confusion with service principal names in Active Directory

Markus Moeller huaraz@moeller.plus.com
Mon Mar 30 15:57:02 EDT 2009


"John Jasen" <jjasen@realityfailure.org> wrote in message 
news:49D0EE12.2070907@realityfailure.org...
>
> Please forgive me if this is not the right venue.
>
> I seem to have not found the magic required to use kerberos service
> principal names on unix systems against an Active Directory server.
>
> In the one particular example, we're trying to use kerberized NFS, so
> the server daemon needs to be able to find nfs/fqdn@REALM.
>
> I can see the entries in the computer accounts servicePrincipalName
> field, but the various UNIX systems can't find them -- either on service
> initialization, or attempting kinit from commandline with the system 
> keytab.
>
> i.e.:
>
> klist -ke /etc/krb5.keytab | grep host
>
> 2 host/kernelpanic.example.com@EXAMPLE.REALM (DES cbc mode with CRC-32)
>
> [root@kernelpanic ~]# kinit host/kernelpanic.example.com -kt /etc/krb5.keytab
> kinit(v5): Client not found in Kerberos database while getting initial
> credentials
>
> (same results if I do host/kernelpanic.example.com@EXAMPLE.REALM)
>
> This behavior holds true for OS X kerberos clients, Red Hat 4 and 5
> kerberos clients, and Solaris 10 kerberos clients. I can provide the
> versions if required.
>
> The AD server in question is Windows 2003 R2.
>
> The only way I've found around this is to set the userPrincipalName in
> AD to the service I really really need.
>
> i.e.: in the case above, userPrincipalName is set to
> nfs/kernelpanic.example.com@EXAMPLE.REALM. After doing that, I can kinit
> that service principal successfully, and the service dependent on it can
> also initialize correctly.
>
> From my testing, using ktpass.exe to write a keytab file seems to pretty
> much automatically set the userPrincipalName to the last entry created.
> Unfortunately, if you have a multi-role server, this creates
> difficulties. (i.e.: trying to use http/hostname and sql/hostname).
>
> Is there a way around this that I've missed? An option either on the
> client side or the server side that I've missed?
>

You might want to use a tool like msktutil from Dan Perry 
(http://dag.wieers.com/rpm/packages/msktutil/) to create your AD entry and 
keytab.

 1) kinit administrator@DOMAIN (or an account which has access to a newly 
    created OU (e.g. OU=UnixKerberos). You need to replace CN=COMPUTERS 
    below with OU=UnixKerberos.)
 2) msktutil -c -b "CN=COMPUTERS" -s host/<fqdn> -h <fqdn> -k /etc/krb5.keytab
    --computer-name <host>-host --upn host/<fqdn> --server <domain controller>
    --verbose
 3) msktutil -c -b "CN=COMPUTERS" -s nfs/<fqdn> -h <fqdn> -k /etc/krb5.keytab
    --computer-name <host>-nfs --upn nfs/<fqdn> --server <domain controller>
    --verbose


Regards
Markus

> -- 
> -- John E. Jasen (jjasen at realityfailure.org)
> -- No one will sorrow for me when I die, because those who would
> -- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
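
The procedure in the reply above, as an added example that is not part of the original thread (not Markus's or msktutil's own code). It wraps the msktutil steps in a function that works for any service name, not only host and nfs, and adds the two checks a practitioner would run next: that the keytab actually holds the expected principal, and that the keytab still carries single-DES entries like the "(DES cbc mode with CRC-32)" line in the question. The reason the one-account-per-SPN workaround is needed is that kinit sends an AS-REQ, and the AD KDC resolves the client name of an AS-REQ through userPrincipalName or sAMAccountName; servicePrincipalName is only consulted when the account is the target of a TGS-REQ. All concrete values (kernelpanic.example.com, EXAMPLE.REALM, dc1.example.com, OU=UnixKerberos) are hypothetical placeholders, and the klist listing at the bottom is constructed sample data so the checks run offline.

```shell
#!/bin/sh
# Added example, not from the original thread.  Wraps the msktutil steps
# from the reply and adds two keytab checks.  Every concrete value below
# (kernelpanic.example.com, EXAMPLE.REALM, dc1.example.com, OU=UnixKerberos)
# is a hypothetical placeholder; override via the environment.

FQDN="${FQDN:-kernelpanic.example.com}"
REALM="${REALM:-EXAMPLE.REALM}"
DC="${DC:-dc1.example.com}"
BASE="${BASE:-OU=UnixKerberos}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# Steps 2) and 3) of the reply, generalised to any service name: one AD
# computer object per SPN, with its UPN set to that same SPN.  kinit does an
# AS-REQ, and AD matches the AS-REQ client name against userPrincipalName
# or sAMAccountName, not servicePrincipalName; that is why a bare SPN gives
# "Client not found in Kerberos database" unless a UPN equals it.
provision_spn() {
    svc="$1"                      # host, nfs, http, ...
    short="${FQDN%%.*}"           # kernelpanic
    msktutil -c -b "$BASE" -s "$svc/$FQDN" -h "$FQDN" -k "$KEYTAB" \
        --computer-name "$short-$svc" --upn "$svc/$FQDN" \
        --server "$DC" --verbose
}

# Exit 0 when the `klist -ke` listing on stdin contains principal $1.
# In MIT's format field 1 is the KVNO, field 2 the principal, and the
# remainder the enctype in parentheses.
keytab_has_principal() {
    awk -v p="$1" '$2 == p { found = 1 } END { exit (found ? 0 : 1) }'
}

# Print how many single-DES entries a `klist -ke` listing on stdin has.
# The question's keytab shows "(DES cbc mode with CRC-32)"; single DES is
# broken and current KDCs and clients refuse it, so such entries should be
# re-cut with a stronger enctype (RC4-HMAC on a 2003 R2 DC; AES needs
# Windows Server 2008 or later).  "Triple DES" lines are not counted.
count_des_entries() {
    awk '/\(DES cbc mode/ { n++ } END { print n + 0 }'
}

# The step that failed in the question: obtain a TGT for the SPN itself
# from the keytab.  Succeeds only once a UPN in AD matches the SPN.
verify_spn() {
    svc="$1"
    kinit -kt "$KEYTAB" "$svc/$FQDN@$REALM" && kdestroy
}

# Constructed sample of `klist -ke` output for the offline checks.
SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/kernelpanic.example.com@EXAMPLE.REALM (DES cbc mode with CRC-32)
   2 host/kernelpanic.example.com@EXAMPLE.REALM (ArcFour with HMAC/md5)
   3 nfs/kernelpanic.example.com@EXAMPLE.REALM (ArcFour with HMAC/md5)'

# Real run: `sh thisscript.sh provision` after kinit-ing as an account that
# may create objects under $BASE (step 1 of the reply).
if [ "$1" = "provision" ]; then
    for svc in host nfs; do
        provision_spn "$svc"
        verify_spn "$svc"
    done
    klist -ke "$KEYTAB" | count_des_entries
fi
```

Against the constructed listing, `keytab_has_principal` finds the nfs principal but not an http one, and `count_des_entries` reports the single DES entry; on a real keytab the same two checks tell you whether msktutil wrote what you asked for and whether weak enctypes remain.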
