[31761] in Kerberos


RE: ktpass troubles

daemon@ATHENA.MIT.EDU (Vitaly Tskhovrebov)
Fri Dec 11 10:37:46 2009

From: Vitaly Tskhovrebov <Vitaly.Tskhovrebov@exigenservices.com>
To: "Douglas E. Engert" <deengert@anl.gov>
Date: Fri, 11 Dec 2009 11:00:05 +0300
Message-ID: <B6C4EB6BB2F4654C835D1F7319E4E6742B7DBE4705@SPBEX03.internal.corp>
In-Reply-To: <4B214B77.1050808@anl.gov>
Content-Language: en-US
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>

It works now. Dunno what was wrong.
I just came to work in the morning.

--
Vitaly.


-----Original Message-----
From: Douglas E. Engert [mailto:deengert@anl.gov] 
Sent: Thursday, December 10, 2009 10:27 PM
To: Vitaly Tskhovrebov
Cc: kerberos@mit.edu
Subject: Re: ktpass troubles



Vitaly Tskhovrebov wrote:
> Hi.
> 
>  
> 
> I'm trying to use krb authentication on linux box with apache.
> 
>  
> 
> I've done the following on W2K3 PDC:
> 
>  
> 
> ktpass -princ host/web.company.ru@COMPANY.RU -pass qwerty -mapuser
> D\web_http -out host.keytab -ptype KRB5_NT_SRV_HST -kvno 1
> 
> Successfully mapped  host/web.company.ru@COMPANY.RU to  web_http.
> 
> WARNING: pType and account type do not match. This might cause  problems.
> 
> Key created.
> 
> Output keytab to host.keytab:
> 
> Keytab version: 0x502
> 
> keysize 75  host/web.company.ru ptype 3 (KRB5_NT_SRV_HST) vno 1 etype 0x17 (RC4-HMAC) keylength 16 (0xeddf60686996d8ba2d81cfd15da42bd3)
> 
>  
> 
> the same for 
> 
> ktpass -princ HTTP/web.company.ru@COMPANY.RU -pass qwerty -mapuser
> D\web_http -out http.keytab -kvno 1
> 
>  

You may have updated the msDS-keyVersionNumber in the DC.
Use ldap or some MS tool like ADSI-edit to look for this attribute
on the web_http account.
Also look at the userPrincipalName, ServicePrincipalName and
sAMAccountName attributes too.

> 
> and then
> 
> setspn.exe -A HTTP/web.company.ru web

Should this be web_http? Did it work?

You should also consider using two separate accounts and two separate
keytab files, one for host/... and one for HTTP/... Each would
then have its own key.


> 
>  
> 
> after that I made several steps on linux box making a keytab for apache, and
> trying to test:
> 
>  
> 
> ktutil: read_kt host.keytab
> 
> ktutil: read_kt http.keytab
> 
> ktutil: list
> 
> slot KVNO Principal
> 
> ---- ---- ------------------------------------
> 
>    1    1       host/web.company.ru@COMPANY.RU
> 
>    2    1       HTTP/web.company.ru@COMPANY.RU
> 
> ktutil: write_kt apache.keytab
> 
>  
> 
>  
> 
> kinit -t apache.keytab -k HTTP/web.company.ru@COMPANY.RU
> 
> # IT'S OK!
> 
>  
> 
> kinit -t apache.keytab -k host/web.company.ru@COMPANY.RU
> 
> kinit(v5): Client not found in Kerberos database while getting initial
> credentials
> 
>  
> 
> Ethereal told that krb5kdc_err_s_principal_unknown.
> 
>  
> 
> Where I'm wrong?
> 
>  
> 
> --
> 
> Vitaly.
> 
>  
> 
> 
> 
> ------------------------------------------------------------------------
> 
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
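
An added example, not code from either poster or from MIT Kerberos: a parser for the version 0x502 keytab format that ktpass reports above, listing each entry's kvno for comparison against the account's msDS-KeyVersionNumber and flagging principals that carry the same key, the situation the two-accounts advice avoids. The function names, the directory kvno values passed to `audit` and the sample key bytes are constructed assumptions.

```python
import struct

def parse_keytab(data):
    if data[:2] != b"\x05\x02":            # file format version 0x502, big-endian
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        rec, off = data[pos + 4:pos + 4 + abs(size)], 2
        pos += 4 + abs(size)
        if size <= 0:                      # negative size marks a deleted slot
            continue
        def counted():                     # uint16 length, then that many bytes
            nonlocal off
            (n,) = struct.unpack_from(">H", rec, off)
            off += 2 + n
            return rec[off - n:off].decode()
        (ncomp,) = struct.unpack_from(">H", rec, 0)   # component count, realm excluded
        realm = counted()
        name = "/".join(counted() for _ in range(ncomp))
        _ntype, _time, kvno, etype, klen = struct.unpack_from(">IIBHH", rec, off)
        end = off + 13 + klen
        if len(rec) - end >= 4:            # optional 32-bit kvno extension
            kvno = struct.unpack_from(">I", rec, end)[0] or kvno
        entries.append({"principal": f"{name}@{realm}", "kvno": kvno,
                        "etype": etype, "key": rec[end - klen:end]})
    return entries

def audit(entries, directory_kvno):
    # directory_kvno: principal -> msDS-KeyVersionNumber read from AD (assumed input)
    findings, by_key = [], {}
    for e in entries:
        by_key.setdefault(e["key"], []).append(e["principal"])
        want = directory_kvno.get(e["principal"], e["kvno"])
        if want != e["kvno"]:
            findings.append(f"{e['principal']}: keytab kvno {e['kvno']}, directory {want}")
    findings += ["shared key: " + ", ".join(p) for p in by_key.values() if len(p) > 1]
    return findings

def make_entry(principal, kvno, etype, key):   # builds one constructed sample record
    name, realm = principal.split("@")
    s = lambda b: struct.pack(">H", len(b)) + b
    parts = [s(p.encode()) for p in name.split("/")]
    body = struct.pack(">H", len(parts)) + s(realm.encode()) + b"".join(parts)
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

NAMES = ("host/web.company.ru@COMPANY.RU", "HTTP/web.company.ru@COMPANY.RU")
SAMPLE = b"\x05\x02" + b"".join(make_entry(p, 1, 0x17, bytes(range(16))) for p in NAMES)
```

Calling `audit(parse_keytab(SAMPLE), {p: 3 for p in NAMES})` reports a kvno mismatch for each principal and one shared-key finding; the value 3 stands in for whatever the directory actually holds.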
