2003 R2 AD servicePrincipalName issue
Alon Bar-Lev
alon.barlev at gmail.com
Wed Nov 9 02:46:03 EST 2011
0. Delete everything you did from active directory
Computer spn and everything.
1. Make sure active directory can resolve and reverse resolve your server.
ping server.xxx.com
ping -a ip.a.dd.res
2. Edit /etc/krb5.conf
---
[libdefaults]
default_realm = XXX.COM
forwardable = true
[realms]
[domain_realm]
[logging]
---
3. Install samba
4. Edit /etc/smb.conf
Modify:
workgroup = XXX
security = ads
kerberos method = system keytab
client use spnego = yes
realm = XXX.COM
local master = no
5. Run:
# net ads join -U Administrator
# net ads testjoin
# net ads keytab create -U Administrator
# net ads keytab add HTTP -U Administrator
6. Allow apache access keytab
chgrp apache /etc/krb5.keytab
chmod g+r /etc/krb5.keytab
7. Configure mod_auth_kerb
---
AuthName "Kerberos Login"
AuthType Kerberos
Krb5Keytab /etc/krb5.keytab
KrbAuthRealm XXX.COM
---
Good luck!
2011/11/9 Gnädinger Ralf <ralf.gnaedinger at joma-polytec.de>
>
> Hi all,
>
> I am trying to kerbernize my apache via mod_auth_kerb on a debian squeeze box with our company 2003 R2 active directory service.
>
> After I configured Kerberos on my linux box I am able to get a ticket using kinit username.
>
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: sysman at JOMA.DE
>
> Valid starting Expires Service principal
> 11/09/11 07:51:29 11/09/11 17:51:17 krbtgt/JOMA.DE at JOMA.DE
> renew until 11/10/11 07:51:29, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
>
> Then I created a computer account and added the service principal names like this in our AD
>
> #setspn -R jp-sys8
> #setspn -A HTTP/jp-sys8.joma.de jp-sys8
> #setspn -L jp-sys8
>
> Registered ServicePrincipalNames for CN=jp-sys8,CN=Computers,DC=joma,DC=de:
> HOST/jp-sys8.joma.de
> HOST/jp-sys8
> HTTP/jp-sys8.joma.de
>
> Now when I use kvno on my linux box it is possible to get the version like this
>
> # kvno HOST/jp-sys8
> HOST/jp-sys8 at JOMA.DE: kvno = 2
>
> but if I try HOST/jp-sys8.joma.de it`s not working...
>
> # kvno HOST/jp-sys8.joma.de
> kvno: Server not found in Kerberos database while getting credentials for HOST/jp-sys8.joma.de at JOMA.DE
>
> When I am adding HTTP/jp-sys8 as service principal it is the same HTTP/jp-sys8 works HTTP/jp-sys8.joma.de doesn`t.
>
> Is there anything i`ve missed?
>
> Thanks
>
> Ralf
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
More information about the Kerberos
mailing list