Key table entry not found-this time with Heimdal

Douglas E. Engert deengert at anl.gov
Mon Aug 30 11:50:23 EDT 2010



On 8/30/2010 5:15 AM, Afrodita Petrova wrote:
> Hello,
>
> this is the same setup like in my previous post from this month, but this
> time I'm using heimdal-clients. I have removed all of the MIT packages that I
> have installed: krb5-user, krb5-clients.
>
> I have a Virtual Network configured to use Kerberos authentication. The
> setup is as follows:
> Windows Server 2008 Standard SP2 (DC,DNS) (FQDN) labserver.lab.com;
> Debian Linux 5.0(lenny) (WebServer-Apache) (FQDN) debian.lab.com;
> Windows XP Prof. (client) (FQDN) zdravko.lab.com;
>
> [Windows Server 2008 Settings]
>
> They are in the DNS lookup zone. I create one test user account for
> accessing the client machine under the given
>
> domain (lab.com). The user name is "zdravko1" and its password never
> expires, and it's not going to be prompted for

This can be an ordinary domain user.

>
> changing. After that I create one "dummy" user which will be used for the
> SPN (service principal name mapping to it). It's called
>

It's not a dummy account; it is an account for the service. It's called
a user account, but it is more of a computer account. It holds the password
used to generate the keys on the fly and has the kvno stored as the
msDS-KeyVersionNumber attribute. The account name must be unique across
the forest, so pick a naming convention, like <service>-<short host name>,
e.g. HTTP-debian. The account can have multiple SPNs, which means they all
share the same password and thus the same keys. (I recommend only one SPN
per account.)

> "http" and the same flags are used as in "zdravko1":
>
> -User cannot change password;
> -Password never expires;
> -This account supports AES 256 bit encryption;
>
> I continued with creating the keytab file:
>
> c:\>ktpass /princ HTTP/debian.lab.com@LAB.COM /mapuser http@LAB.COM
> /pass Debian26 /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out http.keytab

I have not used the ktpass recently, using msktutil instead. But some
pitfalls from previous versions include:

The kvnos must match (you point out below that they don't). This
can be caused by ktpass creating just the keytab, or, if run by an admin,
it can create the keytab and change the AD account password too.
That's when the randpass option makes sense.

So you must be careful about changing the account password and
running ktpass. Note ktpass has a kvno option too, and could
be used to just create a keytab without updating the AD account.
This may be what happened, as the kvno is 3 in the keytab, but
the AD account was not updated.

>
> Keytab version: 0x502
> keysize 78 HTTP/debian.lab.com@LAB.COM ptype 1
> (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1) keylength 32 (0x......)
>
> The keytab is successfully created and I have checked it with the
> following command: c:\>setspn -L http -> I have the service
>
> principal name HTTP/debian.lab.com registered to it.
> I copy the "http.keytab" file via pscp to the Debian box in the
> /etc/apache2/keytab/ directory.
>
> [Debian 5.0 Settings]
>
> In the /etc/hosts file in Debian I've deleted the "127.0.0.1" line and
> replaced it with: "192.168.100.103 debian.lab.com debian";
> 192.168.100.103 is the Linux box's IP.
>
> In the /etc/resolv.conf file I have made the following changes:
> domain lab.com
> search lab.com
> nameserver 192.168.100.102
> 192.168.100.102 is the DNS's IP.
>
> The packages versions are the following:
> heimdal-clients:1.2.dfsg.1-2.1;
> libapache2-mod-auth-kerb:5.3-5;
>
> The following lines will be from /etc/krb5.conf :
>
> [libdefaults]
> default_realm = LAB.COM
> default_tgs_enctypes = aes256-cts-hmac-sha1-96
> default_tkt_enctypes = aes256-cts-hmac-sha1-96
> permitted_enctypes = aes256-cts-hmac-sha1-96
>
> [realms]
> LAB.COM = {
> kdc = 192.168.100.102
> admin_server = 192.168.100.102
> }
>
> [domain_realm]
> .lab.com = LAB.COM
> lab.com = LAB.COM
>
> [login]
> krb4_convert = true
> krb4_get_tickets = false
>
> The following lines will be from /etc/apache2/sites-enabled/000-default
>
> <VirtualHost *:80>
>        ServerAdmin webmaster at localhost
>
>        DocumentRoot
> <Directory /var/www/>
> AuthType Kerberos
> KrbMethodNegotiate on
> KrbMethodK5Passwd off
> KrbAuthRealms LAB.COM
> Krb5Keytab /etc/apache2/keytab/http.keytab
> KrbVerifyKDC on
> KrbServiceName Any
> AuthName "Kerberos Login"
> Require valid-user
> Options FollowSymLinks
> AllowOverride None
> </Directory>
>
> I did testing in Debian with the "kinit","klist -v" :
>
> *[debian:/]kinit zdravko1*
> zdravko1@LAB.COM's password: Debian26
> *[debian:/]klist*
> Credentials cache: FILE:/tmp/krb5cc_0
>         Principal: zdravko1@LAB.COM
>
>   Issued           Expires          Principal
> Aug 27 11:53:02  Aug 27 21:53:01  krbtgt/LAB.COM@LAB.COM
> *[debian:/]klist -v*
> Credentials cache: FILE:/tmp/krb5cc_0
>         Principal: zdravko1@LAB.COM
>     Cache version: 4
>
> Server: krbtgt/LAB.COM@LAB.COM
> Client: zdravko1@LAB.COM
> Ticket etype: aes256-cts-hmac-sha1-96, kvno 2 (why is this 2, when upon
> creation with the "ktpass" command the kvno was 3 ?!?)
> Ticket length: 977
> Auth time:  Aug 27 12:06:34 2010
> End time:   Aug 27 22:06:24 2010
> Ticket flags: initial,pre-authenticated
> Addresses: addressless
>
>
>
> I'm logged in as root, the keytab file is readable by root, and so is the
> apache process. After I log into my client machine (XP)
> with the "zdravko1" user, I set up Internet Explorer using Achim's
> tutorial http://www.grolmsnet.de/kerbtut/ . The
> error that is
> occurring when I try to access http://debian.lab.com is Authorization
> Required (401).
> The kerbtray activated on my client shows that the tickets that are
> received from the server are encrypted with ArcFour (RC4)
> encryption and that the etype=0.
> Nothing matches with my setup. There is no trace of the AES256-SHA1
> encryption mechanism. The Apache /var/log/apache2/error.log
> writes the following lines:
>
> [debug]src/mod_auth_kerb.c(1579):[client 192.168.100.126]
> kerb_authenticate_user entered with user (NULL) and auth_type
> Kerberos
> [debug]mod_deflate.c(615):[client 192.168.100.126] Zlib: Compressed
> 594 to 399 : URL /
> [debug]src/mod_auth_kerb.c(1579): [client 192.168.100.126]
> kerb_authenticate_user entered with user (NULL) and auth_type
> Kerberos
> [debug]src/mod_auth_kerb.c(1407): [client 192.168.100.126] Verifying
> client data using KRB5 GSS-API
> [debug]src/mod_auth_kerb.c(1423): [client 192.168.100.126]
> Verification returned code 851968
> [error] [client 192.168.100.126] gss_accept_sec_context() failed:
> Unspecified GSS failure. Minor code may provide more
> information (Key table entry not found)
> [debug]mod_deflate.c(615):[client 192.168.100.126] Zlib:Compressed 594
> to 399 : URL /
>
> So... I have two questions:
>
> Why does the TGT have a key version number (kvno) different from the
> keytab file that I created, 2 != 3...

Start over by removing the account and keytab files. Run the create
account commands, and look at the msDS-KeyVersionNumber.

Run the ktpass as the admin, then look at the KVNO in the keytab
as well as the msDS-KeyVersionNumber. They should both match.

> and
> Is this the reason for the above output from the error.log?

Yes, Key table entry not found.

>
>
>
> Regards.

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
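As an added illustration for the kvno check described above (not code from this thread or from either poster): a small Python parser for the version 0x0502 keytab format that reports each entry's principal, kvno and enctype, and flags entries whose kvno differs from the value read from the account's msDS-KeyVersionNumber attribute. The keytab bytes and the 32-byte key are constructed here for the example; the AD kvno is passed in by the caller.

```python
import struct

def _counted(data, pos):
    # counted_octet_string: uint16 big-endian length followed by the bytes
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Parse a version 0x0502 keytab into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:              # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        # name_type (uint32), timestamp (uint32), 8-bit vno, enctype, key length
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
        etype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13
        key, pos = data[pos:pos + klen], pos + klen
        vno = vno8
        if end - pos >= 4:         # optional 32-bit kvno, used when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            vno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": vno, "etype": etype, "keylen": len(key)})
    return entries

def build_entry(realm, comps, vno, etype, key):
    # Serialise one entry (name_type 1 = KRB5_NT_PRINCIPAL); used for the sample only
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", 1, 0, vno & 0xFF, etype, len(key)) + key
    body += struct.pack(">I", vno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: one AES256 (etype 0x12) entry with kvno 3, as in the thread
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("LAB.COM", ["HTTP", "debian.lab.com"], 3, 18, b"\x11" * 32)

def kvno_mismatches(data, ad_kvno):
    """Entries whose kvno differs from the account's msDS-KeyVersionNumber."""
    return [e for e in parse_keytab(data) if e["kvno"] != ad_kvno]
```

Running `kvno_mismatches(open("http.keytab", "rb").read(), 2)` against a real keytab with the kvno 2 the KDC reported would list the stale entry; an empty list means the keytab and AD agree.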