kerberos tickets and the SPNs

Luke Howard lukeh at padl.com
Wed May 6 20:49:37 EDT 2009


FWIW MIT Kerberos 1.7 will address this.

-- Luke

On 07/05/2009, at 5:49 AM, Markus Moeller wrote:

>
> "Douglas E. Engert" <deengert at anl.gov> wrote in message
> news:mailman.17.1241638415.9729.kerberos at mit.edu...
>> Windows treats principal names as case insensitive.
>> Kerberos treats them as case sensitive.
>>
>> Normally Kerberos host/hostname at REALM has "host" in lower case.
>> So why Samba net ADS join is using upper case is not clear.
>>
>> If the net ads join adds the SPN in uppercase, then the ktpass
>> with lower case will work, as Windows is case insensitive
>> and the SPN already exists.
>>
>> You could try changing the SPN to lower case.
>>
>
> You could add a copy to the keytab with ktutil which has an uppercase HOST,
> e.g.
>
> # ktutil
> ktutil:  rkt /tmp/test.keytab
> ktutil:  l -k
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    3      host/opensuse11.suse.home at SUSE.HOME (0xd962b1ecc18a809eb57c4a031193623a)
> ktutil:  addent -key -p HOST/opensuse11.suse.home at SUSE.HOME -k 3 -e rc4-hmac
> Key for HOST/opensuse11.suse.home at SUSE.HOME (hex): d962b1ecc18a809eb57c4a031193623a
> ktutil:  l -k
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    3      host/opensuse11.suse.home at SUSE.HOME (0xd962b1ecc18a809eb57c4a031193623a)
>    2    3      HOST/opensuse11.suse.home at SUSE.HOME (0xd962b1ecc18a809eb57c4a031193623a)
> ktutil:  wkt /tmp/new.keytab
> ktutil:  quit
>
>
>>
>> ravi channavajhala wrote:
>>> I'm setting up a Solaris 10 server as a test samba server with AD
>>> authentication.  I'm running into a little bit of an issue with Kerberos
>>> tickets.  The setup is as follows
>>>
>>> Solaris-10, Windows AD-2003/R2, native Solaris (sparc) samba, Kerberos, LDAP
>>> (shipped with the distro) and IMU on windows.  My LDAP client is working
>>> well and validates getent passwd <user> and can run ldaplist -l passwd
>>> <user> and ldapsearch, no issues.  My ldap authentication is set to simple,
>>> with proxyDnuser.
>>>
>>> On Solaris I'm very sure I set up the krb5.conf, smb.conf, pam.conf,
>>> nsswitch.conf, ntp.conf perfectly.  The nsswitch is set to use 'files ldap'
>>> for both passwd and group and dns files for hosts.  On windows the IMU, UNIX
>>> attributes are set to the correct NIS domain.
>>>
>>> I ran net ads join to successfully join the Solaris server into the AD,
>>> however net ads keytab create simply returns a new line without any errors.
>>> When I checked on windows, after the net ADS join command, I see two service
>>> principals (SPN), the capitalization is intentional as this is how they
>>> appear when I run spnset hostname
>>>
>>> HOST/HOSTNAME
>>>
>>> HOST/hostname.domain.com (FQDN)
>>>
>>> I also set up a service account name (user object) on Windows whose name is
>>> the same as the hostname (computer object).  I generated the keytab file with
>>>
>>> ktpass -princ host/fqdn at REALM -mapuser DOMAIN\SERVICEACCT$ -pass password
>>> -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab
>>>
>>>
>>
>> So you have two accounts with the same SPN? (differing by case only?)
>> Or did you remove the net ads join created entry first?
>>
>>>
>>> I then ftped this file over to the Solaris host and tried to authenticate a
>>> user login via AD, I get PAM-KRB5 (auth): krb5_verify_init_creds failed:
>>> Server not found in Kerberos database
>>>
>>
>> Could be the case issue. krb5 is looking for "host"
>>> So, just for the heck of it I generated another krb5.keytab with the
>>> following
>>>
>>> ktpass -princ HOST/fqdn at REALM -mapuser DOMAIN\SERVICEACCT$ -pass password
>>> -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab
>>>
>>> Please note the HOST in capitals.  Now, I get this error testing with this
>>> keytab
>>>
>>> PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found
>>>
>>> Running PAM in debug mode didn't reveal anything specific other than the
>>> obvious.
>>>
>>
>> Wireshark could be used to see the network traffic between server and KDC.
>> This sounds like a case issue...
>>
>>> I have my DNS set up correctly and the nslookup for DCs, GCs and LDAP servers
>>> return properly.  I can add the SPNs forcibly with host/hostname.domain.com
>>> and host/hostname and try different combinations.  But first I need to
>>> understand this behavior, anyone???
>>>
>>> ________________________________________________
>>> Kerberos mailing list           Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>>
>>
>> -- 
>>
>> Douglas E. Engert  <DEEngert at anl.gov>
>> Argonne National Laboratory
>> 9700 South Cass Avenue
>> Argonne, Illinois  60439
>> (630) 252-5444
>

--
www.padl.com | www.fghr.net
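An added example, not code from the thread or from ktutil: a small Python parser for the MIT keytab file format (version 0x0502) that lists the entries and reports principals present in more than one capitalisation, which is exactly the state Markus's ktutil session produces and the first thing to check when pam_krb5 reports "Key table entry not found" for a host/ principal. build_keytab constructs the sample keytab in memory with a dummy key and the thread's principal names; the enctype number 23 (rc4-hmac) and name type 1 (KRB5_NT_PRINCIPAL) are the standard values, everything else is constructed.

```python
import struct
from collections import defaultdict

def _cstr(data, off):
    (n,) = struct.unpack_from(">H", data, off)   # uint16 length, then the bytes
    return data[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Parse a format-0x0502 MIT keytab into (principal, kvno, enctype) tuples."""
    assert data[:2] == b"\x05\x02", "only keytab format 0x0502 is handled here"
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        parts, off = [], off + 2      # realm first, then the name components
        for _ in range(ncomp + 1):
            s, off = _cstr(data, off)
            parts.append(s)
        vno8 = data[off + 8]          # follows uint32 name_type and uint32 timestamp
        enctype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13 + klen              # skip the keyblock header and the key bytes
        kvno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno, enctype))
        off = end
    return entries

def case_variants(entries):
    """Principals stored in more than one capitalisation (host/ beside HOST/)."""
    groups = defaultdict(set)
    for princ, _, _ in entries:
        groups[princ.lower()].add(princ)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as a 0x0502 keytab."""
    out = b"\x05\x02"
    for princ, kvno, enctype, key in entries:
        name, realm = princ.rsplit("@", 1)
        parts = [realm] + name.split("/")
        body = struct.pack(">H", len(parts) - 1)
        body += b"".join(struct.pack(">H", len(p)) + p.encode() for p in parts)
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
        out += struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)
    return out

SAMPLE = build_keytab([(p, 3, 23, bytes(range(16))) for p in   # constructed: dummy key
                       ("host/opensuse11.suse.home@SUSE.HOME", "HOST/opensuse11.suse.home@SUSE.HOME")])
```

Against a real file, parse_keytab(open(path, "rb").read()) shows whether the lowercase host/fqdn@REALM entry that the krb5 library looks up is present at all, separating a keytab-side case mismatch from a problem on the ktpass or SPN side.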



