2003 R2 AD servicePrincipalName issue

Douglas E. Engert deengert at anl.gov
Wed Nov 9 10:22:07 EST 2011 


On 11/9/2011 2:54 AM, Gnädinger Ralf wrote:
> Hi Alon,
>
> I`ve done everything you wrote below.
> Ping and reverse lookup work fine, servicePrincipalNames are set (kvno HOST or HTTP/jp-sys8 works, with jp-sys8.joma.de not)...
>
> kvno HOST/jp-sys8
> HOST/jp-sys8 at JOMA.DE: kvno = 2
>
> Kinit with HOST/jp-sys8 or HOST/jp-sys8.joma.de doesn`t work either.

Good to see that in a later  note you say you have it working, but
here are some other pitfalls in this process:

First of all, Kerberos principal names are case sensitive, but Windows
is case-insensitive. The principal, "HOST" service should be lower
case "host". "HTTP" service should be upper case "HTTP" So avoid any
case issues if at all possible. Some version of Windows will try an
preserve the case that the client used, others will not.

kinit is requesting a ticket for a user principal, and AD
will look for the userPrincipalName attribute, not the
servicePrincipalName. So check that the UPN
for the account is host/jp-sys8.joma.de at JOMA.DE

(FYI: If the userPrincipalName can not be found, AD can also look
for a principal looking at sAMAccountName at DOMAIN.

You also did not say if the kinit was using a password,
or the keytab.

To really see what is going on, a network trace with Wireshark
would show a lot. Wireshark is able to format the unencrypted parts
of the Kerberos packets.

I assume you are using the ktpass.exe to create the keytab?
With 2003, there was more then one version, and some hot fixes
to ktpass, check that you have the latest.

Also note that the AD account has only one password, and keys
are generated when needed from the password, where as with a
Kerberos keytab, each entry has its own key. So if you change
the password in AD you have to update all the keytab entries
to match.

If as root you run klist -k -K /etc/krb5.keytab
it will show the keys. All the DES keys should be the same,
and all the ArcFour keys should be the same since they
are all generated from the same password on the same account.


>
> The servicePrincipalNames in our AD:
>
> Registered ServicePrincipalNames for CN=jp-sys8,CN=Computers,DC=joma,DC=de:
>      HTTP/jp-sys8.joma.de
>      HTTP/jp-sys8
>      HOST/jp-sys8.joma.de
>      HOST/JP-SYS8
>
> My krb5.keytab has the following entries:
>
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>     2 host/jp-sys8.joma.de at JOMA.DE (DES cbc mode with CRC-32)
>     2 host/jp-sys8.joma.de at JOMA.DE (DES cbc mode with RSA-MD5)
>     2 host/jp-sys8.joma.de at JOMA.DE (ArcFour with HMAC/md5)
>     2 host/jp-sys8 at JOMA.DE (DES cbc mode with CRC-32)
>     2 host/jp-sys8 at JOMA.DE (DES cbc mode with RSA-MD5)
>     2 host/jp-sys8 at JOMA.DE (ArcFour with HMAC/md5)
>     2 JP-SYS8$@JOMA.DE (DES cbc mode with CRC-32)
>     2 JP-SYS8$@JOMA.DE (DES cbc mode with RSA-MD5)
>     2 JP-SYS8$@JOMA.DE (ArcFour with HMAC/md5)
>     2 HTTP/jp-sys8.joma.de at JOMA.DE (DES cbc mode with CRC-32)
>     2 HTTP/jp-sys8.joma.de at JOMA.DE (DES cbc mode with RSA-MD5)
>     2 HTTP/jp-sys8.joma.de at JOMA.DE (ArcFour with HMAC/md5)
>     2 HTTP/jp-sys8 at JOMA.DE (DES cbc mode with CRC-32)
>     2 HTTP/jp-sys8 at JOMA.DE (DES cbc mode with RSA-MD5)
>     2 HTTP/jp-sys8 at JOMA.DE (ArcFour with HMAC/md5)
>
> Of course the authentication via apache2 wouldn`t work, I think kinit should work first but I have no clue
> what`s going wrong here :(
>
> Thanks
>
> Ralf
>
> -----Ursprüngliche Nachricht-----
> Von: Alon Bar-Lev [mailto:alon.barlev at gmail.com]
> Gesendet: Mittwoch, 9. November 2011 08:46
> An: Gnädinger Ralf
> Cc: kerberos at mit.edu
> Betreff: Re: 2003 R2 AD servicePrincipalName issue
>
> 0. Delete everything you did from active directory Computer spn and everything.
>
> 1. Make sure active directory can resolve and reverse resolve your server.
> ping server.xxx.com
> ping -a ip.a.dd.res
>
> 2. Edit /etc/krb5.conf
> ---
> [libdefaults]
>          default_realm = XXX.COM
>          forwardable = true
>
> [realms]
>
> [domain_realm]
>
> [logging]
> ---
>
> 3. Install samba
>
> 4. Edit /etc/smb.conf
> Modify:
>          workgroup = XXX
>          security = ads
>          kerberos method = system keytab
>          client use spnego = yes
>          realm = XXX.COM
>          local master = no
>
> 5. Run:
> # net ads join -U Administrator
> # net ads testjoin
> # net ads keytab create -U Administrator # net ads keytab add HTTP -U Administrator
>
> 6. Allow apache access keytab
> chgrp apache /etc/krb5.keytab
> chmod g+r /etc/krb5.keytab
>
> 7. Configure mod_auth_kerb
> ---
>          AuthName "Kerberos Login"
>          AuthType Kerberos
>          Krb5Keytab /etc/krb5.keytab
>          KrbAuthRealm XXX.COM
> ---
>
> Good luck!
>
> 2011/11/9 Gnädinger Ralf<ralf.gnaedinger at joma-polytec.de>
>>
>> Hi all,
>>
>> I am trying to kerbernize my apache via mod_auth_kerb on a debian squeeze box with our company 2003 R2 active directory service.
>>
>> After I configured Kerberos on my linux box I am able to get a ticket using kinit username.
>>
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: sysman at JOMA.DE
>>
>> Valid starting     Expires            Service principal
>> 11/09/11 07:51:29  11/09/11 17:51:17  krbtgt/JOMA.DE at JOMA.DE
>>         renew until 11/10/11 07:51:29, Etype (skey, tkt): ArcFour with
>> HMAC/md5, ArcFour with HMAC/md5
>>
>> Then I created a computer account and added the service principal
>> names like this in our AD
>>
>> #setspn -R jp-sys8
>> #setspn -A HTTP/jp-sys8.joma.de jp-sys8 #setspn -L jp-sys8
>>
>> Registered ServicePrincipalNames for CN=jp-sys8,CN=Computers,DC=joma,DC=de:
>>     HOST/jp-sys8.joma.de
>>     HOST/jp-sys8
>>     HTTP/jp-sys8.joma.de
>>
>> Now when I use kvno on my linux box it is possible to get the version
>> like this
>>
>> # kvno HOST/jp-sys8
>> HOST/jp-sys8 at JOMA.DE: kvno = 2
>>
>> but if I try HOST/jp-sys8.joma.de it`s not working...
>>
>> # kvno HOST/jp-sys8.joma.de
>> kvno: Server not found in Kerberos database while getting credentials
>> for HOST/jp-sys8.joma.de at JOMA.DE
>>
>> When I am adding HTTP/jp-sys8 as service principal it is the same HTTP/jp-sys8 works HTTP/jp-sys8.joma.de doesn`t.
>>
>> Is there anything i`ve missed?
>>
>> Thanks
>>
>> Ralf
>>
>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list