2003 R2 AD servicePrincipalName issue
Gnädinger Ralf
ralf.gnaedinger at joma-polytec.de
Wed Nov 9 03:54:13 EST 2011
Hi Alon,
I've done everything you wrote below.
Ping and reverse lookup work fine, servicePrincipalNames are set (kvno with HOST or HTTP/jp-sys8 works, with jp-sys8.joma.de it does not)...
kvno HOST/jp-sys8
HOST/jp-sys8 at JOMA.DE: kvno = 2
Kinit with HOST/jp-sys8 or HOST/jp-sys8.joma.de doesn't work either.
The servicePrincipalNames in our AD:
Registered ServicePrincipalNames for CN=jp-sys8,CN=Computers,DC=joma,DC=de:
HTTP/jp-sys8.joma.de
HTTP/jp-sys8
HOST/jp-sys8.joma.de
HOST/JP-SYS8
My krb5.keytab has the following entries:
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/jp-sys8.joma.de at JOMA.DE (DES cbc mode with CRC-32)
2 host/jp-sys8.joma.de at JOMA.DE (DES cbc mode with RSA-MD5)
2 host/jp-sys8.joma.de at JOMA.DE (ArcFour with HMAC/md5)
2 host/jp-sys8 at JOMA.DE (DES cbc mode with CRC-32)
2 host/jp-sys8 at JOMA.DE (DES cbc mode with RSA-MD5)
2 host/jp-sys8 at JOMA.DE (ArcFour with HMAC/md5)
2 JP-SYS8$@JOMA.DE (DES cbc mode with CRC-32)
2 JP-SYS8$@JOMA.DE (DES cbc mode with RSA-MD5)
2 JP-SYS8$@JOMA.DE (ArcFour with HMAC/md5)
2 HTTP/jp-sys8.joma.de at JOMA.DE (DES cbc mode with CRC-32)
2 HTTP/jp-sys8.joma.de at JOMA.DE (DES cbc mode with RSA-MD5)
2 HTTP/jp-sys8.joma.de at JOMA.DE (ArcFour with HMAC/md5)
2 HTTP/jp-sys8 at JOMA.DE (DES cbc mode with CRC-32)
2 HTTP/jp-sys8 at JOMA.DE (DES cbc mode with RSA-MD5)
2 HTTP/jp-sys8 at JOMA.DE (ArcFour with HMAC/md5)
Of course the authentication via apache2 wouldn't work; I think kinit should work first, but I have no clue what's going wrong here :(
Thanks
Ralf
-----Original Message-----
From: Alon Bar-Lev [mailto:alon.barlev at gmail.com]
Sent: Wednesday, 9 November 2011 08:46
To: Gnädinger Ralf
Cc: kerberos at mit.edu
Subject: Re: 2003 R2 AD servicePrincipalName issue
0. Delete everything you did from active directory Computer spn and everything.
1. Make sure active directory can resolve and reverse resolve your server.
ping server.xxx.com
ping -a ip.a.dd.res
2. Edit /etc/krb5.conf
---
[libdefaults]
default_realm = XXX.COM
forwardable = true
[realms]
[domain_realm]
[logging]
---
3. Install samba
4. Edit /etc/smb.conf
Modify:
workgroup = XXX
security = ads
kerberos method = system keytab
client use spnego = yes
realm = XXX.COM
local master = no
5. Run:
# net ads join -U Administrator
# net ads testjoin
# net ads keytab create -U Administrator
# net ads keytab add HTTP -U Administrator
6. Allow apache access keytab
chgrp apache /etc/krb5.keytab
chmod g+r /etc/krb5.keytab
7. Configure mod_auth_kerb
---
AuthName "Kerberos Login"
AuthType Kerberos
Krb5Keytab /etc/krb5.keytab
KrbAuthRealm XXX.COM
---
Good luck!
2011/11/9 Gnädinger Ralf <ralf.gnaedinger at joma-polytec.de>
>
> Hi all,
>
> I am trying to kerberize my apache via mod_auth_kerb on a debian squeeze box with our company 2003 R2 active directory service.
>
> After I configured Kerberos on my linux box I am able to get a ticket using kinit username.
>
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: sysman at JOMA.DE
>
> Valid starting Expires Service principal
> 11/09/11 07:51:29 11/09/11 17:51:17 krbtgt/JOMA.DE at JOMA.DE
> renew until 11/10/11 07:51:29, Etype (skey, tkt): ArcFour with
> HMAC/md5, ArcFour with HMAC/md5
>
> Then I created a computer account and added the service principal
> names like this in our AD
>
> #setspn -R jp-sys8
> #setspn -A HTTP/jp-sys8.joma.de jp-sys8
> #setspn -L jp-sys8
>
> Registered ServicePrincipalNames for CN=jp-sys8,CN=Computers,DC=joma,DC=de:
> HOST/jp-sys8.joma.de
> HOST/jp-sys8
> HTTP/jp-sys8.joma.de
>
> Now when I use kvno on my linux box it is possible to get the version
> like this
>
> # kvno HOST/jp-sys8
> HOST/jp-sys8 at JOMA.DE: kvno = 2
>
> but if I try HOST/jp-sys8.joma.de it's not working...
>
> # kvno HOST/jp-sys8.joma.de
> kvno: Server not found in Kerberos database while getting credentials
> for HOST/jp-sys8.joma.de at JOMA.DE
>
> When I am adding HTTP/jp-sys8 as a service principal it is the same: HTTP/jp-sys8 works, HTTP/jp-sys8.joma.de doesn't.
>
> Is there anything I've missed?
>
> Thanks
>
> Ralf
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
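As an added check that is not part of this thread or of any of the tools it mentions: a small Python script that cross-references the SPNs reported by `setspn -L` against the principals in `klist -ke` output, flagging SPNs that are absent from the keytab, SPNs that differ from a keytab entry only in letter case (AD matches SPNs case-insensitively, while MIT keytab lookups compare principal names exactly), and entries that still carry DES keys. The two sample outputs are constructed from the listings above, not captured from the poster's box, and the regex also accepts the archive's " at " in place of "@".

```python
import re

# Constructed sample of `setspn -L jp-sys8` output, modelled on the thread.
SETSPN_L = """Registered ServicePrincipalNames for CN=jp-sys8,CN=Computers,DC=joma,DC=de:
    HTTP/jp-sys8.joma.de
    HTTP/jp-sys8
    HOST/jp-sys8.joma.de
    HOST/JP-SYS8
"""

# Constructed sample of `klist -ke` output (subset of the thread's listing).
KLIST_KE = """Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------
   2 host/jp-sys8.joma.de@JOMA.DE (DES cbc mode with CRC-32)
   2 host/jp-sys8.joma.de@JOMA.DE (ArcFour with HMAC/md5)
   2 host/jp-sys8@JOMA.DE (ArcFour with HMAC/md5)
   2 JP-SYS8$@JOMA.DE (ArcFour with HMAC/md5)
   2 HTTP/jp-sys8.joma.de@JOMA.DE (ArcFour with HMAC/md5)
   2 HTTP/jp-sys8@JOMA.DE (ArcFour with HMAC/md5)
"""

WEAK_ENCTYPE_PREFIXES = ("DES cbc mode",)
# kvno, principal, realm, enctype; "@" or the archive's " at " separates principal and realm.
KLIST_RE = re.compile(r"^\s*(\d+)\s+(\S+?)(?:@| at )(\S+)\s+\((.+)\)\s*$")

def parse_setspn(text):
    """Return the set of SPNs from setspn -L output (lines with a '/' and no ':')."""
    return {line.strip() for line in text.splitlines() if "/" in line and ":" not in line}

def parse_klist(text):
    """Map each principal in klist -ke output to its kvno and the set of enctypes stored."""
    entries = {}
    for line in text.splitlines():
        m = KLIST_RE.match(line)
        if m:
            kvno, princ, realm, etype = m.groups()
            entry = entries.setdefault(princ, {"kvno": int(kvno), "realm": realm, "enctypes": set()})
            entry["enctypes"].add(etype)
    return entries

def audit(spn_text, keytab_text):
    """Return a list of findings: missing SPNs, case-only mismatches, weak enctypes."""
    spns, keytab = parse_setspn(spn_text), parse_klist(keytab_text)
    by_lower = {p.lower(): p for p in keytab}
    findings = []
    for spn in sorted(spns):
        if spn in keytab:
            continue
        if spn.lower() in by_lower:
            findings.append(f"case mismatch: AD has {spn}, keytab has {by_lower[spn.lower()]}")
        else:
            findings.append(f"missing from keytab: {spn}")
    for princ, entry in keytab.items():
        weak = sorted(t for t in entry["enctypes"] if t.startswith(WEAK_ENCTYPE_PREFIXES))
        if weak:
            findings.append(f"weak enctype for {princ}: {', '.join(weak)}")
    return findings

if __name__ == "__main__":
    for finding in audit(SETSPN_L, KLIST_KE):
        print(finding)
```

On a real host, feed it the live output of `setspn -L <computer>` (run on the DC) and `klist -ke` (run on the Linux box) instead of the constructed samples.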