trouble with msktutil and Windows 2008 AD

Douglas E. Engert deengert at anl.gov
Wed Mar 9 10:10:13 EST 2011



On 3/8/2011 9:19 AM, Rohit Kumar Mehta wrote:
>    From reading this list, it seems like msktutil is a much better
> solution for managing Linux service principals in an AD than using
> KTPASS.EXE.  However, I seem to be having some difficulties.
>
> I set up a test AD with the domain TAD.ENGR.UCONN.EDU, and I'm trying to
> create some service principals for my test-nfs server.  So on my test
> Linux server (running Ubuntu Lucid), I downloaded msktutil from git (I
> believe version 0.4), compiled, did a kinit
> Administrator at TAD.ENGR.UCONN.EDU, and then tried to run msktutil. This
> is what I get:

If this is from
  http://fuhm.net/software/msktutil/
I have not tried it, but it says it is based on this version:
  http://download.systemimager.org/~finley/msktutil/
Which is what we are using.

>
> root at test-nfs:~/build/f/msktutil# ./msktutil --precreate --hostname
> test-nfs.tad.engr.uconn.edu -s host -s nfs --server 137.99.15.89 --verbose
>    -- init_password: Wiping the computer password structure
>    -- get_default_keytab: Obtaining the default keytab name:
> FILE:/etc/krb5.keytab
>    -- create_fake_krb5_conf: Created a fake krb5.conf file:
> /tmp/.msktkrb5.conf-mc2Qvi
>    -- reload: Reloading Kerberos Context
>    -- get_short_hostname: Determined short hostname: test-nfs
>    -- finalize_exec: SAM Account Name is: test-nfs$
>    -- try_user_creds: Checking if default ticket cache has tickets...
>    -- finalize_exec: Authenticated using method 4
>
>    -- ldap_connect: Connecting to LDAP server: 137.99.15.89 try_tls=YES
>    -- ldap_connect: Connecting to LDAP server: 137.99.15.89 try_tls=NO
> SASL/GSSAPI authentication started
> Error: ldap_sasl_interactive_bind_s failed (Local error)
> Error: ldap_connect failed
> -->  Is your kerberos ticket expired? You might try re-"kinit"ing.
>    -- ~KRB5Context: Destroying Kerberos Context
> root at test-nfs:~/build/f/msktutil#
>
> Looking at Wireshark I see a bunch of errors like
> KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.  It looks like msktutil is trying to
> get authorized for this service
> ldap/test-dc1.tad.engr.uconn.edu.  Given that Microsoft Active Directory
> provides LDAP, I'm not sure why that is a problem.

I have never used the --precreate option.  But msktutil will need to be run
using a Kerberos ticket for an AD admin, as it needs to update AD. So you
need to run kinit before running msktutil. (After a keytab has been created,
and you are updating the keys, msktutil will try and use it first.)

>
> Am I doing anything obviously wrong?  If so I appreciate any help.  Thanks!
>
> Rohit
>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
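The two failure points in this exchange (no valid admin TGT in the default cache, and the KDC not knowing the DC's ldap/ service principal) can be checked before msktutil is ever run. The script below is an added example, not code from the thread or from msktutil itself; it assumes a MIT Kerberos client (klist, kvno) and takes the DC name, realm and msktutil arguments from the messages above.

```shell
#!/bin/sh
# Added example: preflight checks for an msktutil run against an AD DC.
# Assumptions: klist/kvno from a MIT Kerberos client; DC name, realm and
# msktutil arguments are the ones quoted in the thread.

# Build the service principal a GSSAPI LDAP bind to a DC asks the KDC for:
# trailing DNS dot stripped, host part lowercased, realm uppercased.
ldap_spn_for() {
    host=$(printf '%s' "$1" | sed 's/\.$//' | tr '[:upper:]' '[:lower:]')
    realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    printf 'ldap/%s@%s\n' "$host" "$realm"
}

# Succeeds only if the default credential cache holds a non-expired TGT.
# This is the 'Is your kerberos ticket expired?' case from the msktutil output.
have_valid_ticket() {
    klist -s 2>/dev/null
}

# Request a service ticket for the DC's ldap/ principal. A failure here is the
# same KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN seen in Wireshark, reproduced without
# msktutil in the loop.
check_ldap_spn() {
    spn=$(ldap_spn_for "$1" "$2")
    kvno "$spn" >/dev/null 2>&1
}

preflight() {
    dc=$1; realm=$2
    have_valid_ticket || { echo "no valid TGT in the default cache; run kinit as an AD admin first" >&2; return 1; }
    check_ldap_spn "$dc" "$realm" || {
        echo "KDC does not know $(ldap_spn_for "$dc" "$realm"); check DNS and realm configuration" >&2
        return 1
    }
    echo "preflight OK: TGT present and $(ldap_spn_for "$dc" "$realm") is known to the KDC"
}

# Only run the checks when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    preflight test-dc1.tad.engr.uconn.edu TAD.ENGR.UCONN.EDU || exit 1
    ./msktutil --precreate --hostname test-nfs.tad.engr.uconn.edu -s host -s nfs \
        --server 137.99.15.89 --verbose
fi
```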


