Greg Groth ggroth at
Fri Jul 17 00:45:19 UTC 2015

On 2015-07-16 02:12, Raimund Sacherer wrote:
> Hello Greg,
>> C:\Windows\system32>ktpass -princ 
>> HTTP/ad01.example.local@EXAMPLE.LOCAL
>> -mapuser aduser -pass P@$$word -ptype KRB5_NT_PRINCIPAL -out
>> :\temp\krb5.keytab
> For what it's worth, we have a couple of servers authenticating against
> a 2012 domain and we create the keytab file like this:
> setspn -A HTTP/ windowsusername
> ktpass -out -princ HTTP/ at EXAMPLE.LOCAL
> -mapUser windowsuser -mapOp set -pass password -crypto RC4-HMAC-NT
> At times we have instead of RC4-HMAC-NT set ALL.
> Hope this helps,
> best

  Many, many thanks for answering.  I tried the following from the 
command line on the 2012 DC as Admin:

C:\setspn -A HTTP/ad01.example.local aduser
Checking domain DC=example,DC=local

   Registering ServicePrincipalNames for 
Updated object

C:\ktpass -out C:\temp\krb5.keytab -princ HTTP/aduser.example.local@EXAMPLE.LOCAL -mapUser aduser -mapOp set -pass P@$$word -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL
Targeting domain controller: AD01.example.local
Using legacy password setting method
Successfully mapped HTTP/aduser.example.local to aduser.
Key created.
Output keytab to C:\temp\krb5.keytab:
Keytab version: 0x502
keysize 80 HTTP/aduser.example.local@EXAMPLE.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 29 etype 0x17 (RC4-HMAC) keylength 16 

   Copied the keytab to /etc on the FreeBSD box (chown root:wheel / 
chmod 600) and tried the following as root:

root@BSD01:/ # kinit -k aduser
kinit: krb5_get_init_creds: Already tried ENC-TS-info, looping

("root@BSD01:/ # kinit -t /etc/krb5.keytab aduser" returns the same)

if I try a bogus user:

root@BSD01:/ # kinit -k bogususer
kinit: krb5_get_init_creds: Client (bogususer@EXAMPLE.LOCAL) unknown

   It looks like it's communicating and locating the user correctly, but 
something is going awry with the authentication?  I've reset the 
password in AD multiple times, and have verified I can log onto a 
workstation located in the "EXAMPLE" domain with the "aduser" 
credentials.  Are there perhaps other permissions that need to be 
assigned on the DC to "aduser" in order to get this to work?

Best regards,

Greg Groth
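An added check for the kinit step above (example code, not from this thread or from FreeBSD): before running kinit -k, confirm that the principal name handed to kinit is actually present in the keytab, and flag any entry whose enctype is not AES, since a keytab built with -crypto RC4-HMAC-NT only carries the weaker arcfour-hmac-md5 key. It assumes Heimdal's "ktutil -k FILE list" output layout (Vno / Type / Principal columns); the listing below is a constructed sample modelled on the ktpass output in the message, not captured output.

```shell
#!/bin/sh
# Constructed sample of "ktutil -k /etc/krb5.keytab list" (Heimdal, as shipped
# in FreeBSD base) for the keytab produced by the ktpass run above. Not real output.
SAMPLE_LISTING='FILE:/etc/krb5.keytab

Vno  Type                     Principal                                   Aliases
 29  arcfour-hmac-md5         HTTP/aduser.example.local@EXAMPLE.LOCAL'

# Read a ktutil listing on stdin; print "vno enctype principal" for each entry,
# skipping the FILE: line, the blank line and the column header.
keytab_entries() {
    awk 'NF >= 3 && $1 ~ /^[0-9]+$/ { print $1, $2, $3 }'
}

# Exit 0 only if the listing on stdin contains an entry whose principal is
# exactly $1 (realm included). A near miss such as "aduser" vs
# "HTTP/aduser.example.local@EXAMPLE.LOCAL" is reported as absent.
keytab_has_principal() {
    keytab_entries | awk -v p="$1" '$3 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# Print the distinct non-AES enctypes in the listing on stdin (empty if none),
# so an RC4-only keytab is noticed before it is deployed.
keytab_weak_enctypes() {
    keytab_entries | awk '$2 !~ /^aes/ { print $2 }' | sort -u
}

# Wrapper for "kinit -k": refuse to run unless the principal is in the keytab,
# and show what the keytab actually holds when it is not. Assumes ktutil and
# kinit from Heimdal are on PATH.
kinit_from_keytab() {
    keytab="$1"; princ="$2"
    if ! ktutil -k "$keytab" list | keytab_has_principal "$princ"; then
        echo "principal $princ not found in $keytab; entries are:" >&2
        ktutil -k "$keytab" list | keytab_entries >&2
        return 1
    fi
    weak=$(ktutil -k "$keytab" list | keytab_weak_enctypes)
    [ -n "$weak" ] && echo "warning: non-AES enctypes in $keytab: $weak" >&2
    kinit -k -t "$keytab" "$princ"
}
```

Run as `kinit_from_keytab /etc/krb5.keytab HTTP/aduser.example.local@EXAMPLE.LOCAL` on the FreeBSD box; the checks read only the listing, so they can also be tried against saved ktutil output.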
