kerberos tickets and the SPNs

ravi channavajhala ravi.channavajhala at
Wed May 6 14:39:40 EDT 2009

I'm setting up a Solaris 10 server as a test Samba server with AD
authentication.  I'm running into a little bit of an issue with Kerberos
tickets.  The setup is as follows:

Solaris 10, Windows AD 2003/R2, native Solaris (SPARC) Samba, Kerberos, LDAP
(shipped with the distro) and IMU on Windows.  My LDAP client is working
well: it validates getent passwd <user>, and I can run ldaplist -l passwd
<user> and ldapsearch with no issues.  My LDAP authentication is set to simple,
with proxyDnuser.


On Solaris I'm very sure I set up krb5.conf, smb.conf, pam.conf,
nsswitch.conf and ntp.conf perfectly.  nsswitch is set to use 'files ldap'
for both passwd and group, and 'dns files' for hosts.  On Windows the IMU UNIX
attributes are set to the correct NIS domain.


I ran net ads join to successfully join the Solaris server to the AD;
however, net ads keytab create simply returns a new line without any errors.
When I checked on Windows after the net ads join command, I see two service
principal names (SPNs); the capitalization is intentional, as this is how they
appear when I run setspn hostname:
I also set up a service account (user object) on Windows whose name is the
same as the hostname (computer object).  I generated the keytab file with

ktpass -princ host/fqdn@REALM -mapuser DOMAIN\SERVICEACCT$ -pass password
-crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab


I then FTPed this file over to the Solaris host.  When I try to authenticate a
user login via AD, I get


PAM-KRB5 (auth): krb5_verify_init_creds failed: Server not found in Kerberos


So, just for the heck of it, I generated another krb5.keytab with

ktpass -princ HOST/fqdn@REALM -mapuser DOMAIN\SERVICEACCT$ -pass password
-crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab


Please note the HOST in capitals.  Now I get this error when testing with it:


PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found


Running PAM in debug mode didn't reveal anything specific other than the


I have my DNS set up correctly, and nslookup for the DCs, GCs and LDAP servers
returns properly.  I can add the SPNs forcibly with host/
and host/hostname and try different combinations.  But first I need to
understand this behavior.  Anyone???
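As an added example (not from this post, and not Solaris or Samba code), here is a small Python reader for the MIT-style keytab format (version 0x0502) that lists the principals a keytab holds and reports whether the exact host/<fqdn>@<REALM> entry is present, missing, or present only under a different case such as HOST/. The hostname, realm and key bytes below are constructed placeholders; the same check on the real box is `klist -k` read by eye.

```python
import struct

def _cstr(s):                 # counted octet string: uint16 length + bytes
    b = s.encode()
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):    # write a version-2 (0x0502) keytab; used only for sample input
    out = b"\x05\x02"
    for princ, enctype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm)   # v2: count excludes realm
        body += b"".join(_cstr(c) for c in comps)
        body += struct.pack(">IIB", 1, 0, 1)                  # name_type, timestamp, kvno8
        body += struct.pack(">HH", enctype, len(key)) + key   # keyblock
        out += struct.pack(">i", len(body)) + body            # int32 entry size, then entry
    return out

def parse_keytab(data):       # return [(principal, enctype), ...] for every live entry
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 2 is handled")
    pos, found = 2, []
    while pos < len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos += 4
        if size < 0:          # a negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack_from(">H", data, pos)[0]
        pos += 2
        strings = []          # realm first, then the name components
        for _ in range(ncomp + 1):
            n = struct.unpack_from(">H", data, pos)[0]
            strings.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        enctype = struct.unpack_from(">H", data, pos + 9)[0]  # skip name_type, timestamp, kvno8
        found.append(("/".join(strings[1:]) + "@" + strings[0], enctype))
        pos = end
    return found

def check_host_principal(data, fqdn, realm):  # what pam_krb5's verify step looks up
    wanted = f"host/{fqdn}@{realm}"
    princs = [p for p, _ in parse_keytab(data)]
    if wanted in princs:
        return "ok"
    if any(p.lower() == wanted.lower() for p in princs):
        return "case-mismatch"   # keytab lookup is exact and case-sensitive: HOST/ != host/
    return "missing"

# Constructed sample: the second ktpass run above (HOST/..., -crypto DES-CBC-MD5 = enctype 3).
SAMPLE = build_keytab([("HOST/solaris10.example.com@EXAMPLE.COM", 3, b"\x01" * 8)])
```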
