msktutil problem with Windows 2008

Douglas E. Engert deengert at anl.gov
Wed Sep 2 10:40:31 EDT 2009


Markus Moeller wrote:
> I found the problem with msktutil. It uses the wrong salt. For a computer 
> name with uppercase parts (e.g. squid-HTTP) it uses 
> DOM.LOCALhostsquid-HTTP.dom.local as salt instead of 
> DOM.LOCALhostsquid-http.dom.local.

I would like to reword this...

Windows AD appears to generate a salt for computer accounts using the
concatenation of:
    uppercase(domain) "host" lowercase(SAMAccountName) "." lowercase(domain)

But msktutil was using:
    uppercase(domain) "host" SAMAccountName "." lowercase(domain)

So this would only be a problem for accounts where the account name had mixed case.
The circumvention is to use msktutil --computername some-lowercase-name,
i.e. always use lower case for the computer name.

Windows 2003 does the same thing. All of our computer accounts had been
lowercase, so we never ran across this problem.


> 
> Markus
> 
> 
> "Markus Moeller" <huaraz at moeller.plus.com> wrote in message 
> news:mailman.35.1251548728.12456.kerberos at mit.edu...
>> Is it possible that Windows 2008 is mapping HTTP principals to host 
>> principals?
>>
>> With two AD entries created by msktutil for host/fqdn and HTTP/fqdn my 
>> apache/squid module created an error  "Decrypt integrity check failed" and 
>> a kinit -kt /etc/HTTP.keytab HTTP/fqdn fails, whereas kinit -kt 
>> /etc/host.keytab host/fqdn works.
>>
>> When I remove the AD entry which msktutil created for HTTP/fqdn and leave 
>> the AD entry for host/fqdn I still got an answer for kvno HTTP/fqdn.  Now 
>> I used ktutil to create a HTTP keytab
>>
>> # ktutil
>> ktutil:  addent -key -p HTTP/centos.dom.local at DOM.LOCAL -k 2 -e 
>> aes256-cts-hmac-sha1-96
>> Key for HTTP/centos.dom.local at DOM.LOCAL (hex): 
>> 3fab515ac867e26a6f388707f282824ee3b50310cbbb9b625273dfe21aed5c03
>> ktutil:  wkt  /etc/HTTP.keytab
>> ktutil:  quit
>>
>> I can use the HTTP keytab with kinit and I can also use it now for 
>> apache/squid.
>>
>> It looks like when IE requests a HTTP/fqdn ticket, 2008 converts it into a 
>> request for host/fqdn and ignores entries with a servicePrincipalName set to 
>> HTTP/fqdn.
>>
>> Can anybody confirm that? Or what do I do wrong?
>>
>> Thank you
>> Markus
>>
>> "Markus Moeller" <huaraz at moeller.plus.com> wrote in message 
>> news:h7b5a5$tb0$1 at ger.gmane.org...
>>> I was too quick. I get it to work with host/fqdn (e.g. kinit -kt
>>> /etc/krb5.keytab host/centos.dom.local) but not with HTTP/fqdn.  I use
>>> AES-256 CTS mode with 96-bit SHA-1 HMAC.
>>>
>>> klist -ekt /etc/krb5.keytab
>>> Keytab name: FILE:/etc/krb5.keytab
>>> KVNO Timestamp         Principal
>>> ---- ----------------- --------------------------------------------------------
>>>   3 08/29/09 20:54:49 host/centos.dom.local at DOM.LOCAL (ArcFour with
>>> HMAC/md5)
>>>   3 08/29/09 20:54:49 host/centos.dom.local at DOM.LOCAL (AES-128 CTS mode
>>> with 96-bit SHA-1 HMAC)
>>>   3 08/29/09 20:54:49 host/centos.dom.local at DOM.LOCAL (AES-256 CTS mode
>>> with 96-bit SHA-1 HMAC)
>>>
>>> klist -e
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: host/centos.dom.local at DOM.LOCAL
>>>
>>> Valid starting     Expires            Service principal
>>> 08/29/09 21:48:32  08/30/09 07:47:42  krbtgt/DOM.LOCAL at DOM.LOCAL
>>>        renew until 08/30/09 21:48:32, Etype (skey, tkt): AES-256 CTS mode
>>> with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
>>>
>>>
>>>
>>> klist -ekt /etc/HTTP.keytab
>>> Keytab name: FILE:/opt/squid-3.0/etc/HTTP.keytab
>>> KVNO Timestamp         Principal
>>> ---- ----------------- --------------------------------------------------------
>>>   2 08/29/09 21:39:35 HTTP/centos.dom.local at DOM.LOCAL (ArcFour with
>>> HMAC/md5)
>>>   2 08/29/09 21:39:35 HTTP/centos.dom.local at DOM.LOCAL (AES-128 CTS mode
>>> with 96-bit SHA-1 HMAC)
>>>   2 08/29/09 21:39:35 HTTP/centos.dom.local at DOM.LOCAL (AES-256 CTS mode
>>> with 96-bit SHA-1 HMAC)
>>>
>>>
>>> kinit -kt /etc/HTTP.keytab HTTP/centos.dom.local
>>> kinit(v5): Preauthentication failed while getting initial credentials
>>>
>>> Markus
>>>
>>>
>>> "Markus Moeller" <huaraz at moeller.plus.com> wrote in message
>>> news:CF5A795E7B16440FA314ED54D5645C0B at VAIOLaptop...
>>>> Wolf-Agathon,
>>>>
>>>>   I did export the keytab, but I found out the Hotfix 951191 was not
>>>> installed on the 2008 DC.
>>>>
>>>> Markus
>>>>
>>>> ----- Original Message ----- 
>>>> From: "Wolf-Agathon Schaly" <schaly_wolf-agathon at arcor.de>
>>>> To: <huaraz at moeller.plus.com>; <kerberos at mit.edu>
>>>> Sent: Saturday, August 29, 2009 11:27 AM
>>>> Subject: Aw: msktutil problem with Windows 2008
>>>>
>>>>
>>>>> Howdy Markus
>>>>>
>>>>> Sounds to me that you're trying to use a keytab without exporting the key
>>>>> to your keytab file test.keytab,
>>>>>
>>>>> am I right?
>>>>>
>>>>> cheers
>>>>>  Wolf-Agathon
>>>>>
>>>>>
>>>>> ----- Original Nachricht ----
>>>>> Von:     Markus Moeller <huaraz at moeller.plus.com>
>>>>> An:      kerberos at mit.edu
>>>>> Datum:   29.08.2009 00:07
>>>>> Betreff: msktutil problem with Windows 2008
>>>>>
>>>>>> I use the latest msktutil (0.3.16-7) and can add an entry to Windows 2008,
>>>>>> but when I run kinit -kt test.keytab HTTP/fqdn I get
>>>>>> KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. Is there a setting in 2008 which needs
>>>>>> to be changed?
>>>>>>
>>>>>> Thank you
>>>>>> Markus
>>>>>>
>>>>>>
>>>>>> ________________________________________________
>>>>>> Kerberos mailing list           Kerberos at mit.edu
>>>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>>>
>>>>
>>>>
>>>
>>>
>>
> 
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
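As an added example (not code from this thread or from msktutil) of the salt rule Douglas describes above, the Python below builds both salts and runs the first stage of the RFC 3962 AES string-to-key on each, so the key mismatch behind the "Preauthentication failed" / "Decrypt integrity check failed" errors can be seen directly. The realm, domain and password values are constructed samples.

```python
import hashlib

# Added example (not from the thread or msktutil's source): reproduces the salt
# mismatch described in the thread and shows that it changes the derived AES key.


def ad_computer_salt(realm: str, computer_name: str, dns_domain: str) -> str:
    """Salt Windows AD uses for a computer account, as described in the thread:
    uppercase(realm) + "host" + lowercase(name) + "." + lowercase(domain)."""
    return f"{realm.upper()}host{computer_name.lower()}.{dns_domain.lower()}"


def old_msktutil_salt(realm: str, computer_name: str, dns_domain: str) -> str:
    """Salt the msktutil version in the thread used: the name is not lowercased."""
    return f"{realm.upper()}host{computer_name}.{dns_domain.lower()}"


def aes_tkey(password: str, salt: str, key_bytes: int = 32) -> bytes:
    """First stage of RFC 3962 string-to-key for aes*-cts-hmac-sha1-96:
    PBKDF2-HMAC-SHA1(password, salt, 4096 iterations). The final key is
    DK(tkey, "kerberos"), which needs AES and is left out here; distinct
    tkeys already yield distinct final keys, so this suffices to show the
    mismatch. (arcfour-hmac keys are unsalted and therefore unaffected.)"""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), 4096, key_bytes)


def keys_agree(password: str, realm: str, computer_name: str, dns_domain: str) -> bool:
    """True when the key the KDC holds (AD salt) and the key the old msktutil
    would have written to the keytab (unlowercased salt) are identical."""
    kdc = aes_tkey(password, ad_computer_salt(realm, computer_name, dns_domain))
    keytab = aes_tkey(password, old_msktutil_salt(realm, computer_name, dns_domain))
    return kdc == keytab


if __name__ == "__main__":
    pw = "constructed-machine-password"  # constructed sample, not a real password
    for name in ("squid-HTTP", "squid-http"):
        print(name, "keys agree:", keys_agree(pw, "DOM.LOCAL", name, "dom.local"))
```

Running it shows the mixed-case name producing differing keys and the all-lowercase name producing identical ones, which is exactly why the --computername lowercase workaround helps.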


