Issue with Kerberos setting in Sun Solaris 10

Ray Vand ray_vand at filemaker.com
Fri Apr 19 16:26:01 EDT 2013


Hello,

I am new to the Kerberos world and am having an issue with setting this up; I need help and direction.

I am trying to set up SSO in the following environment.

Domain: company.com
Short Domain: AD  (This is how we log in to the User Client: AD\<Login Name>)

AD domain server  -->  ads (Windows 2008 R2 )
SAP Server             -->  SAPSVR (Sun Solaris 10)
User Client              -->  Mac OS 10.8

I have created a user in the AD domain server as below:

user: sapldap
Password: Changem3 (never expire)
Use DES encryption type for this account

Then I ran the following two commands in the AD domain server:

C:\Windows\system32>setspn -A sapldap/ads.company.com AD\sapldap
Registering ServicePrincipalNames for CN=sapldap,CN=Users,DC=company,DC=com
        sapldap/ads.company.com
Updated object

C:\Windows\system32>ktpass -princ sapldap/ads.company.com@COMPANY.COM -mapuser AD\sapldap -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass Changem3 -out sapldap.keytab
Targeting domain controller: ADS.company.com
Using legacy password setting method
Successfully mapped sapldap/ads.company.com to sapldap.
Key created.
Output keytab to sapldap.keytab:
Keytab version: 0x502
keysize 66 sapldap/ads.company.com@COMPANY.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 7 etype 0x3 (DES-CBC-MD5) keylength 8 (0x5785314ff4ada2b6)
Account sapldap has been set for DES-only encryption.

Then I moved sapldap.keytab to the tmp directory on my SAP Server.

On my SAP Server, I ran the following commands:

Modify /etc/krb5.conf as below:

[libdefaults]
        default_realm = COMPANY.COM
        default_keytab_name = /etc/krb5.keytab
        default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
        default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

[realms]
        COMPANY.COM = {
                kdc = ads.company.com:88
                admin_server = ads.company.com
                default_domain = COMPANY.COM
                kpasswd_server = ads.company.com
        }

[domain_realm]
        .company.com = COMPANY.COM
        company.com = COMPANY.COM

Then:

# ktutil
ktutil: rkt /tmp/sapldap
ktutil: l -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    7  sapldap/ads.company.com@COMPANY.COM (DES cbc mode with RSA-MD5)

ktutil: wkt /etc/krb5.keytab
ktutil: q

Here is where I get an error when running the next command.

# kinit -V -k sapldap/ads.company.com@COMPANY.COM

kinit(v5): Key table entry not found while getting initial credentials

But if I use it without the -k option it works, and it asks for a password.

# kinit sapldap/ads.company.com@COMPANY.COM
Password for sapldap/ads.company.com@COMPANY.COM:

Then when I try klist:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sapldap/ads.company.com@COMPANY.COM

Valid starting                Expires                Service principal
04/19/13 10:01:53  04/19/13 20:01:53  krbtgt/COMPANY.COM@COMPANY.COM
	renew until 04/26/13 10:01:53

I appreciate any help.

Regards,
RayV
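When `kinit -k` reports "Key table entry not found", the first thing to verify is what the keytab actually contains and whether it matches the principal being requested and an enctype the client is allowed to use. The following is an added Python example, not code from the poster or from MIT Kerberos: it parses a version 0x502 keytab (the format ktpass wrote above) and lists the entries a keytab-based kinit could use under a given krb5.conf enctype list. The embedded keytab is constructed to mirror the ktpass output in the post, with placeholder key bytes; `build_keytab`, `parse_keytab` and `usable_entries` are names chosen here.

```python
import struct

# Enctype numbers (RFC 3961/4120) mapped to the names used in krb5.conf enctype lists.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}

def build_keytab(principal, realm, name_type, kvno, etype, key):
    """Serialise one entry as a version 0x502 keytab (used only to build test data here)."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    body += b"".join(struct.pack(">H", len(c)) + c.encode() for c in comps)
    body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)  # name type, timestamp, 8-bit vno
    body += struct.pack(">HH", etype, len(key)) + key        # keyblock: enctype + counted key
    body += struct.pack(">I", kvno)                           # optional 32-bit vno extension
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Parse a version 0x502 keytab into a list of entry dicts (key bytes are not returned)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    def counted(p):  # counted_octet_string: uint16 length followed by the bytes
        n = struct.unpack_from(">H", data, p)[0]
        return data[p + 2:p + 2 + n].decode(), p + 2 + n
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]; pos += 4
        if size <= 0: pos += -size or len(data); continue  # negative = deleted slot, zero = stop
        end = pos + size
        ncomp = struct.unpack_from(">H", data, pos)[0]; pos += 2
        realm, pos = counted(pos)
        comps = []
        for _ in range(ncomp):
            c, pos = counted(pos); comps.append(c)
        name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        # MIT semantics: a non-zero trailing 32-bit vno overrides the 8-bit one
        kvno = (struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0) or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "kvno": kvno, "etype": etype, "key_len": len(key)})
        pos = end
    return entries

def usable_entries(entries, principal, allowed_enctypes):
    """Entries kinit -k could use: exact principal match and an enctype the client permits."""
    return [e for e in entries if e["principal"] == principal
            and ETYPES.get(e["etype"]) in allowed_enctypes]

# Constructed keytab mirroring the ktpass output in the post; the key bytes are a placeholder.
SAMPLE = build_keytab("sapldap/ads.company.com", "COMPANY.COM", 1, 7, 3, bytes(range(8)))
```

Run `parse_keytab(open("/etc/krb5.keytab", "rb").read())` on the real file to compare its principal, kvno and etype with what `kinit -k` requests; an empty result from `usable_entries` with the krb5.conf enctype list pinpoints the mismatch.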