second keytab for similar service (but different SPN/IP) breaks the first
Douglas E. Engert
deengert at anl.gov
Wed Jun 3 13:58:41 EDT 2009
Chris wrote:
> This is perhaps a little higher-level problem than Kerberos proper but
> I wanted to at least see if I was taking the correct approach as far
> as Kerberos is concerned.
>
> I have a service - it's a kerberized java webservice with a very
> specific function, and it does GSSAPI validation of client login
> requests, where the clients have obtained tickets to my service. It's
> working fine with either Microsoft AD or Apple Open Directory (MIT
> Kerberos) - basically I create an account for the service, create an
> SPN in the form servicename/ip-address at REALM, and then generate a
> keytab for the SPN which gets configured for JAAS on the service host
> machine.
ip-address? or hostname? Kerberos normally uses hostnames.
>
> What I can't seem to do with this approach is to generate keytabs for
> two service instances in the same realm, e.g. if two different
> departments each want their own deployment of my service. With the
> keytab tools included in both Microsfot AD and Apple Open Directory
> (MIT), just generating an additional keytab for a different SPN (but
> the same directory service account) breaks the authentication of the
> first one.
Use two different directory service accounts, one for each instance.
Follow some pattern for the account name like foo-host.
There is only one password on the account and it is used to generate
the key for all SPNs on the account.
>
> In step-by-step terms:
> - my service is called "fooservice", I create and AD or OD account
> called "fooservice"
> - I add an SPN for fooservice using this name plus the IP address and
> realm, e.g. "fooservice/ip-addr-1 at REALM"
> - I generate a keytab for this SPN and add it to fooservice running on
> ip-addr-1; everything is working, clients can authenticate
> - I add another SPN for fooservice because I want to run another
> fooservice on a different machine, "fooservice/ip-addr-2 at REALM"
> - I generate a keytab for fooservice/ip-addr-2; fooservice/ip-addr-1
> stops working (can no longer establish its own credentials based on
> keytab, & therefore can't accept client contexts). It seems to be
> actually generating the keytab file - not just adding an additional
> SPN - that does this. However I can at this point use the new keytab
> for the fooservice running on ip-addr-2.
>
> So it seems that with both Active Directory's Kerberos and Open
> Directory's (MIT) Kerberos I cannot have two instances of "fooservice"
> kerberized on different IP addresses against distinct SPN's associated
> with the same service account... but there are numerous examples on
> the web of this being done e.g. with a single "http" account and
> multiple "http/ip-addr..." SPN's for multiple web servers on your
> network.
>
> Am I right in thinking what I'm trying should be possible, and if so
> is there some nuance of generating the keytab that I'm not following
> that causes the first keytab to stop working?
>
> Many thanks.
> - Chris
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list