Greg Groth ggroth at
Tue Jul 21 13:43:01 UTC 2015

On 2015-07-17 05:04, Raimund Sacherer wrote:
> Hello Greg,
> on a first glance I can't see anything really out of order, if it
> helps, I use(d) this pages to setup kerberos and apache auth:
> The account you create for the service principal has to be a user
> account, it does not work with a machine account.
> If you authenticate without the key tab, just a user from the ad
> (create a user and test a kinit user at EXAMPLE.COM, later klist). Check
> if a simple user authentication works in the first place.
> Hope that this will help you in any way,
> Best
> Ray

Many thanks for replying.

I have to be doing something wrong with the ktpass command on the DC, 
but for the life of me, I'm not sure what the issue is.

I created a user named aduser, and can obtain a ticket by using kinit 
aduser at EXAMPLE.COM from the BSD server, but using kinit -k aduser or 
kinit -t /etc/krb5.keytab aduser always returns "kinit: 
krb5_get_init_creds: Already tried ENC-TS-info, looping"

This is what I've been trying on the DC to create a keytab file:

ktpass /princ HTTP/ at EXAMPLE.COM /mapuser 
aduser at EXAMPLE.COM /pass P@$$word /crypto RC4-HMAC-NT /ptype 
RB5_NT_PRINCIPAL /out C:\temp\krb5.keytab

Once I run the command on the DC, the userPrincipalName for aduser gets 
replaced with "HTTP/".  Does the servicePrincipalName 
need to be set to the same as well?  I've tried it with the UPN sert, 
the SPN set, and both the UPN & SPN set to "HTTP/", but 
it doesn't seem to make a difference.

When I run ktutil list --keys on the BSD box, I get:
Vno  Type              Principal                                       
Key                               Aliases
  32  arcfour-hmac-md5  HTTP/ at EXAMPLE.COM  

I thought I read somewhere that the DC is looking for a match on the 
UPN, which appears to be identical.  The only other troubleshooting I've 
been able to do is to use a packet sniffer, and it appears that the DC 
is waiting for a password which is never supplied?

I have not installed the krb5 port, and have been using whatever version 
is installed in the base distro (heimdal?).  I noted on the TechNet page 
at MS that ktpass is based on the MIT version of Kerberos.  Do I need 
the krb5 port in place of whatever version is included in the base 
distro to get this to work?

Best regards,

Greg Groth

More information about the freebsd-questions mailing list