kerberos tickets and the SPNs

Ravi Channavajhala ravi.channavajhala at dciera.com
Wed May 6 15:57:22 EDT 2009


On Thu, May 7, 2009 at 1:03 AM, Douglas E. Engert <deengert at anl.gov> wrote:
>
> Windows treats principal names as case insensitive.
> Kerberos treats them as case sensitive.
>
> Normally Kerberos host/hostname at REALM has "host" in lower case.
> So why the Samba net ADS join is using upper case is not clear.

Just to be sure, I did delete the computer object from AD and
re-created it from net ads; the SPNs appear again in the same way.

> If the net ads join adds the SPN in uppercase, then the ktpass
> with lower case, it will work, as windows is case insensitive
> and the SPN already exists.
>
> You could try changing the SPN to lower case.

I might as well add new SPNs with the setspn -A option.

>> HOST/HOSTNAME
>>
>> HOST/hostname.domain.com (FQDN)
>>
>
> So you have two accounts with the same SPN? (differing by case only?)
> Or did you remove the net ads join created entry first?

Yeah, but they are two different objects: one is a computer and the
other is a user.  In the above case the two SPNs are for the computer
object only, as indicated by the host.  The SPN for a user object
typically appears as DOMAIN\USERNAME.

>> I then ftped this file over to the Solaris host and tried to authenticate a user
>> login via AD, I get
>>
>> PAM-KRB5 (auth): krb5_verify_init_creds failed: Server not found in Kerberos
>> database
>>
>
> Could be the case issue. krb5 is looking for "host"

Looks like it, as I get different error messages depending on how I
specify the ktpass -princ with either host or HOST.

>> Running PAM in debug mode didn't reveal anything specific other than the
>> obvious.
>
> Wireshark could be used to see the network traffic between server and KDC.
> This sounds like a case issue...

It sure is, but my problem is how to avoid manual work in case a
future server base is built and I have to do a monkey boy's job
of checking SPNs and adding/removing... there must be a way out of
this.  I got oodles of ldap traffic captured with snoop, which I will
look at further.
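Added example, not part of the thread: a small Python audit that compares the servicePrincipalName values of an AD computer object against the exact-case host/ principals a krb5 client looks for, flagging entries that only match case-insensitively and SPNs that collide by case alone. The LDIF fragment, host name and SPN values are constructed placeholders taken from the names quoted in the thread.

```python
"""Audit AD SPNs against the exact-case host/ principals krb5 looks for."""

def spns_from_ldif(ldif_text):
    """Pull servicePrincipalName values out of ldapsearch LDIF output."""
    return [line.split(":", 1)[1].strip()
            for line in ldif_text.splitlines()
            if line.lower().startswith("serviceprincipalname:")]

def expected_host_spns(fqdn):
    """krb5 convention: lower-case 'host' service, short name and FQDN."""
    fqdn = fqdn.lower()
    return {f"host/{fqdn.split('.')[0]}", f"host/{fqdn}"}

def audit_spns(fqdn, spns):
    """Classify each expected principal as exact, case-only or missing.
    case-only: Windows (case-insensitive) would match it, but code that
    compares principal strings exactly, such as a keytab lookup, will not."""
    present = {s.strip() for s in spns}
    by_lower = {}
    for s in present:
        by_lower.setdefault(s.lower(), []).append(s)
    result = {}
    for want in sorted(expected_host_spns(fqdn)):
        if want in present:
            result[want] = "exact"
        elif want.lower() in by_lower:
            found = ", ".join(sorted(by_lower[want.lower()]))
            result[want] = f"case-only ({found})"
        else:
            result[want] = "missing"
    return result

def case_collisions(spns):
    """SPNs in one object that differ only by case (e.g. HOST/box vs host/box)."""
    groups = {}
    for s in spns:
        groups.setdefault(s.lower(), set()).add(s)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

# Constructed LDIF fragment mirroring the SPNs quoted in the thread.
SAMPLE_LDIF = """dn: CN=HOSTNAME,CN=Computers,DC=domain,DC=com
servicePrincipalName: HOST/HOSTNAME
servicePrincipalName: HOST/hostname.domain.com
"""

if __name__ == "__main__":
    spns = spns_from_ldif(SAMPLE_LDIF)
    for principal, status in audit_spns("hostname.domain.com", spns).items():
        print(f"{principal}: {status}")
    print("case collisions:", case_collisions(spns))
```

Feed it the real `ldapsearch -LLL ... servicePrincipalName` output for each computer object to find hosts whose SPNs exist only in upper case before ktpass is run.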
