Re: Loading host service principal from /etc/krb5.keytab?
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Tue May 25 10:37:35 2010
Message-ID: <4BFBE0A6.7020001@anl.gov>
Date: Tue, 25 May 2010 09:37:26 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Lars Kellogg-Stedman <lars@oddbit.com>
In-Reply-To: <AANLkTili-s7ob_-cb7MCUww61Y1LreOp8-J_6Ag0F5WL@mail.gmail.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Lars Kellogg-Stedman wrote:
> Hello all,
>
> Should it be possible to load the host service principal from
> /etc/krb5.keytab for the purpose of authenticating against an Active
> Directory server? That is, should I expect this to work?
>
> kinit -k host/buildmaster.example.com@EXAMPLE.COM
AD will look for an account where the principal matches the
userPrincipalName attribute, or where the principal will match
sAMAccountName@DOMAIN.
I suspect that in your case the userPrincipalName (if any) is
host/buildmaster@EXAMPLE.COM and the sAMAccountName is BUILDMASTER$,
so kinit -k host/buildmaster@EXAMPLE.COM may work,
and kinit -k BUILDMASTER$@EXAMPLE.COM
should work.
For a machine that is not Windows, you could change the userPrincipalName
attribute on the account to host/buildmaster.example.com@EXAMPLE.COM.
>
> I invariably receive the following error message:
>
> kinit(v5): Client not found in Kerberos database while getting
> initial credentials
>
> Everything else seems to be working fine (I can kinit as a user, and
> those credentials are accepted for access to the server). The
> specified principal is listed by 'klist -k':
>
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 2 host/buildmaster.example.com@EXAMPLE.COM
> 2 host/buildmaster.example.com@EXAMPLE.COM
> 2 host/buildmaster.example.com@EXAMPLE.COM
> 2 host/buildmaster@EXAMPLE.COM
> 2 host/buildmaster@EXAMPLE.COM
> 2 host/buildmaster@EXAMPLE.COM
> 2 BUILDMASTER$@EXAMPLE.COM
> 2 BUILDMASTER$@EXAMPLE.COM
> 2 BUILDMASTER$@EXAMPLE.COM
>
> The error message suggests to me some sort of hostname mismatch
> somewhere, but DNS (forward and reverse), the system hostname, and the
> servicePrincipalNames in AD are all consistent.
>
> The goal here is to be able to bind to an AD server using the stored
> host principal (rather than using shared credentials in
> /etc/ldap.conf, which seems to be the most common alternative to
> anonymous binds).
>
> Thanks for your help!
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
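A small diagnostic script, added here as an example and not code from either poster, that walks the distinct principals in a keytab (parsing the same `klist -k` layout quoted above) and tries `kinit -k` for each into a throwaway credential cache, so you can see which of the three name forms the AD KDC actually accepts. It assumes MIT Kerberos `klist`/`kinit`/`kdestroy` on the path; the keytab path and temp-file location are assumptions, and the sample `klist` listing is constructed for self-testing.

```shell
#!/bin/sh
# Added diagnostic example (not from the thread): which keytab principals
# can "kinit -k" against the KDC? Assumes MIT Kerberos klist/kinit/kdestroy.

# Parse "klist -k" output on stdin: keep only entry lines (first field is a
# numeric KVNO), drop the duplicates klist prints per enctype, and emit each
# distinct principal once, in keytab order.
unique_principals() {
    awk '$1 ~ /^[0-9]+$/ && !seen[$2]++ { print $2 }'
}

# Try "kinit -k" for every principal in the keytab ($1, default
# /etc/krb5.keytab). Each attempt uses a private credential cache so a
# successful login never clobbers the caller's own tickets.
# Prints "OK   <principal>" or "FAIL <principal>: <kinit error>".
try_principals() {
    keytab=${1:-/etc/krb5.keytab}
    cc=$(mktemp /tmp/krb5cc_check.XXXXXX) || return 1
    klist -k "$keytab" | unique_principals | while read -r princ; do
        if err=$(KRB5CCNAME="FILE:$cc" kinit -k -t "$keytab" "$princ" 2>&1); then
            echo "OK   $princ"
        else
            echo "FAIL $princ: $err"
        fi
    done
    KRB5CCNAME="FILE:$cc" kdestroy 2>/dev/null
    rm -f "$cc"
}

# Constructed sample in the layout "klist -k" prints (header plus one line
# per enctype), used to exercise unique_principals without a real keytab.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   2 host/buildmaster.example.com@EXAMPLE.COM
   2 host/buildmaster.example.com@EXAMPLE.COM
   2 host/buildmaster@EXAMPLE.COM
   2 BUILDMASTER$@EXAMPLE.COM
   2 BUILDMASTER$@EXAMPLE.COM'

# Usage: sh keytab_check.sh [/path/to/keytab]
if [ "$#" -gt 0 ]; then
    try_principals "$1"
fi
```

Run it as the user that can read the keytab; a FAIL line carrying "Client not found in Kerberos database" for one name form and OK for another tells you which attribute (userPrincipalName or sAMAccountName) AD matched.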