kerberos tickets and the SPNs

ravi channavajhala ravi.channavajhala at dciera.com
Wed May 6 14:39:40 EDT 2009


I'm setting up a Solaris 10 server as a test Samba server with AD
authentication. I'm running into a bit of an issue with Kerberos
tickets. The setup is as follows:

Solaris 10, Windows AD 2003/R2, native Solaris (SPARC) Samba, Kerberos, LDAP
(shipped with the distro) and IMU on Windows. My LDAP client is working
well: getent passwd <user> validates, and I can run ldaplist -l passwd
<user> and ldapsearch with no issues. My LDAP authentication is set to simple,
with a proxy DN user.

On Solaris I'm very sure I set up krb5.conf, smb.conf, pam.conf,
nsswitch.conf and ntp.conf perfectly. nsswitch.conf is set to use 'files ldap'
for both passwd and group, and 'dns files' for hosts. On Windows, the IMU UNIX
attributes are set to the correct NIS domain.

I ran net ads join to successfully join the Solaris server to the AD;
however, net ads keytab create simply returns a new line without any errors.
When I checked on Windows after the net ads join command, I see two service
principal names (SPNs). The capitalization is intentional, as this is how they
appear when I run setspn hostname:

HOST/HOSTNAME
HOST/hostname.domain.com (FQDN)

I also set up a service account (user object) on Windows whose name is the
same as the hostname (computer object). I generated the keytab file with

ktpass -princ host/fqdn@REALM -mapuser DOMAIN\SERVICEACCT$ -pass password
-crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab

I then FTPed this file over to the Solaris host and tried to authenticate a
user login via AD. I get:

PAM-KRB5 (auth): krb5_verify_init_creds failed: Server not found in Kerberos
database

So, just for the heck of it, I generated another krb5.keytab with the
following:

ktpass -princ HOST/fqdn@REALM -mapuser DOMAIN\SERVICEACCT$ -pass password
-crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab

Please note the HOST in capitals. Now I get this error testing with this
keytab:

PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found

Running PAM in debug mode didn't reveal anything specific other than the
obvious.

I have my DNS set up correctly, and nslookup for the DCs, GCs and LDAP servers
returns properly. I can forcibly add the SPNs host/hostname.domain.com
and host/hostname and try different combinations, but first I need to
understand this behavior. Anyone???
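The two errors in the post hinge on which principal name ends up in the keytab versus which one the client asks for: keytab lookups compare the full principal string case-sensitively, so host/fqdn@REALM and HOST/fqdn@REALM are distinct entries. The following POSIX shell script is an added example, not part of the original post or of any Solaris, Samba or Windows tool. It parses klist -k style output and reports, for a given principal, whether the keytab holds an exact entry, an entry that differs only in letter case, or nothing at all. The host name solaris1.example.com, the realm EXAMPLE.COM and the keytab listing itself are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): check a keytab listing for the
# exact principal name a Kerberos client will request.  Keytab lookups compare
# the whole principal string byte for byte, so HOST/fqdn@REALM and
# host/fqdn@REALM are different entries.
#
# Assumptions: host solaris1.example.com, realm EXAMPLE.COM, keytab at
# /etc/krb5/krb5.keytab (the Solaris default), and the listing below, which is
# constructed to look like `klist -k` output rather than captured from a system.

SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HOST/solaris1.example.com@EXAMPLE.COM
   3 HOST/solaris1@EXAMPLE.COM'

# keytab_kvno LISTING PRINCIPAL
# Prints the KVNO of the entry whose principal equals PRINCIPAL exactly
# (case-sensitive), or nothing when there is no such entry.  Only lines whose
# first field is numeric are treated as entries, so the header lines are skipped.
keytab_kvno() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[0-9]+$/ && $2 == want { print $1 }'
}

# keytab_has_principal LISTING PRINCIPAL
# Succeeds (exit 0) only if the exact principal is present.
keytab_has_principal() {
    [ -n "$(keytab_kvno "$1" "$2")" ]
}

# keytab_case_variants LISTING PRINCIPAL
# Prints entries that differ from PRINCIPAL only in letter case, which is the
# usual reason a lookup for host/... fails against a keytab written as HOST/...
keytab_case_variants() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[0-9]+$/ && $2 != want && tolower($2) == tolower(want) { print $2 }'
}

# check_service_principal LISTING PRINCIPAL
# One-word verdict for the principal the client is expected to ask for:
# "ok", "case-mismatch" or "missing".
check_service_principal() {
    if keytab_has_principal "$1" "$2"; then
        echo ok
    elif [ -n "$(keytab_case_variants "$1" "$2")" ]; then
        echo case-mismatch
    else
        echo missing
    fi
}

# Stand-alone run: report on both spellings of the host principal.
for p in 'host/solaris1.example.com@EXAMPLE.COM' 'HOST/solaris1.example.com@EXAMPLE.COM'; do
    printf '%-45s %s\n' "$p" "$(check_service_principal "$SAMPLE_KEYTAB_LISTING" "$p")"
done
```

On a real Solaris 10 host, replace the constructed listing with the output of klist -k /etc/krb5/krb5.keytab and pass the principal the client actually requests (for pam_krb5's krb5_verify_init_creds that is normally host/<canonical fqdn>@REALM); a case-mismatch verdict is worth confirming before adding or changing any SPN with setspn. A separate caveat on the ktpass lines above: single DES (DES-CBC-MD5) is a weak encryption type, and MIT Kerberos 1.7 and later refuse it unless allow_weak_crypto is enabled, so prefer RC4-HMAC or AES wherever both the KDC and the client support them.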
