ktpass troubles
Vitaly Tskhovrebov
Vitaly.Tskhovrebov at exigenservices.com
Fri Dec 11 03:00:05 EST 2009
It works now. Dunno what was wrong.
I just came to work in the morning.
--
Vitaly.
-----Original Message-----
From: Douglas E. Engert [mailto:deengert at anl.gov]
Sent: Thursday, December 10, 2009 10:27 PM
To: Vitaly Tskhovrebov
Cc: kerberos at mit.edu
Subject: Re: ktpass troubles
Vitaly Tskhovrebov wrote:
> Hi.
>
> I'm trying to use krb authentication on a linux box with apache.
>
> I've done the following on W2K3 PDC:
>
> ktpass -princ host/web.company.ru@COMPANY.RU -pass qwerty -mapuser
> D\web_http -out host.keytab -ptype KRB5_NT_SRV_HST -kvno 1
>
> Successfully mapped host/web.company.ru@COMPANY.RU to web_http.
>
> WARNING: pType and account type do not match. This might cause problems.
>
> Key created.
>
> Output keytab to host.keytab:
>
> Keytab version: 0x502
>
> keysize 75 host/web.company.ru ptype 3 (KRB5_NT_SRV_HST) vno 1 etype 0x17 (RC4-HMAC) keylength 16 (0xeddf60686996d8ba2d81cfd15da42bd3)
>
> the same for
>
> ktpass -princ HTTP/web.company.ru@COMPANY.RU -pass qwerty -mapuser
> D\web_http -out http.keytab -kvno 1
>
You may have updated the msDS-keyVersionNumber in the DC.
Use ldap or some MS tool like ADSI-edit to look for this attribute
on the web_http account.
Also look at the userPrincipalName, ServicePrincipalName and
sAMAccountName attributes too.
>
> and then
>
> setspn.exe -A HTTP/web.company.ru web
Should this be web_http? Did it work?
You should also consider using two separate accounts and two separate
keytab files, one for host/... and one for HTTP/... Each would
then have its own key.
>
> after that I made several steps on a linux box making a keytab for apache, and
> trying to test:
>
> ktutil: read_kt host.keytab
>
> ktutil: read_kt http.keytab
>
> ktutil: list
>
> slot KVNO Principal
> ---- ---- ------------------------------------
>    1    1 host/web.company.ru@COMPANY.RU
>    2    1 HTTP/web.company.ru@COMPANY.RU
>
> ktutil: write_kt apache.keytab
>
> kinit -t apache.keytab -k HTTP/web.company.ru@COMPANY.RU
>
> # IT'S OK!
>
> kinit -t apache.keytab -k host/web.company.ru@COMPANY.RU
>
> kinit(v5): Client not found in Kerberos database while getting initial
> credentials
>
> Ethereal reported krb5kdc_err_s_principal_unknown.
>
> Where am I wrong?
>
> --
>
> Vitaly.
>
> ------------------------------------------------------------------------
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
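One way to carry out the checks Douglas suggests, as an added example that is not part of this thread or of MIT krb5: Python that builds the merged apache.keytab from the thread's two entries in the 0x502 file format ktpass printed, parses it back the way "ktutil: list" does, and compares each entry with a snapshot of the AD account attributes he named (userPrincipalName, servicePrincipalName, msDS-KeyVersionNumber). The AD snapshot is constructed: it assumes both ktpass runs hit the same web_http account (ktpass -mapuser sets that account's userPrincipalName to -princ, so the second run leaves HTTP/... as the UPN), that setspn registered only the HTTP SPN, and that the key version was bumped to 2; the HTTP key is a placeholder. On a real system the accounts dict would be filled from an LDAP query of the DC for those attributes.

```python
import struct

# MIT keytab format 0x0502 (the "Keytab version: 0x502" ktpass prints): big-endian ints, int32 length per entry.
KEYTAB_MAGIC = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1   # ktpass default ptype
KRB5_NT_SRV_HST = 3     # ktpass -ptype KRB5_NT_SRV_HST
ETYPE_RC4_HMAC = 0x17

def _counted(b):
    return struct.pack(">H", len(b)) + b          # counted_octet_string: uint16 length + bytes

def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def encode_entry(principal, name_type, kvno, enctype, key, timestamp=0):
    """Serialise one keytab entry; principal is 'comp1/comp2@REALM'."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)  # 8-bit vno
    body += struct.pack(">H", enctype) + _counted(key)              # keyblock
    body += struct.pack(">I", kvno)                                 # 32-bit vno
    return struct.pack(">i", len(body)) + body

def write_keytab(entries):
    """entries: iterable of (principal, name_type, kvno, enctype, key)."""
    return KEYTAB_MAGIC + b"".join(encode_entry(*e) for e in entries)

def parse_keytab(data):
    """Return the entries of a 0x502 keytab as dicts (what 'ktutil: list' shows)."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative length marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _read_counted(data, pos + 11)
        kvno = vno8
        if end - pos >= 4:           # optional 32-bit vno overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, pos)[0] or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "name_type": name_type,
                        "kvno": kvno, "enctype": enctype, "key": key})
        pos = end
    return entries

def check_keytab_against_ad(entries, accounts):
    """accounts: {sAMAccountName: {"userPrincipalName": str, "servicePrincipalName": [str],
    "msDS-KeyVersionNumber": int}}. Returns findings explaining why kinit -k or a service ticket fails."""
    findings = []
    for e in entries:
        princ, kvno = e["principal"], e["kvno"]
        spn = princ.split("@", 1)[0]
        # kinit -k <princ> needs an account whose UPN is that principal (ktpass -mapuser sets it to -princ).
        owners = [n for n, a in accounts.items() if a.get("userPrincipalName") == princ]
        if not owners:
            findings.append(f"{princ}: no account has this userPrincipalName (kinit -k reports 'Client not found')")
        # A service ticket needs the SPN registered on the account (setspn -A); exact match for simplicity.
        holders = [n for n, a in accounts.items() if spn in a.get("servicePrincipalName", [])]
        if not holders:
            findings.append(f"{spn}: SPN not registered on any account")
        # Each ktpass run can bump msDS-KeyVersionNumber; it must equal the keytab kvno.
        for n in sorted(set(owners + holders)):
            ad_kvno = accounts[n]["msDS-KeyVersionNumber"]
            if ad_kvno != kvno:
                findings.append(f"{princ}: keytab kvno {kvno} but {n} has msDS-KeyVersionNumber {ad_kvno}")
    return findings

# Constructed sample keytab: the two entries the thread merges with ktutil.
HOST_KEY = bytes.fromhex("eddf60686996d8ba2d81cfd15da42bd3")  # as printed by ktpass in the thread
HTTP_KEY = bytes(16)                                         # placeholder; not shown in the thread
SAMPLE_KEYTAB = write_keytab([
    ("host/web.company.ru@COMPANY.RU", KRB5_NT_SRV_HST, 1, ETYPE_RC4_HMAC, HOST_KEY),
    ("HTTP/web.company.ru@COMPANY.RU", KRB5_NT_PRINCIPAL, 1, ETYPE_RC4_HMAC, HTTP_KEY),
])

# Constructed (hypothetical) AD state: one account for both ktpass runs, HTTP SPN only, key version bumped.
SAMPLE_ACCOUNTS = {"web_http": {
    "userPrincipalName": "HTTP/web.company.ru@COMPANY.RU",
    "servicePrincipalName": ["HTTP/web.company.ru"],
    "msDS-KeyVersionNumber": 2,
}}

def diagnose(keytab=SAMPLE_KEYTAB, accounts=SAMPLE_ACCOUNTS):
    return check_keytab_against_ad(parse_keytab(keytab), accounts)
```

With the sample data, diagnose() reports that host/... matches no userPrincipalName (the "Client not found" symptom), that the host SPN is not registered, and that the HTTP entry's kvno 1 disagrees with the account's key version. Running ktpass once per account, as Douglas recommends, makes the first two findings go away by construction.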