I think I may be getting incorrect tickets??

Jon Bowes jon.bowes at jackwills.com
Fri Sep 24 04:30:02 EDT 2010


Here is my setup...

I have a Windows 2003 DC running active directory (dc.domain.com)
I have a Linux Apache web server that I wish to allow access to. (apache.domain.com)
I have installed mod_auth_kerb

I found an excellent tutorial here: http://www.grolmsnet.de/kerbtut/ which I followed, but keep running into the same problem.
Here is my /etc/krb5.conf file:
[libdefaults]
 default_realm = DOMAIN.COM

[domain_realm]
  apache.domain.com = DOMAIN.COM

[realms]
  DOMAIN.COM = {
    admin_server = dc.domain.com
    kdc = dc.domain.com
  }

Then, if I run kinit my.windows.login@DOMAIN.COM I get asked for my domain password, which I enter.

I then run klist and get:
Default principal: my.windows.login@DOMAIN.COM
Service principal: krbtgt/DOMAIN.COM@DOMAIN.COM

Is this correct??

I then generate my keytab:
C:\>ktpass -princ HTTP/apache.domain.com@DOMAIN.COM
-mapuser apachea
-crypto rc4-hmac-nt
-ptype KRB5_NT_SRV_HST
-pass longlongpassword -out c:\temp\apache.keytab

This has been copied to apache at /etc/krb5.keytab. The file is world-readable, so apache should be able to read it no problem.

I then test my keytab file:

kinit -k -t /etc/krb5.keytab HTTP/apache.domain.com
and get
kinit(v5): Client not found in Kerberos database while getting initial credentials

I can't get past this bit! Any ideas where I can look?
Additionally, I have used kerbtray.exe to check my tickets when I logon.
I seem to get 2 as follows:
DOMAIN.COM
  |_  host/dc.jackwills.com
  |_  krbtgt/DOMAIN.COM

I would appreciate any help that you guys can provide...

Jon

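The keytab test above is the first thing to pin down. The following is an added example, not code from the post or from mod_auth_kerb or ktpass: it parses an MIT-format keytab such as /etc/krb5.keytab offline and reports whether it holds an entry for exactly the principal passed to kinit -k -t (realm case and host name included), with the enctype ktpass was told to write, and it flags a keytab that anyone other than the owning service account can read, since the file contains the service's long-term key. "Client not found in Kerberos database" is the KDC's answer, so once the keytab side is confirmed the search narrows to the account the SPN was mapped to. The keytab bytes in the block are constructed, the service user name in the usage note is assumed, and the format details are those of the MIT keytab version 2 layout.

```python
"""Offline inspection of an MIT version-2 keytab (the file ktpass writes and
kinit -k -t reads).  Added example; all sample data here is constructed."""
import stat
import struct

KEYTAB_MAGIC = b"\x05\x02"        # keytab file format version 2
ENCTYPE_RC4_HMAC = 23             # what "ktpass -crypto rc4-hmac-nt" writes
KRB5_NT_PRINCIPAL = 1
KRB5_NT_SRV_HST = 3               # "-ptype KRB5_NT_SRV_HST"


def _counted(raw: bytes) -> bytes:
    """Keytab counted octet string: 16-bit big-endian length, then bytes."""
    return struct.pack(">H", len(raw)) + raw


def _take_string(data: bytes, pos: int):
    """Read a counted octet string at pos; return (text, new_pos)."""
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode(), pos + n


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key, name_type) tuples into a
    version-2 keytab.  Used here only to construct sample input."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key, name_type in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        # name type, timestamp (0 = unknown), 8-bit kvno
        body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)           # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Return one dict (principal, kvno, enctype, name_type) per live entry.
    A negative size field marks a deleted slot, which is skipped."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab (bad magic)")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _take_string(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _take_string(data, pos)
            comps.append(comp)
        name_type, _timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen                           # skip the key material
        if end - pos >= 4:                        # 32-bit kvno is present
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype,
                        "name_type": name_type})
    return entries


def check_keytab(data: bytes, expected_principal: str,
                 expected_enctype: int = ENCTYPE_RC4_HMAC):
    """Return a list of problems; empty means the keytab holds a key of the
    expected enctype for exactly expected_principal (comparison is exact, so
    a realm written as domain.com will not match DOMAIN.COM)."""
    entries = parse_keytab(data)
    matching = [e for e in entries if e["principal"] == expected_principal]
    if not matching:
        present = sorted({e["principal"] for e in entries})
        return ["no entry for %s; keytab holds %s" % (expected_principal, present)]
    enctypes = sorted({e["enctype"] for e in matching})
    if expected_enctype not in enctypes:
        return ["no enctype %d key for %s (have %s)"
                % (expected_enctype, expected_principal, enctypes)]
    return []


def keytab_permission_problems(st_mode: int, owner_uid: int, service_uid: int):
    """The keytab is the service's long-term key: only the service account
    should own it and nobody else should be able to read or write it."""
    problems = []
    if owner_uid != service_uid:
        problems.append("keytab is not owned by the service account")
    if st_mode & (stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH):
        problems.append("keytab is group/other accessible (mode %o)"
                        % stat.S_IMODE(st_mode))
    return problems
```

Against the real file, `check_keytab(open("/etc/krb5.keytab", "rb").read(), "HTTP/apache.domain.com@DOMAIN.COM")` and `keytab_permission_problems(os.stat(p).st_mode, os.stat(p).st_uid, pwd.getpwnam("apache").pw_uid)` (the `apache` user name is an assumption) give the same answers as `klist -k -t -e` and `ls -l`, and a world-readable keytab should be tightened to mode 0600 owned by the service user before it goes into production.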


