2003 R2 AD servicePrincipalName issue

Alon Bar-Lev alon.barlev at gmail.com
Wed Nov 9 04:21:39 EST 2011


If 'net ads testjoin' works, there is no reason other stuff won't...

Try:
# kdestroy
# kinit -kt /etc/krb5.keytab -S HTTP/jp-sys8.joma.de@JOMA.DE 'JP-SYS8$'
# klist

Are you sure you are trying to access the server using its fully qualified DNS name?
How do you test this? Did you try a simple IE in the intranet zone?

2011/11/9 Gnädinger Ralf <ralf.gnaedinger at joma-polytec.de>:
> Hi Alon,
>
> I've done everything you wrote below.
> Ping and reverse lookup work fine, servicePrincipalNames are set (kvno with HOST or HTTP/jp-sys8 works, with jp-sys8.joma.de it does not)...
>
> kvno HOST/jp-sys8
> HOST/jp-sys8@JOMA.DE: kvno = 2
>
> Kinit with HOST/jp-sys8 or HOST/jp-sys8.joma.de doesn't work either.
>
> The servicePrincipalNames in our AD:
>
> Registered ServicePrincipalNames for CN=jp-sys8,CN=Computers,DC=joma,DC=de:
>    HTTP/jp-sys8.joma.de
>    HTTP/jp-sys8
>    HOST/jp-sys8.joma.de
>    HOST/JP-SYS8
>
> My krb5.keytab has the following entries:
>
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>   2 host/jp-sys8.joma.de@JOMA.DE (DES cbc mode with CRC-32)
>   2 host/jp-sys8.joma.de@JOMA.DE (DES cbc mode with RSA-MD5)
>   2 host/jp-sys8.joma.de@JOMA.DE (ArcFour with HMAC/md5)
>   2 host/jp-sys8@JOMA.DE (DES cbc mode with CRC-32)
>   2 host/jp-sys8@JOMA.DE (DES cbc mode with RSA-MD5)
>   2 host/jp-sys8@JOMA.DE (ArcFour with HMAC/md5)
>   2 JP-SYS8$@JOMA.DE (DES cbc mode with CRC-32)
>   2 JP-SYS8$@JOMA.DE (DES cbc mode with RSA-MD5)
>   2 JP-SYS8$@JOMA.DE (ArcFour with HMAC/md5)
>   2 HTTP/jp-sys8.joma.de@JOMA.DE (DES cbc mode with CRC-32)
>   2 HTTP/jp-sys8.joma.de@JOMA.DE (DES cbc mode with RSA-MD5)
>   2 HTTP/jp-sys8.joma.de@JOMA.DE (ArcFour with HMAC/md5)
>   2 HTTP/jp-sys8@JOMA.DE (DES cbc mode with CRC-32)
>   2 HTTP/jp-sys8@JOMA.DE (DES cbc mode with RSA-MD5)
>   2 HTTP/jp-sys8@JOMA.DE (ArcFour with HMAC/md5)
>
> Of course the authentication via apache2 wouldn't work; I think kinit should work first, but I have no clue
> what's going wrong here :(
>
> Thanks
>
> Ralf
>
> -----Original Message-----
> From: Alon Bar-Lev [mailto:alon.barlev at gmail.com]
> Sent: Wednesday, 9 November 2011 08:46
> To: Gnädinger Ralf
> Cc: kerberos at mit.edu
> Subject: Re: 2003 R2 AD servicePrincipalName issue
>
> 0. Delete everything you did from active directory Computer spn and everything.
>
> 1. Make sure active directory can resolve and reverse resolve your server.
> ping server.xxx.com
> ping -a ip.a.dd.res
>
> 2. Edit /etc/krb5.conf
> ---
> [libdefaults]
>        default_realm = XXX.COM
>        forwardable = true
>
> [realms]
>
> [domain_realm]
>
> [logging]
> ---
>
> 3. Install samba
>
> 4. Edit /etc/smb.conf
> Modify:
>        workgroup = XXX
>        security = ads
>        kerberos method = system keytab
>        client use spnego = yes
>        realm = XXX.COM
>        local master = no
>
> 5. Run:
> # net ads join -U Administrator
> # net ads testjoin
> # net ads keytab create -U Administrator
> # net ads keytab add HTTP -U Administrator
>
> 6. Allow apache access keytab
> chgrp apache /etc/krb5.keytab
> chmod g+r /etc/krb5.keytab
>
> 7. Configure mod_auth_kerb
> ---
>        AuthName "Kerberos Login"
>        AuthType Kerberos
>        Krb5Keytab /etc/krb5.keytab
>        KrbAuthRealm XXX.COM
> ---
>
> Good luck!
>
> 2011/11/9 Gnädinger Ralf <ralf.gnaedinger at joma-polytec.de>
>>
>> Hi all,
>>
>> I am trying to kerberize my apache via mod_auth_kerb on a debian squeeze box against our company's 2003 R2 Active Directory.
>>
>> After I configured Kerberos on my linux box I am able to get a ticket using kinit username.
>>
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: sysman@JOMA.DE
>>
>> Valid starting     Expires            Service principal
>> 11/09/11 07:51:29  11/09/11 17:51:17  krbtgt/JOMA.DE@JOMA.DE
>>        renew until 11/10/11 07:51:29, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
>>
>> Then I created a computer account and added the service principal
>> names like this in our AD
>>
>> #setspn -R jp-sys8
>> #setspn -A HTTP/jp-sys8.joma.de jp-sys8
>> #setspn -L jp-sys8
>>
>> Registered ServicePrincipalNames for CN=jp-sys8,CN=Computers,DC=joma,DC=de:
>>    HOST/jp-sys8.joma.de
>>    HOST/jp-sys8
>>    HTTP/jp-sys8.joma.de
>>
>> Now when I use kvno on my linux box it is possible to get the version
>> like this
>>
>> # kvno HOST/jp-sys8
>> HOST/jp-sys8@JOMA.DE: kvno = 2
>>
>> but if I try HOST/jp-sys8.joma.de it's not working...
>>
>> # kvno HOST/jp-sys8.joma.de
>> kvno: Server not found in Kerberos database while getting credentials for HOST/jp-sys8.joma.de@JOMA.DE
>>
>> When I add HTTP/jp-sys8 as a service principal it is the same: HTTP/jp-sys8 works, HTTP/jp-sys8.joma.de doesn't.
>>
>> Is there anything I've missed?
>>
>> Thanks
>>
>> Ralf
>>
>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
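The thread compares the `setspn -L` listing against `klist -k` by eye. The script below is an added example (Python, written for this page; it is not from the thread or from any participant) that does the same cross-check mechanically: it parses both outputs, folds case because Active Directory matches the service class and host of an SPN case-insensitively, and reports SPNs with no key in the keytab, keytab keys with no registered SPN, service keys whose kvno no longer matches the computer account's kvno (all SPNs on one AD account share that account's key, so a differing kvno means a stale keytab), and single-DES entries. The sample input is constructed to resemble the quoted outputs, with an extra alias SPN `HTTP/intranet.joma.de` and an extra `ldap/` keytab key invented so that each mismatch class shows up.

```python
"""Cross-check Active Directory SPNs against a host's Kerberos keytab.

Added example, not code from the mailing-list thread. Inputs are the text
printed by `setspn -L <account>` (Windows) and `klist -k` (MIT Kerberos).
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input shaped like the outputs quoted in the thread.
# HTTP/intranet.joma.de (alias without a key) and ldap/ (key without an SPN)
# are invented additions so that every check below has something to report.
SPN_OUTPUT = """Registered ServicePrincipalNames for CN=jp-sys8,CN=Computers,DC=joma,DC=de:
   HTTP/jp-sys8.joma.de
   HTTP/jp-sys8
   HTTP/intranet.joma.de
   HOST/jp-sys8.joma.de
   HOST/JP-SYS8
"""

KEYTAB_OUTPUT = """Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/jp-sys8.joma.de@JOMA.DE (DES cbc mode with CRC-32)
   2 host/jp-sys8.joma.de@JOMA.DE (ArcFour with HMAC/md5)
   1 host/jp-sys8@JOMA.DE (ArcFour with HMAC/md5)
   2 JP-SYS8$@JOMA.DE (ArcFour with HMAC/md5)
   2 HTTP/jp-sys8.joma.de@JOMA.DE (ArcFour with HMAC/md5)
   2 HTTP/jp-sys8@JOMA.DE (ArcFour with HMAC/md5)
   2 ldap/jp-sys8.joma.de@JOMA.DE (ArcFour with HMAC/md5)
"""

_KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")
_WEAK_ENCTYPE = re.compile(r"^DES cbc mode", re.IGNORECASE)  # single DES


def _normalize(name: str) -> str:
    """Drop the realm and fold case: AD matches SPN service class and host case-insensitively."""
    name = name.split("@", 1)[0]
    service, _, host = name.partition("/")
    return f"{service.upper()}/{host.lower()}"


def parse_spns(text: str) -> Dict[str, str]:
    """Map normalized SPN -> SPN exactly as setspn -L printed it."""
    spns: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if "/" in line and not line.startswith("Registered"):
            spns[_normalize(line)] = line
    return spns


def parse_keytab(text: str) -> Tuple[Dict[str, dict], Set[int], List[Tuple[str, str]]]:
    """Return (service entries, kvnos seen for the computer account, weak-enctype entries)."""
    entries: Dict[str, dict] = {}
    account_kvnos: Set[int] = set()
    weak: List[Tuple[str, str]] = []
    for line in text.splitlines():
        m = _KEYTAB_LINE.match(line)
        if not m:
            continue  # header, separator or blank line
        kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3)
        short = principal.split("@", 1)[0]
        if _WEAK_ENCTYPE.match(enctype):
            weak.append((short, enctype))
        if "/" not in short:
            if short.endswith("$"):  # the computer account itself, e.g. JP-SYS8$
                account_kvnos.add(kvno)
            continue
        entry = entries.setdefault(_normalize(short), {"raw": short, "kvnos": set()})
        entry["kvnos"].add(kvno)
    return entries, account_kvnos, weak


def check(spn_text: str, keytab_text: str) -> Dict[str, list]:
    """Produce the four mismatch lists a practitioner wants before blaming mod_auth_kerb."""
    spns = parse_spns(spn_text)
    keys, account_kvnos, weak = parse_keytab(keytab_text)
    return {
        "spn_without_key": sorted(raw for n, raw in spns.items() if n not in keys),
        "key_without_spn": sorted(e["raw"] for n, e in keys.items() if n not in spns),
        # Every SPN on one AD account uses that account's key, so a service entry
        # whose kvno never matches the account's kvno is left over from an old join.
        "stale_kvno": sorted(e["raw"] for e in keys.values()
                             if account_kvnos and not (e["kvnos"] & account_kvnos)),
        "weak_enctype": sorted(weak),
    }


if __name__ == "__main__":
    for problem, items in check(SPN_OUTPUT, KEYTAB_OUTPUT).items():
        print(f"{problem}: {items or 'none'}")
```

Run it against the real outputs by pasting them into the two strings (or reading them from files). An SPN listed under `spn_without_key` cannot be served until the keytab is regenerated (`net ads keytab create`, as in the steps above); a key under `key_without_spn` is unusable because the KDC will never issue a ticket for it; `stale_kvno` points at a keytab that predates the most recent join or password reset. The `weak_enctype` list exists because MIT Kerberos ships with `allow_weak_crypto = false` since 1.7, so the single-DES keys in a keytab like the one quoted above are ignored by a current client library even though `klist -k` still shows them.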



