ktpass troubles
Douglas E. Engert
deengert at anl.gov
Thu Dec 10 14:26:47 EST 2009
Vitaly Tskhovrebov wrote:
> Hi.
> I'm trying to use krb authentication on linux box with apache.
> I've done the following on W2K3 PDC:
> ktpass -princ host/web.company.ru at COMPANY.RU -pass qwerty -mapuser
> D\web_http -out host.keytab -ptype KRB5_NT_SRV_HST -kvno 1
> Successfully mapped host/web.company.ru at COMPANY.RU to web_http.
> WARNING: pType and account type do not match. This might cause problems.
> Key created.
> Output keytab to host.keytab:
> Keytab version: 0x502
> keysize 75 host/web.company.ru ptype 3 (KRB5_NT_SRV_HST) vno 1 etype 0x17 (RC4-HMAC) keylength 16 (0xeddf60686996d8ba2d81cfd15da42bd3)
> the same for
> ktpass -princ HTTP/web.company.ru at COMPANY.RU -pass qwerty -mapuser
> D\web_http -out http.keytab -kvno 1
You may have updated the msDS-keyVersionNumber in the DC.
Use ldap or some MS tool like ADSI-edit to look for this attribute
on the web_http account.
Also look at the userPrincipalName, ServicePrincipalName and
sAMAccountName attributes too.
> and then
> setspn.exe -A HTTP/web.company.ru web
Should this be web_http? Did it work?
You should also consider using two separate accounts and two separate
keytab files, one for host/... and one for HTTP/... Each would
then have its own key.
> after that I made several steps on linux box making a keytab for apache, and
> trying to test:
> ktutil: read_kt host.keytab
> ktutil: read_kt http.keytab
> ktutil: list
> slot KVNO Principal
> ---- ---- ------------------------------------
> 1 1 host/web.company.ru at COMPANY.RU
> 2 1 HTTP/web.company.ru at COMPANY.RU
> ktutil: write_kt apache.keytab
> kinit -t apache.keytab -k HTTP/web.company.ru at COMPANY.RU
> # IT'S OK!
> kinit -t apache.keytab -k host/web.company.ru at COMPANY.RU
> kinit(v5): Client not found in Kerberos database while getting initial
> credentials
> Ethereal told that krb5kdc_err_s_principal_unknown.
> Where am I wrong?
> --
> Vitaly.
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
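The cross-check the reply suggests (keytab principals and KVNO against the mapped account's servicePrincipalName, userPrincipalName and msDS-keyVersionNumber attributes), written out as an added example that is not part of this thread. It assumes the output formats of MIT `klist -k -t` and `ldapsearch -LLL`; the DC hostname in the comment and both sample outputs are constructed, and the samples reproduce the thread's symptoms (host/ SPN missing, KVNO out of step).

```shell
#!/bin/sh
# Added example: compare an apache keytab with the AD account it was mapped to.
# With real tools the two inputs would come from (dc.company.ru is assumed):
#   klist -k -t apache.keytab
#   ldapsearch -LLL -H ldap://dc.company.ru -b DC=company,DC=ru \
#     '(sAMAccountName=web_http)' servicePrincipalName userPrincipalName msDS-KeyVersionNumber

# Constructed sample of `klist -k -t apache.keytab`
KLIST_OUT='Keytab name: FILE:apache.keytab
KVNO Timestamp           Principal
---- ------------------- -----------------------------------------
   1 12/10/2009 14:00:00 host/web.company.ru@COMPANY.RU
   1 12/10/2009 14:00:00 HTTP/web.company.ru@COMPANY.RU'

# Constructed sample of the ldapsearch result for the web_http account
LDAP_OUT='dn: CN=web_http,CN=Users,DC=company,DC=ru
sAMAccountName: web_http
userPrincipalName: HTTP/web.company.ru@COMPANY.RU
servicePrincipalName: HTTP/web.company.ru
msDS-KeyVersionNumber: 2'

# keytab_entries KLIST_TEXT -> "principal kvno" per keytab slot (numeric first field)
keytab_entries() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $NF, $1 }'
}

# ldap_attr LDAP_TEXT ATTR -> values of ATTR, one per line (attribute names are case-insensitive)
ldap_attr() {
    printf '%s\n' "$1" | awk -v a="$2:" 'tolower($1) == tolower(a) { print $2 }'
}

# check_keytab KLIST_TEXT LDAP_TEXT -> one line per problem, exit 1 if any;
# silent with exit 0 when every slot has a matching SPN and the AD KVNO
check_keytab() {
    ad_kvno=$(ldap_attr "$2" msDS-KeyVersionNumber)
    spns=$(ldap_attr "$2" servicePrincipalName; ldap_attr "$2" userPrincipalName | sed 's/@.*//')
    out=$(keytab_entries "$1" | while read -r princ kvno; do
        svc=${princ%@*}                      # strip the realm: host/web.company.ru
        printf '%s\n' "$spns" | grep -qxF "$svc" || echo "NO_SPN $princ"
        [ "$kvno" = "$ad_kvno" ] || echo "KVNO_MISMATCH $princ keytab=$kvno ad=$ad_kvno"
    done)
    [ -z "$out" ] || printf '%s\n' "$out"
    [ -z "$out" ]
}

# Against the constructed samples this reports the missing host/ SPN and the KVNO skew.
check_keytab "$KLIST_OUT" "$LDAP_OUT" || echo "keytab and AD account disagree"
```

A KVNO_MISMATCH means the KDC will issue tickets with a key version the keytab does not hold; NO_SPN for a principal means the KDC has nothing to look up, which is the S_PRINCIPAL_UNKNOWN seen in the thread.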