Greg Groth ggroth at
Thu Jul 23 17:59:25 UTC 2015

On 2015-07-21 08:42, Greg Groth wrote:
> On 2015-07-17 05:04, Raimund Sacherer wrote:
>> Hello Greg,
>> on a first glance I can't see anything really out of order, if it
>> helps, I use(d) this pages to setup kerberos and apache auth:
>> The account you create for the service principal has to be a user
>> account, it does not work with a machine account.
>> If you authenticate without the key tab, just a user from the ad
>> (create a user and test a kinit user at EXAMPLE.COM, later klist). Check
>> if a simple user authentication works in the first place.
>> Hope that this will help you in any way,
>> Best
>> Ray
> Many thanks for replying.
> I have to be doing something wrong with the ktpass command on the DC,
> but for the life of me, I'm not sure what the issue is.
> I created a user named aduser, and can obtain a ticket by using kinit
> aduser at EXAMPLE.COM from the BSD server, but using kinit -k aduser or
> kinit -t /etc/krb5.keytab aduser always returns "kinit:
> krb5_get_init_creds: Already tried ENC-TS-info, looping"
> This is what I've been trying on the DC to create a keytab file:
> ktpass /princ HTTP/ at EXAMPLE.COM /mapuser
> aduser at EXAMPLE.COM /pass P@$$word /crypto RC4-HMAC-NT /ptype
> RB5_NT_PRINCIPAL /out C:\temp\krb5.keytab
> Once I run the command on the DC, the userPrincipalName for aduser
> gets replaced with "HTTP/".  Does the
> servicePrincipalName need to be set to the same as well?  I've tried
> it with the UPN set, the SPN set, and both the UPN & SPN set to
> "HTTP/", but it doesn't seem to make a difference.
> When I run ktutil list --keys on the BSD box, I get:
> Vno  Type              Principal
> Key                               Aliases
>  32  arcfour-hmac-md5  HTTP/ at EXAMPLE.COM
> I thought I read somewhere that the DC is looking for a match on the
> UPN, which appears to be identical.  The only other troubleshooting
> I've been able to do is to use a packet sniffer, and it appears that
> the DC is waiting for a password which is never supplied?
> I have not installed the krb5 port, and have been using whatever
> version is installed in the base distro (heimdal?).  I noted on the
> TechNet page at MS that ktpass is based on the MIT version of
> Kerberos.  Do I need the krb5 port in place of whatever version is
> included in the base distro to get this to work?
> Best regards,
> Greg Groth

Making progress.  Installed the MIT Kerberos port, which has better 
error reporting back to stdout (IMHO) that helped me track down the 

  Apparently running "kinit -k" defaults the service in the principal 
name of the request to "host".  I had created my keytab for a service of 
"HTTP", which was why "kinit -k" was failing, where "kinit -k 
HTTP/" worked like a charm.

  I then went back and recreated the keytab on the windows box using 
"/princ host/ at EXAMPLE.COM" the resultant keytab, once 
installed, would work with just "kinit -k".

  I'm sure these differentiations are noted in the documentation that has 
been provided, but somewhere I must have assumed that kinit was reading 
the service of the principal name in the keytab file, and creating a 
request based on the values provided.

Many thanks again to all who gave their assistance.

Best regards,

Greg Groth
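The lesson of the thread is that a bare "kinit -k" asks for host/<fqdn>@REALM, so a keytab holding only an HTTP/ key cannot satisfy it. The following Python script is an added example, not code from this thread or from FreeBSD, Heimdal or MIT Kerberos: it parses the binary keytab format (version 5.02, the layout written by ktutil and ktpass) without printing key material, lists the principals much like "ktutil list --keys" does, and reports whether the default principal that "kinit -k" would request is present. The keytab bytes it reads are constructed inline with dummy keys; the hostname web.example.com and the name check_kinit_k are assumptions for the illustration.

```python
import struct

# RFC 3961 / RFC 4757 enctype numbers, used only for readable output
ENCTYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}
KRB5_NT_PRINCIPAL = 1


def _counted(data: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Write a v5.02 keytab from (principal, vno, enctype, key_bytes) tuples.
    Used here only to construct sample input; real keytabs come from ktpass/ktutil."""
    out = bytearray(b"\x05\x02")
    for principal, vno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, vno & 0xFF)  # name type, timestamp, 8-bit vno
        body += struct.pack(">H", enctype) + _counted(key)            # keyblock
        body += struct.pack(">I", vno)                                # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _take_counted(data, off):
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def parse_keytab(data: bytes):
    """Return the entries (principal, service, vno, enctype) of a keytab, dropping the keys."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 5.02 is handled here")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:               # nothing more to read
            break
        if size < 0:                # negative size marks a deleted slot; skip its bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _take_counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _take_counted(data, off)
            comps.append(c.decode())
        _name_type, _timestamp, vno = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen             # step over the key itself
        if end - off >= 4:          # optional 32-bit vno overrides the 8-bit one when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                vno = vno32
        off = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "service": comps[0],
            "vno": vno,
            "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
        })
    return entries


def check_kinit_k(data: bytes, hostname: str, realm: str):
    """Report whether a bare 'kinit -k', which requests host/<hostname>@<realm>,
    can find its key in this keytab, and which principals the keytab does hold."""
    wanted = f"host/{hostname}@{realm}"
    principals = [e["principal"] for e in parse_keytab(data)]
    return {"default_principal": wanted, "present": wanted in principals,
            "principals": principals}


if __name__ == "__main__":
    # Constructed sample: a single HTTP/ entry like the one in the thread (dummy key bytes)
    sample = build_keytab([("HTTP/web.example.com@EXAMPLE.COM", 32, 23, b"\x00" * 16)])
    for e in parse_keytab(sample):
        print(f"{e['vno']:>4}  {e['enctype']:<24} {e['principal']}")
    result = check_kinit_k(sample, "web.example.com", "EXAMPLE.COM")
    if not result["present"]:
        print(f"{result['default_principal']} not in keytab; "
              f"use: kinit -k {result['principals'][0]}")
```

Run it against /etc/krb5.keytab by reading the file's bytes and passing the machine's FQDN and realm; the "present" flag being false is exactly the situation the thread describes, and the listed principals tell you which name to hand to kinit -k.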
