>
>> ktutil: read_kt host.keytab
>>
>> ktutil: read_kt http.keytab
>>
>> ktutil: list
>>
>> slot KVNO Principal
>>
>> ---- ---- ------------------------------------
>>
>>    1    1       host/web.company.ru at COMPANY.RU
>>
>>    2    1       HTTP/web.company.ru at COMPANY.RU
>>
>> ktutil: write_kt apache.keytab
>>
>>  
>>
>>  
>>
>> kinit -t apache.keytab -k HTTP/web.company.ru at COMPANY.RU
>>
>> # IT'S OK!
>>
>>  
>>
>> kinit -t apache.keytab -k host/web.company.ru at COMPANY.RU
>>
>> kinit(v5): Client not found in Kerberos database while getting initial
>> credentials
>>
>>  
>>
>> Ethereal told that krb5kdc_err_s_principal_unknown.
>>
>>  
>>
>> Where I'm wrong?
>>
>>  
>>
>> --
>>
>> Vitaly.
>>
>>  
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list