2003 R2 AD servicePrincipalName issue

Gnädinger Ralf ralf.gnaedinger at joma-polytec.de
Wed Nov 9 03:54:13 EST 2011


Hi Alon,

I've done everything you wrote below.
Ping and reverse lookup work fine, and the servicePrincipalNames are set (kvno HOST or HTTP/jp-sys8 works; with jp-sys8.joma.de it does not)...

kvno HOST/jp-sys8
HOST/jp-sys8 at JOMA.DE: kvno = 2

Kinit with HOST/jp-sys8 or HOST/jp-sys8.joma.de doesn't work either.

The servicePrincipalNames in our AD:

Registered ServicePrincipalNames for CN=jp-sys8,CN=Computers,DC=joma,DC=de:
    HTTP/jp-sys8.joma.de
    HTTP/jp-sys8
    HOST/jp-sys8.joma.de
    HOST/JP-SYS8

My krb5.keytab has the following entries:

Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/jp-sys8.joma.de at JOMA.DE (DES cbc mode with CRC-32)
   2 host/jp-sys8.joma.de at JOMA.DE (DES cbc mode with RSA-MD5)
   2 host/jp-sys8.joma.de at JOMA.DE (ArcFour with HMAC/md5)
   2 host/jp-sys8 at JOMA.DE (DES cbc mode with CRC-32)
   2 host/jp-sys8 at JOMA.DE (DES cbc mode with RSA-MD5)
   2 host/jp-sys8 at JOMA.DE (ArcFour with HMAC/md5)
   2 JP-SYS8$@JOMA.DE (DES cbc mode with CRC-32)
   2 JP-SYS8$@JOMA.DE (DES cbc mode with RSA-MD5)
   2 JP-SYS8$@JOMA.DE (ArcFour with HMAC/md5)
   2 HTTP/jp-sys8.joma.de at JOMA.DE (DES cbc mode with CRC-32)
   2 HTTP/jp-sys8.joma.de at JOMA.DE (DES cbc mode with RSA-MD5)
   2 HTTP/jp-sys8.joma.de at JOMA.DE (ArcFour with HMAC/md5)
   2 HTTP/jp-sys8 at JOMA.DE (DES cbc mode with CRC-32)
   2 HTTP/jp-sys8 at JOMA.DE (DES cbc mode with RSA-MD5)
   2 HTTP/jp-sys8 at JOMA.DE (ArcFour with HMAC/md5)

Of course the authentication via apache2 wouldn't work; I think kinit should work first, but I have no clue
what's going wrong here :(

Thanks

Ralf

-----Original Message-----
From: Alon Bar-Lev [mailto:alon.barlev at gmail.com]
Sent: Wednesday, 9 November 2011 08:46
To: Gnädinger Ralf
Cc: kerberos at mit.edu
Subject: Re: 2003 R2 AD servicePrincipalName issue

0. Delete everything you did from active directory Computer spn and everything.

1. Make sure active directory can resolve and reverse resolve your server.
ping server.xxx.com
ping -a ip.a.dd.res

2. Edit /etc/krb5.conf
---
[libdefaults]
        default_realm = XXX.COM
        forwardable = true

[realms]

[domain_realm]

[logging]
---

3. Install samba

4. Edit /etc/smb.conf
Modify:
        workgroup = XXX
        security = ads
        kerberos method = system keytab
        client use spnego = yes
        realm = XXX.COM
        local master = no

5. Run:
# net ads join -U Administrator
# net ads testjoin
# net ads keytab create -U Administrator
# net ads keytab add HTTP -U Administrator

6. Allow apache access to the keytab
chgrp apache /etc/krb5.keytab
chmod g+r /etc/krb5.keytab

7. Configure mod_auth_kerb
---
        AuthName "Kerberos Login"
        AuthType Kerberos
        Krb5Keytab /etc/krb5.keytab
        KrbAuthRealm XXX.COM
---

Good luck!

2011/11/9 Gnädinger Ralf <ralf.gnaedinger at joma-polytec.de>
>
> Hi all,
>
> I am trying to Kerberize my apache via mod_auth_kerb on a Debian squeeze box with our company's 2003 R2 Active Directory service.
>
> After I configured Kerberos on my linux box I am able to get a ticket using kinit username.
>
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: sysman at JOMA.DE
>
> Valid starting     Expires            Service principal
> 11/09/11 07:51:29  11/09/11 17:51:17  krbtgt/JOMA.DE at JOMA.DE
>        renew until 11/10/11 07:51:29, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
>
> Then I created a computer account and added the service principal 
> names like this in our AD
>
> #setspn -R jp-sys8
> #setspn -A HTTP/jp-sys8.joma.de jp-sys8
> #setspn -L jp-sys8
>
> Registered ServicePrincipalNames for CN=jp-sys8,CN=Computers,DC=joma,DC=de:
>    HOST/jp-sys8.joma.de
>    HOST/jp-sys8
>    HTTP/jp-sys8.joma.de
>
> Now when I use kvno on my linux box it is possible to get the version 
> like this
>
> # kvno HOST/jp-sys8
> HOST/jp-sys8 at JOMA.DE: kvno = 2
>
> but if I try HOST/jp-sys8.joma.de it's not working...
>
> # kvno HOST/jp-sys8.joma.de
> kvno: Server not found in Kerberos database while getting credentials for HOST/jp-sys8.joma.de at JOMA.DE
>
> When I add HTTP/jp-sys8 as a service principal it is the same: HTTP/jp-sys8 works, HTTP/jp-sys8.joma.de doesn't.
>
> Is there anything I've missed?
>
> Thanks
>
> Ralf
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu 
> https://mailman.mit.edu/mailman/listinfo/kerberos
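A cross-check of the three listings this thread walks through (setspn -L, klist -k -e and kvno), written as an added example and not part of the thread or of any of the tools: it parses each output, compares registered SPNs against keytab entries and the key version the KDC reports, and flags single-DES keys like those in Ralf's keytab. The sample outputs are constructed from the thread's values with the "@" restored and one stale KVNO added on purpose; the case-insensitive comparison assumes the AD KDC behaviour the thread itself shows (HOST/JP-SYS8 registered, kvno HOST/jp-sys8 succeeding).

```python
import re
# Constructed sample output, modelled on the thread ("@" restored, one stale
# KVNO added on purpose so the mismatch check has something to find).
SPN_OUTPUT = """Registered ServicePrincipalNames for CN=jp-sys8,CN=Computers,DC=joma,DC=de:
    HTTP/jp-sys8.joma.de
    HTTP/jp-sys8
    HOST/jp-sys8.joma.de
    HOST/JP-SYS8"""
KEYTAB_OUTPUT = """Keytab name: WRFILE:/etc/krb5.keytab
---- --------------------------------------------------
   2 host/jp-sys8.joma.de@JOMA.DE (DES cbc mode with CRC-32)
   2 host/jp-sys8.joma.de@JOMA.DE (ArcFour with HMAC/md5)
   2 host/jp-sys8@JOMA.DE (ArcFour with HMAC/md5)
   2 JP-SYS8$@JOMA.DE (ArcFour with HMAC/md5)
   1 HTTP/jp-sys8.joma.de@JOMA.DE (ArcFour with HMAC/md5)
   2 HTTP/jp-sys8@JOMA.DE (ArcFour with HMAC/md5)"""
KVNO_OUTPUT = """HOST/jp-sys8@JOMA.DE: kvno = 2
HTTP/jp-sys8@JOMA.DE: kvno = 2
HTTP/jp-sys8.joma.de@JOMA.DE: kvno = 2"""
WEAK = ("des cbc",)  # single-DES keys; RC4 ("ArcFour") is legacy too, but it was the strongest 2003 offered

def norm(principal):
    """service/host without realm, lower-cased: the AD KDC matches SPNs case-insensitively."""
    return principal.split("@", 1)[0].lower()

def parse_spns(text):  # setspn -L output: one SPN per indented line
    return {norm(l.strip()) for l in text.splitlines() if "/" in l and not l.startswith("Registered")}

def parse_keytab(text):  # klist -k -e output -> {principal: [(kvno, enctype), ...]}
    entries = {}  # the machine account (no '/') is not a service principal and is skipped
    for m in re.finditer(r"^\s*(\d+)\s+(\S+/\S+)\s+\((.+)\)\s*$", text, re.M):
        entries.setdefault(norm(m.group(2)), []).append((int(m.group(1)), m.group(3)))
    return entries

def parse_kvno(text):  # kvno output -> {principal: key version the KDC currently holds}
    return {norm(m.group(1)): int(m.group(2)) for m in re.finditer(r"^(\S+): kvno = (\d+)$", text, re.M)}
def check(spns, keytab, kdc):
    """Cross-check the three views; every list empty means AD, KDC and keytab agree."""
    have = set(keytab)
    return {
        "missing_in_keytab": sorted(spns - have),          # SPN registered, but no key to decrypt tickets
        "extra_in_keytab": sorted(have - spns),            # key present, but the KDC never issues for it
        "no_kdc_kvno": sorted(spns - set(kdc)),            # kvno failed or was not run (the thread's symptom)
        "kvno_mismatch": sorted(p for p in spns & have & set(kdc)
                                if max(k for k, _ in keytab[p]) != kdc[p]),  # stale keytab key
        "weak_enctype": sorted((p, e) for p, es in keytab.items()
                               for _, e in es if e.lower().startswith(WEAK)),
    }
```

Run it against real output by feeding the three captured listings into `check`; a non-empty `no_kdc_kvno` for a registered SPN is the same "Server not found" situation Ralf reports and points at the KDC side rather than the keytab.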
