Kerberos auth against AD, keytabs, and service principal names

kerberos at noopy.org
Mon Jul 20 15:44:05 EDT 2009


Thanks for your message!

On Mon, Jul 20, 2009 at 3:23 PM, Michael B Allen <ioplex at gmail.com> wrote:
> On Mon, Jul 20, 2009 at 2:23 PM, <kerberos at noopy.org> wrote:
>> I've been able to use ktpass.exe on the Windows (2003R2) side to
>> create working keytabs for my NFSv4 environment.  I'd like to have
[snip]
>
> Ktpass sets the password on an account and not an SPN. SPNs are linked
> to an account. Meaning, each time you run ktpass.exe it invalidates
> whatever keytab you generated with a previous invocation of ktpass.exe
> so that's why it doesn't work.

I'm pretty sure I didn't mention that passwords were related to the
SPN, so I apologize if I was misleading.

>
> Ktpass is a very simple program and cannot be used for what you are doing.

This much I am beginning to understand.  :-)

> You need to generate a single keytab with multiple entries - one for
> each SPN. You can do this by setting the password on the service
> account to a known value and then using ktutil to create a keytab with
> multiple entries with principals for each SPN but with the same key.

Let's say for the sake of argument that I've already done this.

Scenario #1:
  - I set a known password for the account.
  - I set 2 SPNs for the account (host/host.fqdn, nfs/host.fqdn).
  - I *didn't* set a UPN for the account.
  - I hashed a keytab w/host and nfs principals.
  ** kinit fails in both cases and yes, I know the key is correct.

Scenario #2:
  - I set a known password for the account.
  - I set 2 SPNs for the account (host/host.fqdn, nfs/host.fqdn).
  - I *set* a UPN for the account (host/host.fqdn at REALM).
  - I hashed a keytab w/host and nfs principals.
  ** kinit works for host but NOT for nfs.

In the scenarios above, I believe the UPN is what's consulted in AD,
and that this is done regardless of the contents of servicePrincipalName.
In fact, I believe servicePrincipalName is consulted exactly not at all.

That was really the gist of my original message.

> Note that if you have PHP running somewhere there is a product called
> Plexcel (one installation free for up to 25 users) that can generate
> keytabs with an entry for each SPN in AD. The exact function is
> described here:

I will definitely try this as I am curious to know what it's doing --
and what works -- versus what I'm doing and what's not working for me.

-- 
K