2003 R2 AD servicePrincipalName issue

Alon Bar-Lev alon.barlev at gmail.com
Wed Nov 9 02:46:03 EST 2011


0. Delete everything you did from Active Directory
Computer SPN and everything.

1. Make sure active directory can resolve and reverse resolve your server.
ping server.xxx.com
ping -a ip.a.dd.res

2. Edit /etc/krb5.conf
---
[libdefaults]
        default_realm = XXX.COM
        forwardable = true

[realms]

[domain_realm]

[logging]
---

3. Install samba

4. Edit /etc/smb.conf
Modify:
        workgroup = XXX
        security = ads
        kerberos method = system keytab
        client use spnego = yes
        realm = XXX.COM
        local master = no

5. Run:
# net ads join -U Administrator
# net ads testjoin
# net ads keytab create -U Administrator
# net ads keytab add HTTP -U Administrator

6. Allow apache access to the keytab
chgrp apache /etc/krb5.keytab
chmod g+r /etc/krb5.keytab

7. Configure mod_auth_kerb
---
        AuthName "Kerberos Login"
        AuthType Kerberos
        Krb5Keytab /etc/krb5.keytab
        KrbAuthRealm XXX.COM
---

Good luck!

2011/11/9 Gnädinger Ralf <ralf.gnaedinger at joma-polytec.de>
>
> Hi all,
>
> I am trying to kerberize my apache via mod_auth_kerb on a debian squeeze box with our company's 2003 R2 active directory service.
>
> After I configured Kerberos on my linux box, I am able to get a ticket using kinit username.
>
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: sysman at JOMA.DE
>
> Valid starting     Expires            Service principal
> 11/09/11 07:51:29  11/09/11 17:51:17  krbtgt/JOMA.DE at JOMA.DE
>        renew until 11/10/11 07:51:29, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
>
> Then I created a computer account and added the service principal names like this in our AD
>
> #setspn -R jp-sys8
> #setspn -A HTTP/jp-sys8.joma.de jp-sys8
> #setspn -L jp-sys8
>
> Registered ServicePrincipalNames for CN=jp-sys8,CN=Computers,DC=joma,DC=de:
>    HOST/jp-sys8.joma.de
>    HOST/jp-sys8
>    HTTP/jp-sys8.joma.de
>
> Now when I use kvno on my linux box it is possible to get the version like this
>
> # kvno HOST/jp-sys8
> HOST/jp-sys8 at JOMA.DE: kvno = 2
>
> but if I try HOST/jp-sys8.joma.de it's not working...
>
> # kvno HOST/jp-sys8.joma.de
> kvno: Server not found in Kerberos database while getting credentials for HOST/jp-sys8.joma.de at JOMA.DE
>
> When I am adding HTTP/jp-sys8 as service principal it is the same: HTTP/jp-sys8 works, HTTP/jp-sys8.joma.de doesn't.
>
> Is there anything I've missed?
>
> Thanks
>
> Ralf
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
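
As an added check after the join and keytab steps in Alon's reply (this script is not part of the original thread): a small POSIX shell script that confirms the keytab holds the HTTP/<fqdn>@REALM principal mod_auth_kerb needs and that its key version number agrees with what the KDC reports, which is what Ralf's kvno runs were probing. Host and realm names are taken from Ralf's post; the klist and kvno output embedded in the script is constructed sample data standing in for the real commands.

```shell
#!/bin/sh
# Added example, not from the thread: after "net ads keytab add HTTP" (step 5),
# verify the keytab entry mod_auth_kerb will use and compare its kvno with the
# KDC. A kvno mismatch (keytab regenerated after the KDC bumped the version, or
# the other way round) fails authentication just like a missing SPN does.
# Hostname jp-sys8.joma.de and realm JOMA.DE are taken from Ralf's post.

# Highest kvno for a principal in `klist -kt` output (read from stdin);
# prints nothing when the principal is not in the keytab at all.
keytab_kvno() {
    awk -v p="$1" '$NF == p && $1 ~ /^[0-9]+$/ { if ($1 + 0 > max) max = $1 + 0 }
                   END { if (max) print max }'
}

# kvno the KDC reports, parsed from `kvno <princ>` output (read from stdin),
# which looks like "<princ>: kvno = N".
kdc_kvno() {
    awk -v p="$1" '$1 == (p ":") && $2 == "kvno" { print $4 }'
}

# check_spn PRINC KLIST_OUTPUT KVNO_OUTPUT
# 0: keytab entry present and kvno matches the KDC
# 1: principal missing from the keytab
# 2: kvno in the keytab differs from the KDC's
# 3: KDC returned nothing for the principal (Ralf's "Server not found")
check_spn() {
    princ="$1"
    kt=$(printf '%s\n' "$2" | keytab_kvno "$princ")
    kdc=$(printf '%s\n' "$3" | kdc_kvno "$princ")
    [ -n "$kt" ]  || { echo "MISSING: $princ is not in the keytab" >&2; return 1; }
    [ -n "$kdc" ] || { echo "UNKNOWN: KDC has no entry for $princ" >&2; return 3; }
    [ "$kt" = "$kdc" ] || { echo "MISMATCH: keytab kvno $kt, KDC kvno $kdc" >&2; return 2; }
    echo "OK: $princ has kvno $kt in the keytab and on the KDC"
}

# Constructed sample output standing in for:
#   klist -kt /etc/krb5.keytab      and      kvno HTTP/jp-sys8.joma.de
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 11/09/2011 08:00:00 host/jp-sys8.joma.de@JOMA.DE
   2 11/09/2011 08:00:00 HTTP/jp-sys8.joma.de@JOMA.DE
   3 11/09/2011 08:05:00 HTTP/jp-sys8.joma.de@JOMA.DE'
SAMPLE_KVNO='HTTP/jp-sys8.joma.de@JOMA.DE: kvno = 3'

# On the Apache host, feed the real command output instead of the samples:
# check_spn "HTTP/$(hostname -f)@JOMA.DE" "$(klist -kt)" "$(kvno "HTTP/$(hostname -f)")"
check_spn HTTP/jp-sys8.joma.de@JOMA.DE "$SAMPLE_KLIST" "$SAMPLE_KVNO"
```

Run it as root (or as the apache group member from step 6) so klist can read /etc/krb5.keytab; a non-zero exit pinpoints which of the three failure modes applies before touching the mod_auth_kerb config.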
