
Re: ktpass troubles


Douglas E. Engert

Dec 10, 2009, 2:26:47 PM
to Vitaly Tskhovrebov, kerb...@mit.edu

Vitaly Tskhovrebov wrote:
> Hi.
>
> I'm trying to use krb authentication on linux box with apache.
>
> I've done the following on W2K3 PDC:
>
> ktpass -princ host/web.com...@COMPANY.RU -pass qwerty -mapuser
> D\web_http -out host.keytab -ptype KRB5_NT_SRV_HST -kvno 1
>
> Successfully mapped host/web.com...@COMPANY.RU to web_http.
> WARNING: pType and account type do not match. This might cause problems.
> Key created.
> Output keytab to host.keytab:
> Keytab version: 0x502
> keysize 75 host/web.company.ru ptype 3 (KRB5_NT_SRV_HST) vno 1 etype 0x17 (RC4-HMAC) keylength 16 (0xeddf60686996d8ba2d81cfd15da42bd3)
>
> the same for
>
> ktpass -princ HTTP/web.com...@COMPANY.RU -pass qwerty -mapuser
> D\web_http -out http.keytab -kvno 1
>

You may have updated the msDS-keyVersionNumber in the DC.
Use ldap or some MS tool like ADSI-edit to look for this attribute
on the web_http account.
Also look at the userPrincipalName, ServicePrincipalName and
sAMAccountName attributes too.

>
> and then
>
> setspn.exe -A HTTP/web.company.ru web

Should this be web_http? Did it work?

You should also consider using two separate accounts and two separate
keytab files, one for host/... and one for HTTP/... Each would
then have its own key.


>
> After that I made several steps on the Linux box, making a keytab for apache, and
> trying to test:
>
> ktutil: read_kt host.keytab
> ktutil: read_kt http.keytab
> ktutil: list
> slot KVNO Principal
> ---- ---- ------------------------------------
>    1    1 host/web.com...@COMPANY.RU
>    2    1 HTTP/web.com...@COMPANY.RU
> ktutil: write_kt apache.keytab
>
> kinit -t apache.keytab -k HTTP/web.com...@COMPANY.RU
> # IT'S OK!
>
> kinit -t apache.keytab -k host/web.com...@COMPANY.RU
> kinit(v5): Client not found in Kerberos database while getting initial
> credentials
>
> Ethereal said that krb5kdc_err_s_principal_unknown.
>
> Where am I wrong?
>
> --
> Vitaly.
>
> ________________________________________________
> Kerberos mailing list Kerb...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

--

Douglas E. Engert <DEEn...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
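Added here as an illustration of the kvno check Doug suggests above (example code, not from the thread, from MIT Kerberos or from ktpass): a parser for the version 0x502 keytab that ktpass wrote, listing each entry the way `ktutil: list` does and flagging entries whose kvno differs from the account's msDS-keyVersionNumber. The `build_keytab` helper, the dummy keys and the abbreviated etype names are constructed for the sample; the field layout in the comment is the keytab format itself.

```python
import struct
# Keytab (version 0x502, big-endian): int32 size | uint16 ncomp | cstr realm | cstr comp[ncomp]
# | uint32 name_type | uint32 timestamp | uint8 vno8 | uint16 etype | cstr key | uint32 vno32
NAME_TYPES = {1: "KRB5_NT_PRINCIPAL", 3: "KRB5_NT_SRV_HST"}   # ptype values ktpass printed
ETYPES = {0x17: "RC4-HMAC", 0x11: "AES128-CTS", 0x12: "AES256-CTS"}   # abbreviated names
def _cstr(b): return struct.pack(">H", len(b)) + b            # cstr = uint16 length + bytes

def _read_cstr(data, pos):
    n = struct.unpack_from(">H", data, pos)[0]
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def build_keytab(entries):
    # entries: (principal, name_type, kvno, etype, key) tuples -> keytab bytes (sample only)
    out = b"\x05\x02"
    for principal, name_type, kvno, etype, key in entries:
        name, realm = principal.rsplit("@", 1)
        parts = [realm.encode()] + [c.encode() for c in name.split("/")]
        body = struct.pack(">H", len(parts) - 1) + b"".join(map(_cstr, parts))
        body += struct.pack(">IIBH", name_type, 0, kvno & 0xFF, etype) + _cstr(key)
        out += struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)
    return out

def parse_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos < len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        end, pos = pos + 4 + size, pos + 4
        ncomp = struct.unpack_from(">H", data, pos)[0]
        realm, pos = _read_cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_cstr(data, pos)
            comps.append(c.decode())
        name_type, _ts, vno8, etype = struct.unpack_from(">IIBH", data, pos)
        key, pos = _read_cstr(data, pos + 11)
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": NAME_TYPES.get(name_type, name_type),
                        "kvno": kvno, "etype": ETYPES.get(etype, hex(etype))})
        pos = end
    return entries

def kvno_mismatches(entries, ad_kvno):
    # Principals whose keytab kvno differs from the account's msDS-keyVersionNumber
    return [e["principal"] for e in entries if e["kvno"] != ad_kvno]
# Constructed sample: the thread's two principals written with -kvno 1 and dummy RC4 keys
SAMPLE = build_keytab([("host/web.company.ru@COMPANY.RU", 3, 1, 0x17, b"\x00" * 16),
                       ("HTTP/web.company.ru@COMPANY.RU", 3, 1, 0x17, b"\x11" * 16)])
```

To check a real file, pass `open("apache.keytab", "rb").read()` to `parse_keytab` and the msDS-keyVersionNumber read from the account to `kvno_mismatches`.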

Douglas E. Engert

Dec 11, 2009, 9:57:56 AM
to Vitaly Tskhovrebov, kerb...@mit.edu

Vitaly Tskhovrebov wrote:
> It works now. Dunno what was wrong.
> I just came to work in the morning.


AD takes its time replicating the entries; that could
be the issue, as you might be looking at different DCs
that have not been updated. So when you are updating
computer accounts and using ktpass, you may have to wait a bit.

We don't use ktpass but msktutil instead:

http://download.systemimager.org/~finley/msktutil/

(If you use this and the service name is not lowercase,
use the --computer-name option rather than letting it
derive the name.)


>
> --
> Vitaly.

Douglas E. Engert

Dec 11, 2009, 10:22:09 AM
to Vitaly Tskhovrebov, kerb...@mit.edu

Vitaly Tskhovrebov wrote:
> It's funny, but when the "host" test was done, the "HTTP" was broken. It's a
> kind of street magic...
>

You can still use ktpass, but it's much cleaner to use one principal
per account. They will each have a separate key, in separate
keytabs. You can still combine the two keytabs with ktutil.
Your issues were with trying to have both a "HTTP" and a "host" SPN
on the same account.

> There was no replication issue, 'cause I ran the commands on the target DC.
> I'll try this tool next week, thanks!
>
> --
> Vitaly.


>
> We don't use ktpass but msktutil instead:
>
> http://download.systemimager.org/~finley/msktutil/
>
> (If you use this and the service name is not lowercase,
> use the --computer-name option rather than letting it
> derive the name.)

--

Douglas E. Engert <DEEn...@anl.gov>

Vitaly Tskhovrebov

Dec 11, 2009, 1:35:25 AM
to Douglas E. Engert, kerb...@mit.edu

msDS-keyVersionNumber = 5
userPrincipalName = host/web.com...@COMPANY.RU
ServicePrincipalName = HTTP/web.company.ru
sAMAccountName = web_http

> You may have updated the msDS-keyVersionNumber in the DC.
> Use ldap or some MS tool like ADSI-edit to look for this attribute
> on the web_http account.
> Also look at the userPrincipalName, ServicePrincipalName and
> sAMAccountName attributes too.

--
Vitaly.

