ktpass troubles

Vitaly Tskhovrebov Vitaly.Tskhovrebov at exigenservices.com
Fri Dec 11 03:00:05 EST 2009


It works now. Dunno what was wrong.
I just came to work in the morning.

--
Vitaly.


-----Original Message-----
From: Douglas E. Engert [mailto:deengert at anl.gov] 
Sent: Thursday, December 10, 2009 10:27 PM
To: Vitaly Tskhovrebov
Cc: kerberos at mit.edu
Subject: Re: ktpass troubles



Vitaly Tskhovrebov wrote:
> Hi.
> 
> I'm trying to use krb authentication on a linux box with apache.
> 
> I've done the following on W2K3 PDC:
> 
> ktpass -princ host/web.company.ru@COMPANY.RU -pass qwerty -mapuser
> D\web_http -out host.keytab -ptype KRB5_NT_SRV_HST -kvno 1
> 
> Successfully mapped  host/web.company.ru@COMPANY.RU to  web_http.
> WARNING: pType and account type do not match. This might cause  problems.
> Key created.
> Output keytab to host.keytab:
> Keytab version: 0x502
> keysize 75  host/web.company.ru ptype 3 (KRB5_NT_SRV_HST) vno 1 etype 0x17 (RC4-HMAC) keylength 16 (0xeddf60686996d8ba2d81cfd15da42bd3)
> 
> the same for 
> 
> ktpass -princ HTTP/web.company.ru@COMPANY.RU -pass qwerty -mapuser
> D\web_http -out http.keytab -kvno 1
> 

You may have updated the msDS-keyVersionNumber in the DC.
Use ldap or some MS tool like ADSI-edit to look for this attribute
on the web_http account.
Also look at the userPrincipalName, ServicePrincipalName and
sAMAccountName attributes too.

> 
> and then
> 
> setspn.exe -A HTTP/web.company.ru web

Should this be web_http? Did it work?

You should also consider using two separate accounts and two separate
keytab files, one for host/... and one for HTTP/... Each would
then have its own key.


> 
> after that I made several steps on the linux box making a keytab for apache, and
> trying to test:
> 
> ktutil: read_kt host.keytab
> ktutil: read_kt http.keytab
> ktutil: list
> slot KVNO Principal
> ---- ---- ------------------------------------
>    1    1       host/web.company.ru@COMPANY.RU
>    2    1       HTTP/web.company.ru@COMPANY.RU
> ktutil: write_kt apache.keytab
> 
> kinit -t apache.keytab -k HTTP/web.company.ru@COMPANY.RU
> # IT'S OK!
> 
> kinit -t apache.keytab -k host/web.company.ru@COMPANY.RU
> kinit(v5): Client not found in Kerberos database while getting initial
> credentials
> 
> Ethereal reported krb5kdc_err_s_principal_unknown.
> 
> Where am I wrong?
> 
> --
> Vitaly.
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
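The thread turns on what a merged keytab really contains (principal names, KVNO, enctype) and whether the KVNO agrees with the mapped account's msDS-keyVersionNumber on the DC. The following is an added example, not code from the thread or from MIT Kerberos: it parses the 0x0502 keytab format that ktpass and ktutil write, lists the entries the way ktutil's list/klist -kte would, and flags entries whose KVNO disagrees with a DC-side value. The sample keytab bytes, the 16-byte RC4 key, the timestamps and the DC KVNO dictionary are all constructed for the demonstration. It goes a little beyond the thread by also handling deleted slots and 32-bit KVNOs, which real keytabs can contain.

```python
"""Parse and sanity-check an MIT Kerberos keytab (file format 0x0502).

Added example, not from the mailing-list thread. All sample data below is
constructed; the key bytes are made up and only their length matters.
"""
import struct
from dataclasses import dataclass

KRB5_NT_PRINCIPAL = 1   # default name type (HTTP/ entry in the thread)
KRB5_NT_SRV_HST = 3     # "ptype 3 (KRB5_NT_SRV_HST)" in the ktpass output
ETYPE_RC4_HMAC = 0x17   # "etype 0x17 (RC4-HMAC)" in the ktpass output


@dataclass
class KeytabEntry:
    principal: str      # "service/host@REALM"
    name_type: int
    kvno: int
    enctype: int
    key: bytes
    timestamp: int


def _counted_octets(data, pos):
    """Read a big-endian uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def parse_keytab(data: bytes):
    """Return the live entries of a 0x0502 keytab, in slot order."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                     # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted_octets(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted_octets(data, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:               # optional 32-bit kvno; nonzero overrides vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, kvno, enctype, key, timestamp))
    return entries


def build_keytab(entries):
    """Serialize entries in 0x0502 format (used here to construct sample input)."""
    out = b"\x05\x02"
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)   # 32-bit kvno, as MIT ktutil writes it
        out += struct.pack(">i", len(body)) + body
    return out


def kvno_mismatches(entries, dc_kvno):
    """Compare each entry's KVNO with the value read from the DC (e.g. the
    msDS-keyVersionNumber of the mapped account), given as principal -> kvno.
    Returns (principal, keytab_kvno, dc_kvno) for every disagreement."""
    return [(e.principal, e.kvno, dc_kvno[e.principal])
            for e in entries
            if e.principal in dc_kvno and dc_kvno[e.principal] != e.kvno]


# Constructed sample: the two entries the thread merges into apache.keytab.
SAMPLE_KEY = bytes(range(16))
SAMPLE_ENTRIES = [
    KeytabEntry("host/web.company.ru@COMPANY.RU", KRB5_NT_SRV_HST, 1,
                ETYPE_RC4_HMAC, SAMPLE_KEY, 1260500000),
    KeytabEntry("HTTP/web.company.ru@COMPANY.RU", KRB5_NT_PRINCIPAL, 1,
                ETYPE_RC4_HMAC, SAMPLE_KEY, 1260500000),
]

if __name__ == "__main__":
    entries = parse_keytab(build_keytab(SAMPLE_ENTRIES))
    for e in entries:
        print(f"{e.kvno:4d} {e.principal} (etype 0x{e.enctype:x}, ptype {e.name_type})")
    # Constructed DC view: ktpass was rerun for host/, so the DC now holds KVNO 2.
    print(kvno_mismatches(entries, {"host/web.company.ru@COMPANY.RU": 2,
                                    "HTTP/web.company.ru@COMPANY.RU": 1}))
```

In practice, feed parse_keytab the bytes of the merged apache.keytab and fill the DC dictionary from the mapped account's msDS-keyVersionNumber; a mismatch means the KDC will reject tickets for that principal even though ktutil lists it. A principal that parses fine but is still "unknown" to the KDC points at the account's SPN/UPN attributes rather than at the keytab.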