Kerberos

Greg Groth ggroth at gregs-garage.com
Tue Jul 21 13:43:01 UTC 2015


On 2015-07-17 05:04, Raimund Sacherer wrote:
> Hello Greg,
> 
> on a first glance I can't see anything really out of order, if it
> helps, I use(d) this pages to setup kerberos and apache auth:
> http://www.grolmsnet.de/kerbtut/
> http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/
> 
> The account you create for the service principal has to be a user
> account, it does not work with a machine account.
> 
> If you authenticate without the key tab, just a user from the ad
> (create a user and test a kinit user@EXAMPLE.COM, later klist). Check
> if a simple user authentication works in the first place.
> 
> Hope that this will help you in any way,
> 
> Best
> Ray

Many thanks for replying.

I have to be doing something wrong with the ktpass command on the DC, 
but for the life of me, I'm not sure what the issue is.

I created a user named aduser, and can obtain a ticket by using kinit 
aduser@EXAMPLE.COM from the BSD server, but using kinit -k aduser or 
kinit -t /etc/krb5.keytab aduser always returns "kinit: 
krb5_get_init_creds: Already tried ENC-TS-info, looping"

This is what I've been trying on the DC to create a keytab file:

ktpass /princ HTTP/atbsd.example.com@EXAMPLE.COM /mapuser aduser@EXAMPLE.COM /pass P@$$word /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL /out C:\temp\krb5.keytab

Once I run the command on the DC, the userPrincipalName for aduser gets 
replaced with "HTTP/atbsd.example.com".  Does the servicePrincipalName 
need to be set to the same as well?  I've tried it with the UPN set, 
the SPN set, and both the UPN & SPN set to "HTTP/atbsd.example.com", but 
it doesn't seem to make a difference.

When I run ktutil list --keys on the BSD box, I get:

Vno  Type              Principal                            Key                              Aliases
 32  arcfour-hmac-md5  HTTP/atbsd.example.com@EXAMPLE.COM   XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

I thought I read somewhere that the DC is looking for a match on the 
UPN, which appears to be identical.  The only other troubleshooting I've 
been able to do is to use a packet sniffer, and it appears that the DC 
is waiting for a password which is never supplied?

I have not installed the krb5 port, and have been using whatever version 
is installed in the base distro (Heimdal?).  I noted on the TechNet page 
at MS that ktpass is based on the MIT version of Kerberos.  Do I need 
the krb5 port in place of whatever version is included in the base 
distro to get this to work?

Best regards,

Greg Groth
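As an added example that is not part of the original thread, here is a small POSIX sh check for the FreeBSD side of the procedure described above: it reads the principal names out of ktutil's keytab listing and verifies that the name about to be handed to kinit -k is actually one of them before a keytab login is attempted, then (optionally) performs that login into a private credential cache so an existing ticket cache is left alone. The keytab path, the principal names and the embedded ktutil output are constructed for illustration; kinit_from_keytab needs Heimdal or MIT kinit/klist/kdestroy on the host.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks that the principal
# given to "kinit -k" is present in the keytab, then tries the keytab login.
# KEYTAB, the principal names and SAMPLE_KTUTIL_OUTPUT are constructed.

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# Constructed sample of "ktutil -k <keytab> list" output (Heimdal layout),
# mirroring a keytab that ktpass populated with only the HTTP/ principal.
SAMPLE_KTUTIL_OUTPUT='FILE:/etc/krb5.keytab

Vno  Type              Principal                            Aliases
  32  arcfour-hmac-md5  HTTP/atbsd.example.com@EXAMPLE.COM'

# Read ktutil list output on stdin and print one principal per line.
# Entry lines start with a numeric key version number; the FILE: line,
# the blank line and the column header do not, so they are skipped.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $3 }'
}

# Return 0 if $1 (full principal, realm included) appears in the ktutil
# listing read on stdin, 1 otherwise. -x forces a whole-line match, so
# "aduser@EXAMPLE.COM" does not match "HTTP/atbsd.example.com@EXAMPLE.COM".
principal_in_listing() {
    keytab_principals | grep -qxF -- "$1"
}

# For each principal given after the listing, report whether it is usable
# with "kinit -k". Output is one line per principal.
check_principals() {
    _listing="$1"; shift
    for p in "$@"; do
        if printf '%s\n' "$_listing" | principal_in_listing "$p"; then
            echo "present in keytab: $p"
        else
            echo "NOT in keytab (kinit -k will fail): $p"
        fi
    done
}

# Obtain a TGT for principal $1 from $KEYTAB into a throwaway file cache,
# show it with klist, and destroy the cache again. Needs kinit/klist/kdestroy.
kinit_from_keytab() {
    _princ="$1"
    _cc="FILE:$(mktemp -t krb5cc)"
    if KRB5CCNAME="$_cc" kinit -k -t "$KEYTAB" "$_princ"; then
        KRB5CCNAME="$_cc" klist
        _rc=0
    else
        _rc=1
    fi
    kdestroy -c "$_cc" 2>/dev/null || rm -f "${_cc#FILE:}"
    return $_rc
}

# Stand-alone run: compare the two names used in the thread against the
# constructed listing. Set RUN_KINIT=1 to also try the real keytab login.
check_principals "$SAMPLE_KTUTIL_OUTPUT" \
    "aduser@EXAMPLE.COM" "HTTP/atbsd.example.com@EXAMPLE.COM"
if [ "${RUN_KINIT:-0}" = 1 ]; then
    kinit_from_keytab "HTTP/atbsd.example.com@EXAMPLE.COM"
fi
```

On a real host replace the embedded sample with `ktutil -k "$KEYTAB" list` piped into principal_in_listing, and pass kinit_from_keytab exactly the string ktutil printed, realm included: kinit -k looks the principal up in the keytab by its full name, so a short name that is not in the keytab is never going to be found there regardless of how the account's UPN or SPN is set on the DC.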
