kerberos tickets and the SPNs

Douglas E. Engert deengert at anl.gov
Wed May 6 15:33:17 EDT 2009


Windows treats principal names as case insensitive.
Kerberos treats them as case sensitive.

Normally Kerberos host/hostname@REALM has "host" in lower case.
So why Samba's net ads join uses upper case is not clear.

If net ads join adds the SPN in uppercase and ktpass is then run
with lower case, it will work, as Windows is case insensitive
and the SPN already exists.

You could try changing the SPN to lower case.


ravi channavajhala wrote:
> I'm setting up a Solaris 10 server as a test samba server with AD
> authentication.  I'm running into a little bit of issue with Kerberos
> tickets.  The setup is as follows
> 
> Solaris-10, Windows AD-2003/R2, native Solaris (sparc) samba, Kerberos, LDAP
> (shipped with the distro) and IMU on windows.  My LDAP client is working
> well and validates getent passwd <user> and can run ldaplist -l passwd
> <user> and ldapsearch, no issues.  My ldap authentication is set to simple,
> with proxyDnuser.
> 
> On Solaris I'm very sure I setup the krb5.conf, smb.conf, pam.conf,
> nsswitch.conf, ntp.conf perfectly.  The nsswitch is set to use 'files ldap'
> for both passwd and group and dns files for hosts.  On windows the IMU, UNIX
> attributes are set to the correct NIS domain.
> 
> I ran net ads join to successfully join the Solaris server into the AD,
> however net ads keytab create simply returns a new line without any errors.
> When I checked on windows, after net ADS join command, I see two service
> principals (SPN), the capitalization is intentional as this is how they
> appear when I run spnset hostname
> 
> HOST/HOSTNAME
> 
> HOST/hostname.domain.com (FQDN)
> 
> I also setup a service account name (user object) on Windows whose name is
> same as the hostname (computer object).  I generated the keytab file with
> 
> ktpass -princ host/fqdn@REALM -mapuser DOMAIN\SERVICEACCT$ -pass password
> -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab
> 

So you have two accounts with the same SPN? (differing by case only?)
Or did you remove the net ads join created entry first?

> 
> I then ftped this file over to Solaris host and try to authenticate a user
> login via AD, I get 
> 
> PAM-KRB5 (auth): krb5_verify_init_creds failed: Server not found in Kerberos
> database
> 

Could be the case issue. krb5 is looking for "host".

> 
> So, just for the heck of it I generated another krb5.keytab with the
> following
> 
> ktpass -princ HOST/fqdn@REALM -mapuser DOMAIN\SERVICEACCT$ -pass password
> -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab
> 
> Please note the HOST in capitals.  Now, I get this error testing with this
> keytab
> 
> PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found
> 
> Running PAM in debug mode didn't reveal anything specific other than the
> obvious.
> 

Wireshark could be used to see the network traffic between server and KDC.
This sounds like a case issue...

> 
> I have my DNS setup correctly and the nslookup for DCs, GCs and LDAP servers
> return properly.  I can add the SPNs forcibly with host/hostname.domain.com
> and host/hostname and try different combinations.  But first I need to
> understand this behavior, anyone???
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
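To make the case point above concrete, here is an added example (not from the thread or from Samba/MIT code) that compares constructed `setspn -L` and `klist -k` output under both matching rules: AD's case-insensitive SPN comparison and Kerberos's exact comparison. The sample outputs, the hostnames and the three result categories are my own construction.

```python
"""Compare SPNs registered in AD against principals in a keytab, applying
Kerberos (case-sensitive) and Active Directory (case-insensitive) matching."""

# Constructed sample of `setspn -L <account>` output (assumed format).
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=HOSTNAME,CN=Computers,DC=domain,DC=com:
    HOST/HOSTNAME
    HOST/hostname.domain.com
"""

# Constructed sample of `klist -k` output on the Solaris side (assumed format).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/hostname.domain.com@DOMAIN.COM
"""

def parse_setspn(text):
    """Return the SPN lines (the indented lines under the 'Registered ...' header)."""
    return [line.strip() for line in text.splitlines() if line.startswith("    ")]

def parse_klist(text):
    """Return (kvno, principal) tuples from klist -k style output."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            out.append((int(parts[0]), parts[1]))
    return out

def service_part(principal):
    """'host/fqdn@REALM' -> 'host/fqdn' (the SPN as AD stores it, without realm)."""
    return principal.split("@", 1)[0]

def classify(spns, keytab_principals):
    """Label each keytab principal: 'exact' (matches under Kerberos rules),
    'case-only' (AD would accept it, a case-sensitive Kerberos lookup would
    not), or 'missing' (no SPN matches even ignoring case)."""
    folded = {s.lower() for s in spns}
    result = {}
    for _kvno, princ in keytab_principals:
        spn = service_part(princ)
        if spn in spns:
            result[princ] = "exact"
        elif spn.lower() in folded:
            result[princ] = "case-only"
        else:
            result[princ] = "missing"
    return result

def report():
    """Run the comparison over the constructed samples."""
    return classify(parse_setspn(SETSPN_OUTPUT), parse_klist(KLIST_OUTPUT))
```

Any entry reported as "case-only" is the situation described in the thread: the SPN exists for Windows, but a case-sensitive Kerberos match on the keytab name fails.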
