
kerberos tickets and the SPNs


ravi channavajhala

May 6, 2009, 2:39:40 PM
to kerb...@mit.edu
I'm setting up a Solaris 10 server as a test samba server with AD
authentication. I'm running into a little bit of issue with Kerberos
tickets. The setup is as follows

Solaris-10, Windows AD-2003/R2, native Solaris (sparc) samba, Kerberos, LDAP
(shipped with the distro) and IMU on windows. My LDAP client is working
good and validates getent passwd <user> and can run ldaplist -l passwd
<user> and ldapsearch, no issues. My ldap authentication is set to simple,
with proxyDnuser.

On Solaris I'm very sure I setup the krb5.conf, smb.conf, pam.conf,
nsswitch.conf, ntp.conf perfectly. The nsswitch is set to use 'files ldap'
for both passwd and group and dns files for hosts. On windows the IMU, UNIX
attributes are set to the correct NIS domain.

I ran net ads join to successfully join the Solaris server into the AD,
however net ads keytab create simply returns a new line without any errors.
When I checked on windows, after net ADS join command, I see two service
principals (SPN), the capitalization is intentional as this is how they
appear when I run spnset hostname

HOST/HOSTNAME

HOST/hostname.domain.com (FQDN)

I also setup a service account name (user object) on Windows whose name is
same as the hostname (computer object). I generated the keytab file with

ktpass -princ host/fqdn@REALM -mapuser DOMAIN\SERVICEACCT$ -pass password
-crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab

I then ftped this file over to Solaris host and try to authenticate a user
login via AD, I get

PAM-KRB5 (auth): krb5_verify_init_creds failed: Server not found in Kerberos
database

So, just for the heck of it I generated another krb5.keytab with the
following

ktpass -princ HOST/fqdn@REALM -mapuser DOMAIN\SERVICEACCT$ -pass password
-crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab

Please note the HOST in capitals. Now, I get this error testing with this
keytab

PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found

Running PAM in debug mode didn't reveal anything specific other than the
obvious.

I have my DNS setup correctly and the nslookup for DCs, GCs and LDAP servers
return properly. I can add the SPNs forcibly with host/hostname.domain.com
and host/hostname and try different combinations. But..first I need to
understand this behavior, anyone???

Douglas E. Engert

May 6, 2009, 3:33:17 PM
to ravi.chan...@dciera.com, kerb...@mit.edu
Windows treats principal names as case insensitive.
Kerberos treats them as case sensitive.

Normally Kerberos host/hostname@REALM has "host" in lower case.
So why Samba net ads join is using upper case is not clear.

If the net ads join adds the SPN in uppercase, then the ktpass
with lower case, it will work, as windows is case insensitive
and the SPN already exists.

You could try changing the SPN to lower case.


ravi channavajhala wrote:
> I'm setting up a Solaris 10 server as a test samba server with AD
> authentication. I'm running into a little bit of issue with Kerberos
> tickets. The setup is as follows
>
> Solaris-10, Windows AD-2003/R2, native Solaris (sparc) samba, Kerberos, LDAP
> (shipped with the distro) and IMU on windows. My LDAP client is working
> good and validates getent passwd <user> and can run ldaplist -l passwd
> <user> and ldapsearch, no issues. My ldap authentication is set to simple,
> with proxyDnuser.
>
> On Solaris I'm very sure I setup the krb5.conf, smb.conf, pam.conf,
> nsswitch.conf, ntp.conf perfectly. The nsswitch is set to use 'files ldap'
> for both passwd and group and dns files for hosts. On windows the IMU, UNIX
> attributes are set to the correct NIS domain.
>
> I ran net ads join to successfully join the Solaris server into the AD,
> however net ads keytab create simply returns a new line without any errors.
> When I checked on windows, after net ADS join command, I see two service
> principals (SPN), the capitalization is intentional as this is how they
> appear when I run spnset hostname
>
> HOST/HOSTNAME
>
> HOST/hostname.domain.com (FQDN)
>
> I also setup a service account name (user object) on Windows whose name is
> same as the hostname (computer object). I generated the keytab file with
>
> ktpass -princ host/fqdn@REALM -mapuser DOMAIN\SERVICEACCT$ -pass password
> -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab
>

So you have two accounts with the same SPN? (differing by case only?)
Or did you remove the net ads join created entry first?

>
> I then ftped this file over to Solaris host and try to authenticate a user
> login via AD, I get
>
> PAM-KRB5 (auth): krb5_verify_init_creds failed: Server not found in Kerberos
> database
>

Could be the case issue. krb5 is looking for "host"


>
> So, just for the heck of it I generated another krb5.keytab with the
> following
>
> ktpass -princ HOST/fqdn@REALM -mapuser DOMAIN\SERVICEACCT$ -pass password
> -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -out c:\temp\krb5.keytab
>
> Please note the HOST in capitals. Now, I get this error testing with this
> keytab
>
> PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found
>
> Running PAM in debug mode didn't reveal anything specific other than the
> obvious.
>

Wireshark could be used to see the network traffic between server and KDC.
This sounds like a case issue...

>
> I have my DNS setup correctly and the nslookup for DCs, GCs and LDAP servers
> return properly. I can add the SPNs forcibly with host/hostname.domain.com
> and host/hostname and try different combinations. But..first I need to
> understand this behavior, anyone???
>

> ________________________________________________
> Kerberos mailing list Kerb...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

--

Douglas E. Engert <DEEn...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

Markus Moeller

May 6, 2009, 3:49:51 PM

"Douglas E. Engert" <deen...@anl.gov> wrote in message
news:mailman.17.124163...@mit.edu...

> Windows treats principal names as case insensitive.
> Kerberos treats them as case sensitive.
>
> Normally Kerberos host/hostname@REALM has "host" in lower case.
> So why Samba net ads join is using upper case is not clear.
>
> If the net ads join adds the SPN in uppercase, then the ktpass
> with lower case, it will work, as windows is case insensitive
> and the SPN already exists.
>
> You could try changing the SPN to lower case.
>

You could add a copy to the keytab with ktutil which has an uppercase HOST
e.g.

# ktutil
ktutil: rkt /tmp/test.keytab
ktutil: l -k
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 3 host/opensuse11...@SUSE.HOME
(0xd962b1ecc18a809eb57c4a031193623a)
ktutil: addent -key -p HOST/opensuse11...@SUSE.HOME -k 3 -e rc4-hmac
Key for HOST/opensuse11...@SUSE.HOME (hex):
d962b1ecc18a809eb57c4a031193623a
ktutil: l -k
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 3 host/opensuse11...@SUSE.HOME
(0xd962b1ecc18a809eb57c4a031193623a)
2 3 HOST/opensuse11...@SUSE.HOME
(0xd962b1ecc18a809eb57c4a031193623a)
ktutil: wkt /tmp/new.keytab
ktutil: quit
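Douglas's point that MIT Kerberos compares principal names case-sensitively (while Windows does not), and Markus's ktutil session that works around it by adding a second entry with the same key under HOST/..., can both be shown with a small reader/writer for the MIT keytab file format (version 0x0502). This is example code added for this thread, not code from MIT Kerberos, Samba, or any of the posters. The hostname unixhost.suse.home is a placeholder standing in for the elided one in the session above, the realm SUSE.HOME and the key bytes are the ones printed there, reused only as test data, and enctype 23 is the registered number for rc4-hmac.

```python
"""Minimal MIT keytab (format version 0x0502) reader/writer.  Example code for
the thread, not part of MIT krb5, Samba or ktutil.  Shows why a keytab holding
only host/fqdn fails a lookup for HOST/fqdn ("Key table entry not found") and
what 'ktutil: addent -key -p HOST/... -k 3 -e rc4-hmac' adds to fix that."""
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"   # keytab file format version 2
ENCTYPE_RC4_HMAC = 23        # enctype number for rc4-hmac (RFC 4757)
KRB5_NT_PRINCIPAL = 1        # name type written by ktpass -ptype KRB5_NT_PRINCIPAL


@dataclass
class KeytabEntry:
    principal: str   # "service/host" part, realm kept separately
    realm: str
    kvno: int
    enctype: int
    key: bytes


def encode_entry(e: KeytabEntry, timestamp: int = 0) -> bytes:
    """Serialise one entry as int32 size followed by the entry body."""
    comps = e.principal.split("/")
    body = struct.pack(">H", len(comps))                    # v2: realm not counted
    body += struct.pack(">H", len(e.realm)) + e.realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">II", KRB5_NT_PRINCIPAL, timestamp)
    body += struct.pack(">B", e.kvno & 0xFF)                # 8-bit kvno
    body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
    body += struct.pack(">I", e.kvno)                       # optional 32-bit kvno
    return struct.pack(">i", len(body)) + body


def write_keytab(entries) -> bytes:
    return KEYTAB_MAGIC + b"".join(encode_entry(e) for e in entries)


def parse_keytab(data: bytes):
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # negative size marks a deleted slot
            off += -size
            continue
        end, p = off + size, off
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        (rlen,) = struct.unpack_from(">H", data, p); p += 2
        realm = data[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, p); p += 2
            comps.append(data[p:p + clen].decode()); p += clen
        p += 8                            # name type and timestamp, unused here
        kvno = data[p]; p += 1
        enctype, klen = struct.unpack_from(">HH", data, p); p += 4
        key = data[p:p + klen]; p += klen
        if end - p >= 4:                  # a non-zero 32-bit kvno overrides vno8
            (vno32,) = struct.unpack_from(">I", data, p)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps), realm, kvno, enctype, key))
        off = end
    return entries


def find_key(entries, principal: str, realm: str, kvno=None):
    """Exact, case-sensitive match as MIT krb5 does; AD would match case-insensitively."""
    for e in entries:
        if e.principal == principal and e.realm == realm and (kvno is None or e.kvno == kvno):
            return e
    return None


def add_case_alias(entries, principal: str, realm: str, alias: str):
    """What the ktutil addent step does: copy each key of `principal` under `alias`."""
    copies = [KeytabEntry(alias, e.realm, e.kvno, e.enctype, e.key)
              for e in entries if e.principal == principal and e.realm == realm]
    return entries + copies


def demo():
    # Constructed test data: placeholder host, key bytes from the ktutil session.
    key = bytes.fromhex("d962b1ecc18a809eb57c4a031193623a")
    kt = [KeytabEntry("host/unixhost.suse.home", "SUSE.HOME", 3, ENCTYPE_RC4_HMAC, key)]
    before = find_key(kt, "HOST/unixhost.suse.home", "SUSE.HOME")   # None: entry not found
    kt = add_case_alias(kt, "host/unixhost.suse.home", "SUSE.HOME", "HOST/unixhost.suse.home")
    reparsed = parse_keytab(write_keytab(kt))                          # round-trip through the file format
    after = find_key(reparsed, "HOST/unixhost.suse.home", "SUSE.HOME", kvno=3)
    return before, after, len(reparsed)


if __name__ == "__main__":
    print(demo())
```

The lookup in find_key is the part that matters: a KDC-issued service ticket names the principal exactly as the client requested it, and the keytab search that follows is a byte-for-byte comparison, so two entries differing only in case are two distinct entries to Kerberos even though AD sees one SPN.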

Ravi Channavajhala

May 6, 2009, 3:57:22 PM
to Douglas E. Engert, kerb...@mit.edu
On Thu, May 7, 2009 at 1:03 AM, Douglas E. Engert <deen...@anl.gov> wrote:
>
> Windows treats principal names as case insensitive.
> Kerberos treats them as case sensitive.
>
> Normally Kerberos host/hostname@REALM has "host" in lower case.
> So why Samba net ads join is using upper case is not clear.

Just to be sure, I did delete the computer object from AD and
re-created it from net ads, the SPNs appear again in the same way.

> If the net ads join adds the SPN in uppercase, then the ktpass
> with lower case, it will work, as windows is case insensitive
> and the SPN already exists.
>
> You could try changing the SPN to lower case.

I might as well add new SPNs with spnset -A option

>> HOST/HOSTNAME
>>
>> HOST/hostname.domain.com (FQDN)


>>
>
> So you have two accounts with the same SPN? (differing by case only?)
> Or did you remove the net ads join created entry first?

yeah but they are two different objects, one is a computer and the
other is a user. In the above case the two SPNs are for the computer
object only as indicated by the host. The SPN for user object appears
typically DOMAIN\USERNAME

>> I then ftped this file over to Solaris host and try to authenticate a user
>> login via AD, I get
>>
>> PAM-KRB5 (auth): krb5_verify_init_creds failed: Server not found in Kerberos
>> database
>>
>
> Could be the case issue. krb5 is looking for "host"

Looks like it, as I get different error messages depending on how I
specify the ktpass -princ with either host or HOST.

>> Running PAM in debug mode didn't reveal anything specific other than the
>> obvious.
>
> Wireshark could be used to see the network traffic between server and KDC.
> This sounds like a case issue...

It sure is, but my problem is how to avoid manual work in case if
future server base is being built and I have to do a monkey boy's job
of checking SPNs and adding/removing... there must be a way out of
this. I got oodles of ldap traffic captured with snoop, which I will
look further.

Luke Howard

May 6, 2009, 8:49:37 PM
to Markus Moeller, kerb...@mit.edu
FWIW MIT Kerberos 1.7 will address this.

-- Luke

--
www.padl.com | www.fghr.net

Ravi Channavajhala

May 6, 2009, 11:39:38 PM
to Markus Moeller, kerb...@mit.edu
On Thu, May 7, 2009 at 1:19 AM, Markus Moeller <hua...@moeller.plus.com> wrote:
>
> You could add a copy to the keytab with ktutil which has an uppercase HOST
> e.g.
>
> # ktutil
> ktutil: rkt /tmp/test.keytab
> ktutil: l -k
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
> 1 3 host/opensuse11...@SUSE.HOME
> (0xd962b1ecc18a809eb57c4a031193623a)
> ktutil: addent -key -p HOST/opensuse11...@SUSE.HOME -k 3 -e rc4-hmac
> Key for HOST/opensuse11...@SUSE.HOME (hex):
> d962b1ecc18a809eb57c4a031193623a
> ktutil: l -k
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
> 1 3 host/opensuse11...@SUSE.HOME
> (0xd962b1ecc18a809eb57c4a031193623a)
> 2 3 HOST/opensuse11...@SUSE.HOME
> (0xd962b1ecc18a809eb57c4a031193623a)
> ktutil: wkt /tmp/new.keytab
> ktutil: quit

Interesting. This means, I need to have all the SPNs included in the
keytab? Do you see an inherent problem with deleting the existing
SPNs on windows KDC and adding only one SPN of the form host/fqdn and
generating the keytab?

Markus Moeller

May 7, 2009, 6:56:55 PM

"Ravi Channavajhala" <ravi.chan...@dciera.com> wrote in message
news:mailman.20.124166...@mit.edu...

The best would be to have one entry in AD with the host/fqdn syntax. If you
have clients requesting HOST/fqdn just use the above method to add a second
entry with the same key. AD will handle HOST/fqdn and host/fqdn in the same
way as it is case insensitive, so no need to add a second entry to AD.

Markus

Ravi Channavajhala

May 8, 2009, 2:07:56 AM
to Markus Moeller, kerb...@mit.edu
On Fri, May 8, 2009 at 4:26 AM, Markus Moeller <hua...@moeller.plus.com> wrote:

>> Interesting. This means, I need to have all the SPNs included in the
>> keytab? Do you see an inherent problem with deleting the existing
>> SPNs on windows KDC and adding only one SPN of the form host/fqdn and
>> generating the keytab?
>>
>
> The best would be to have one entry in AD with the host/fqdn syntax. If you
> have clients requesting HOST/fqdn just use the above method to add a second
> entry with the same key. AD will handle HOST/fqdn and host/fqdn in the same
> way as it is case insensitive, so no need to add a second entry to AD.

I deleted the computer object in AD, waited for the replication to
complete and then re-added the AD object. Now the SPN appears as

host/host.fqdn

Which is good. I ran the ktpass to generate the new keys for this
host using the SPN created with the correct realm. Now, when Solaris
is trying to authenticate an AD user, I still get the server not found
in kerberos database; modifying the keytab manually with ktutil on
solaris gives me PAM-KRB5 (auth) the key table entry not found. If it
is of any academic value, the -mapuser switch I used is an ordinary
AD user (not even a service account) whose name is same as the
computer name. One is cn=users, the other cn=computers, so I don't
believe this could be the problem. For the kicks, I created another
user whose name is not the same as the host and tried...no luck. So
having distinct SPN, UPNs also didn't work.

As a last desperate measure, is there any elegant way to examine the
kerberos database to see if a sticky reference to the host principal
is lingering around and forcibly delete it? This is really getting a
bit vexing

Douglas E. Engert

May 8, 2009, 10:40:20 AM
to Ravi Channavajhala, Markus Moeller, kerb...@mit.edu

Ravi Channavajhala wrote:


> On Fri, May 8, 2009 at 4:26 AM, Markus Moeller <hua...@moeller.plus.com> wrote:
>
>>> Interesting. This means, I need to have all the SPNs included in the
>>> keytab? Do you see an inherent problem with deleting the existing
>>> SPNs on windows KDC and adding only one SPN of the form host/fqdn and
>>> generating the keytab?
>>>
>> The best would be to have one entry in AD with the host/fqdn syntax. If you
>> have clients requesting HOST/fqdn just use the above method to add a second
>> entry with the same key. AD will handle HOST/fqdn and host/fqdn in the same
>> way as it is case insensitive, so no need to add a second entry to AD.
>

> I deleted the computer object in AD, waited for the replication to
> complete and then re-added the AD object. Now the SPN appears as
>

Note that the MS documentation says to add a "user" account, not a "computer"
account. (Sounds counterintuitive...)

http://technet.microsoft.com/en-us/library/bb742433.aspx

To configure the UNIX hosts

Use the Active Directory Management tool to create a new user account for the UNIX host:

Select the Users folder, right-click and select New, then choose user.

Type the name of the UNIX host.

(Last line is: pick a unique name in the forest for the account, i.e. used as
SamAccountName (without the $), so must be 19 characters. Use some convention,
like host-name-dept where h is short for host, name is the simple host name,
and dept. (We have department DNS domains, but the AD is site wide.)

The ktpass then *ADDS* the SPN to the user account using the -principal option.
I am pretty sure if you create a "computer" account, the SPN gets added
during account creation, and that is why you are seeing the uppercase HOST.


> host/host.fqdn
>
> Which is good. I ran the ktpass to generate the new keys for this
> host using the SPN created with the correct realm. Now, when Solaris
> is trying to authenticate a AD user, I still get the server not found
> in kerberos database, modifying the keytab manually with ktutil on
> solaris gives me PAM-KRB5 (auth) the key table entry not found. If it
> is of any academic value, in the -mapuser switch I used is an ordinary

> AD user (not even a service account) whose name is same as the
> computer name.

The ktpass -mapuser user refers to the account created to hold the
principal, above not a real user.


> One is cn=users, the other cn=computers, so I don't

It does not matter where it is located, but follow some convention,
like create a cn=Unix and you can have Unix admins given rights to add
accounts to this subtree.


> believe this could be the problem. For the kicks, I created another
> user whose name is not the same as the host and tried...no luck. So
> having distinct SPN, UPNs also didnt work.
>
> As a last desperate measure, is there any elegant way to examine the
> kerberos database to see if a sticky reference to the host principal
> is lingering around and forcibly delete it? This is really getting a
> bit vexing

You could use ldapsearch and filter for "(serviceprincipalname=host/fqdn)"
or "(dnshostname=fqdn)"
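Douglas's ldapsearch suggestion and Ravi's wish to stop checking SPNs by hand fit together as a preflight check: build a properly escaped LDAP filter that finds the host's account by SPN or dNSHostName, then compare the SPNs AD returns (which AD matches case-insensitively) against the principals in the keytab (which MIT krb5 matches exactly) and report which case variants still need a same-key alias added with ktutil. This is example code added for this thread, not from Samba, msktutil, adjoin.sh or any poster; the SPN list and keytab principal list in demo() are constructed stand-ins for the output of setspn -L / ldapsearch and ktutil's list command, and unixhost.example.com / EXAMPLE.COM are placeholders.

```python
"""Preflight check for the SPN/keytab case mismatch discussed in the thread.
Example code added for the thread, not from any tool named in it.  AD and
ktutil output are replaced by constructed lists in demo()."""


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515):
    '*', '(', ')', '\\' and NUL become \\XX hex escapes."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def spn_filter(fqdn: str) -> str:
    """Filter locating the host account either by its host/ SPN or by dNSHostName,
    as suggested above; safe even if the name contains filter metacharacters."""
    f = ldap_escape(fqdn)
    return "(|(servicePrincipalName=host/%s)(dNSHostName=%s))" % (f, f)


def reconcile(ad_spns, keytab_principals, realm):
    """AD treats SPNs case-insensitively; MIT krb5 looks keytab entries up exactly.
    Returns (exact_matches, spns_without_exact_entry, suggested_fixes)."""
    exact = set(keytab_principals)
    by_lower = {}
    for p in keytab_principals:
        by_lower.setdefault(p.lower(), p)
    matched, missing, fixes = [], [], []
    for spn in ad_spns:
        if spn in exact:
            matched.append(spn)
            continue
        missing.append(spn)
        twin = by_lower.get(spn.lower())
        if twin:
            # The key is already in the keytab under a different case: a ktutil
            # addent entry under the AD spelling with the same key closes the gap.
            fixes.append("addent -key -p %s@%s (copy key of %s)" % (spn, realm, twin))
        else:
            fixes.append("no keytab key for %s: register it in AD in lower case "
                         "or regenerate the keytab for it" % spn)
    return matched, missing, fixes


def demo():
    # Constructed data: SPNs shaped like the ones net ads join left behind in the
    # thread, keytab holding only the lower-case principal ktpass was given.
    ad_spns = ["HOST/UNIXHOST", "HOST/unixhost.example.com"]
    keytab = ["host/unixhost.example.com"]
    return spn_filter("unixhost.example.com"), reconcile(ad_spns, keytab, "EXAMPLE.COM")


if __name__ == "__main__":
    flt, (matched, missing, fixes) = demo()
    print(flt)
    print("matched:", matched)
    print("missing:", missing)
    for line in fixes:
        print("fix:", line)
```

Running the check after every join (or from msktutil/adjoin-style automation) turns the "monkey boy's job" into a diff: the filter is what to feed ldapsearch against the domain, and the two lists are the AD SPN attribute values and the principals ktutil lists, so any mismatch surfaces before PAM ever reports "Key table entry not found".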

Ravi Channavajhala

May 8, 2009, 2:55:37 PM
to Douglas E. Engert, Markus Moeller, kerb...@mit.edu
On Fri, May 8, 2009 at 8:10 PM, Douglas E. Engert <deen...@anl.gov> wrote:

>> I deleted the computer object in AD, waited for the replication to
>> complete and then re-added the AD object. Now the SPN appears as
>>
>
> Note that the MS documentation says to add a "user" account, not a
> "computer"
> account. (Sounds counterintuitive...)
>
> http://technet.microsoft.com/en-us/library/bb742433.aspx
>
> To configure the UNIX hosts
>
> Use the Active Directory Management tool to create a new user account for
> the UNIX host:
>
> Select the Users folder, right-click and select New, then choose user.
>
> Type the name of the UNIX host.
>
> (Last line is pick a unique name in the forest for the account, i.e. uses as
> SamAccountName (without the $) so must be 19 characters. Use some
> convention,
> like host-name-dept where is h short for host, name is the simple host name,
> and dept. (We have department DNS domains, but the AD is is site wide.)
>
> The ktpass then *ADDS* the SPN to the user account using the -principal
> option.
> I am pretty sure if you create a "computer" account, the SPN gets added
> during account creation, and that is why you are seeing the uppercase HOST.

This is obviously not what happens when you use Solaris adjoin.sh
(adjoin-s10u5) or Samba's 'net ads join' command. Both of these
approaches create a computer object specifically. The interesting
behavior is adjoin.sh creates the computer object with one specific
SPN (host/host.fqdn), where as Samba creates (HOST/HOSTNAME and
HOST/host.fqdn). Solaris adjoin generates /etc/krb5/krb5.keytab with
all the known authentications such as DES-CBC-MD5, DES-CBC-CRC and
RC4-HMAC-MD5, where as the samba net ads keytab create simply doesn't
create one. Mind you, I'm using Sun natively packaged Samba. Where
as I can clearly see the UPN with adjoin.sh, the one I created with
net ads doesn't. Both of them show the SamAccount as HOSTNAME$. The
adjoin literally uses ldapadd to add the host to computers
container....

Alright, I digress....back to Kerberos. I didn't get around the
problem. So I'm going to install a Linux server and see how I fare.

Douglas E. Engert

May 8, 2009, 3:32:42 PM
to Ravi Channavajhala, Markus Moeller, kerb...@mit.edu

The point I was making, is that the Microsoft create computer account may
be adding the HOST/hostname for you assuming it is going to be a Windows
computer. So ktpass does not change the case of the SPN if it's already
set.

> The interesting
> behavior is adjoin.sh creates the computer object with one specific
> SPN (host/host.fqdn), where as Samba creates (HOST/HOSTNAME and
> HOST/host.fqdn). Solaris adjoin generates /etc/krb5/krb5.keytab with
> all the known authentications such as DES-CBC-MD5, DES-CBC-CRC and
> RC4-HMAC-MD5, where as the samba net ads keytab create simply doesn't
> create one. Mind you, I'm using Sun natively packaged Samba. Where
> as I can clearly see the UPN with adjoin.sh, the one I created with
> net ads doesn't. Both of them show the SamAccount as HOSTNAME$. The
> adjoin literally uses ldapadd to add the host to computers
> container....

We use msktutil, which uses OpenLDAP to create the (computer) account,
then Kerberos to change the password, and LDAP to set the SPN, and then
creates/updates the keytab file. Sort of what adjoin.sh would do.

>
> Alright, I digress....back to Kerberos. I didn't get around the
> problem. So I'm going to install a Linux server and see how I fare.
>

--

Ravi Channavajhala

May 8, 2009, 3:59:55 PM
to Douglas E. Engert, Markus Moeller, kerb...@mit.edu
On Sat, May 9, 2009 at 1:02 AM, Douglas E. Engert <deen...@anl.gov> wrote:
>
> Ravi Channavajhala wrote:
>>
>> On Fri, May 8, 2009 at 8:10 PM, Douglas E. Engert <deen...@anl.gov>
>> wrote:

>>> Note that the MS documentation says to add a "user" account, not a
>>> "computer"
>>> account. (Sounds counterintuitive...)
>>>
>>> http://technet.microsoft.com/en-us/library/bb742433.aspx
>>>

>>> To configure the UNIX hosts
>>>
>>> Use the Active Directory Management tool to create a new user account
>>> for
>>> the UNIX host:
>>>
>>> Select the Users folder, right-click and select New, then choose user.
>>>
>>> Type the name of the UNIX host.


>>>
>>> (Last line is pick a unique name in the forest for the account, i.e. uses
>>> as
>>> SamAccountName (without the $) so must be 19 characters. Use some
>>> convention,
>>> like host-name-dept where is h short for host, name is the simple host
>>> name,
>>> and dept. (We have department DNS domains, but the AD is is site wide.)
>>>
>>> The ktpass then *ADDS* the SPN to the user account using the -principal
>>> option.
>>> I am pretty sure if you create a "computer" account, the SPN gets added
>>> during account creation, and that is why you are seeing the uppercase
>>> HOST.
>>
>> This is obviously not what happens when you use Solaris adjoin.sh
>> (adjoin-s10u5) or Samba's 'net ads join' command. Both of these


>> approaches create a computer object specifically.
>
> The point I was making, is that the Microsoft create computer account may
> be adding the HOST/hostname for you assuming it is going to be a Windows
> computer. So ktpass does not change the case of the SPN if it's already
> set.

Don't agree here. Natively adding a computer to AD and checking with
setspn -L didn't show any SPNs. Resetting the SPNs with setspn -R,
creates two entries

HOST/HOSTNAME$
HOST/HOSTNAME$.SHORTFORM DOMAIN

Both are incorrect....

The point is, I can manipulate SPNs to no end, but obviously no
success with Kerberos. My real issue is kerberos flip flopping with
'Server not found in Database' to 'Keytable entry incorrect Key
version'.

Markus Moeller

May 8, 2009, 5:34:22 PM
to Ravi Channavajhala, Douglas E. Engert, kerb...@mit.edu

I also use msktutil; you can find it here
http://dag.wieers.com/rpm/packages/msktutil/

You can also use setspn -A host/fqdn in lowercase instead of setspn -R.

BTW the original netjoin tool from MS used computer accounts not user
accounts. http://msdn.microsoft.com/en-us/library/ms808911.aspx
http://download.microsoft.com/download/win2000pro/2kkerb2/1.0/nt5/en-us/ad-unix.exe
I don't know why they changed their mind.

Markus

Douglas E. Engert

May 11, 2009, 2:36:02 PM
to Markus Moeller, Brian Elliott Finley, kerb...@mit.edu

Markus Moeller wrote:
>
> I use also msktutil and you can find it here
> http://dag.wieers.com/rpm/packages/msktutil/

That points to:
http://download.systemimager.org/~finley/msktutil/
and Finley is here at ANL.

We now have Debian mods to 0.3.16-7 to work with W2008, and use the
Windows attribute msDs-supportedEncryptionTypes so one can use AES.
Any one interested?

--

Brian Elliott Finley

May 11, 2009, 2:54:20 PM
to Douglas E. Engert, Markus Moeller, kerb...@mit.edu
I've uploaded the latest changes:

http://download.systemimager.org/~finley/msktutil/

--
Brian Elliott Finley
Deputy Manager, Unix, Storage, and Operations
Computing and Information Systems
Argonne National Laboratory
Office: 630.252.4742
Mobile: 630.631.6621
