kerberos tickets and the SPNs
Markus Moeller
huaraz at moeller.plus.com
Wed May 6 15:49:51 EDT 2009
"Douglas E. Engert" <deengert at anl.gov> wrote in message
news:mailman.17.1241638415.9729.kerberos at mit.edu...
> Windows treats principal names as case insensitive.
> Kerberos treats them as case sensitive.
>
> Normally Kerberos host/hostname at REALM has "host" in lower case.
> So why the Samba net ads join is using upper case is not clear.
>
> If the net ads join adds the SPN in uppercase, then ktpass with lower
> case will work, as Windows is case insensitive and the SPN already
> exists.
>
> You could try changing the SPN to lower case.
>
You could add a copy with an uppercase HOST to the keytab with ktutil,
e.g.
# ktutil
ktutil: rkt /tmp/test.keytab
ktutil: l -k
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 3 host/opensuse11.suse.home@SUSE.HOME (0xd962b1ecc18a809eb57c4a031193623a)
ktutil: addent -key -p HOST/opensuse11.suse.home@SUSE.HOME -k 3 -e rc4-hmac
Key for HOST/opensuse11.suse.home@SUSE.HOME (hex): d962b1ecc18a809eb57c4a031193623a
ktutil: l -k
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 3 host/opensuse11.suse.home@SUSE.HOME (0xd962b1ecc18a809eb57c4a031193623a)
2 3 HOST/opensuse11.suse.home@SUSE.HOME (0xd962b1ecc18a809eb57c4a031193623a)
ktutil: wkt /tmp/new.keytab
ktutil: quit
>
> ravi channavajhala wrote:
>> I'm setting up a Solaris 10 server as a test samba server with AD
>> authentication. I'm running into a little bit of an issue with Kerberos
>> tickets. The setup is as follows
>>
>> Solaris-10, Windows AD-2003/R2, native Solaris (sparc) samba, Kerberos,
>> LDAP (shipped with the distro) and IMU on Windows. My LDAP client is
>> working well and validates getent passwd <user>, and I can run
>> ldaplist -l passwd <user> and ldapsearch, no issues. My LDAP
>> authentication is set to simple, with proxyDnuser.
>>
>> On Solaris I'm very sure I set up the krb5.conf, smb.conf, pam.conf,
>> nsswitch.conf, ntp.conf perfectly. The nsswitch is set to use 'files
>> ldap' for both passwd and group and dns files for hosts. On Windows the
>> IMU UNIX attributes are set to the correct NIS domain.
>>
>> I ran net ads join to successfully join the Solaris server into the AD,
>> however net ads keytab create simply returns a new line without any
>> errors. When I checked on Windows, after the net ads join command, I see
>> two service principals (SPN); the capitalization is intentional as this
>> is how they appear when I run setspn hostname
>>
>> HOST/HOSTNAME
>>
>> HOST/hostname.domain.com (FQDN)
>>
>> I also set up a service account name (user object) on Windows whose name
>> is the same as the hostname (computer object). I generated the keytab
>> file with
>>
>> ktpass -princ host/fqdn@REALM -mapuser DOMAIN\SERVICEACCT$ -pass password
>> -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab
>>
>>
>
> So you have two accounts with the same SPN? (differing by case only?)
> Or did you remove the net ads join created entry first?
>
>>
>> I then FTPed this file over to the Solaris host and tried to authenticate
>> a user login via AD; I get PAM-KRB5 (auth): krb5_verify_init_creds
>> failed: Server not found in Kerberos database
>>
>
> Could be the case issue. krb5 is looking for "host"
>> So, just for the heck of it I generated another krb5.keytab with the
>> following
>>
>> ktpass -princ HOST/fqdn@REALM -mapuser DOMAIN\SERVICEACCT$ -pass password
>> -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab
>>
>> Please note the HOST in capitals. Now I get this error testing with
>> this keytab
>>
>> PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found
>>
>> Running PAM in debug mode didn't reveal anything specific other than the
>> obvious.
>>
>
> Wireshark could be used to see the network traffic between server and KDC.
> This sounds like a case issue...
>
>> I have my DNS set up correctly and the nslookup for DCs, GCs and LDAP
>> servers returns properly. I can add the SPNs forcibly with
>> host/hostname.domain.com and host/hostname and try different
>> combinations. But first I need to understand this behavior, anyone???
>>
>> ________________________________________________
>> Kerberos mailing list Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>
> --
>
> Douglas E. Engert <DEEngert at anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
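An added example, not part of the thread above and not code from any of its participants: a small Python reader/writer for the MIT keytab file format (version 0x0502) that does programmatically what the ktutil session in the reply does, i.e. copies the host/... entry under an uppercase HOST/... principal with the same kvno, enctype and raw key. The sample keytab is constructed inside the script from the single entry shown in the ktutil listing; the /tmp/new.keytab output path is an assumption, and the script writes nothing unless run directly.

```python
"""Minimal MIT keytab (format 0x0502) reader/writer. Added example, not from
the thread; it reproduces the ktutil session: the host/... entry is copied
as HOST/... with identical kvno, enctype and key bytes."""
import struct

KEYTAB_VERSION = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1          # name type ktutil writes for host/... principals
ENCTYPE_RC4_HMAC = 23          # rc4-hmac enctype number (DES-CBC-MD5 is 3)


def _counted(b):
    """uint16 big-endian length prefix, as used for realm and components."""
    return struct.pack(">H", len(b)) + b


def _read(fmt, data, off):
    """Unpack `fmt` at `off`; return (values, new offset)."""
    return struct.unpack_from(fmt, data, off), off + struct.calcsize(fmt)


def encode_entry(principal, kvno, enctype, key, timestamp=0):
    """Serialize one entry; principal is 'svc/host@REALM'."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)   # 32-bit kvno, read by MIT when room remains
    return struct.pack(">i", len(body)) + body


def parse_keytab(data):
    """Return a list of {principal, kvno, enctype, key} dicts."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("not a version-2 MIT keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,), off = _read(">i", data, off)
        if size == 0:
            break
        if size < 0:            # negative size marks a deleted entry: skip it
            off -= size
            continue
        end = off + size
        (ncomp, rlen), off = _read(">HH", data, off)
        realm, off = data[off:off + rlen].decode(), off + rlen
        comps = []
        for _ in range(ncomp):
            (clen,), off = _read(">H", data, off)
            comps.append(data[off:off + clen].decode())
            off += clen
        (_nt, _ts, vno8), off = _read(">IIB", data, off)
        (etype, klen), off = _read(">HH", data, off)
        key, off = data[off:off + klen], off + klen
        kvno = vno8
        if end - off >= 4:      # optional 32-bit kvno, used when nonzero
            kvno = struct.unpack_from(">I", data, off)[0] or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": etype, "key": key})
        off = end
    return entries


def build_keytab(entries):
    return KEYTAB_VERSION + b"".join(
        encode_entry(e["principal"], e["kvno"], e["enctype"], e["key"])
        for e in entries)


def add_case_variant(data, principal, service_name):
    """Keytab bytes with each entry for `principal` duplicated under the service
    component renamed to `service_name` (host -> HOST); key material is unchanged.
    Kerberos matches principal names byte for byte, so this is a distinct entry."""
    entries = parse_keytab(data)
    matches = [e for e in entries if e["principal"] == principal]
    if not matches:
        raise KeyError(principal)
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    comps[0] = service_name
    variant = "/".join(comps) + "@" + realm
    return build_keytab(entries + [dict(e, principal=variant) for e in matches])


def list_keytab(data):
    """Lines in the style of `ktutil: l -k`: slot, kvno, principal, key."""
    return ["%d %d %s (0x%s)" % (i + 1, e["kvno"], e["principal"], e["key"].hex())
            for i, e in enumerate(parse_keytab(data))]


# Constructed sample: the single rc4-hmac entry from the ktutil listing above.
SAMPLE_KEY = bytes.fromhex("d962b1ecc18a809eb57c4a031193623a")
SAMPLE_PRINCIPAL = "host/opensuse11.suse.home@SUSE.HOME"
SAMPLE_KEYTAB = build_keytab([{"principal": SAMPLE_PRINCIPAL, "kvno": 3,
                               "enctype": ENCTYPE_RC4_HMAC, "key": SAMPLE_KEY}])
NEW_KEYTAB = add_case_variant(SAMPLE_KEYTAB, SAMPLE_PRINCIPAL, "HOST")

if __name__ == "__main__":
    for line in list_keytab(NEW_KEYTAB):
        print(line)
    with open("/tmp/new.keytab", "wb") as f:   # assumed output path
        f.write(NEW_KEYTAB)
```

Copying raw key bytes, as ktutil addent -key does, sidesteps the string-to-key salt: for rc4-hmac the key is a hash of the password alone and does not depend on the principal name, so the two entries are necessarily identical, whereas for the DES and AES enctypes the default salt includes the principal name, and an entry derived from the password under a differently cased principal would get a different key unless the original salt is supplied explicitly.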