[32386] in Kerberos


Re: Loading host service principal from /etc/krb5.keytab?

daemon@ATHENA.MIT.EDU (Kyley Engle)
Tue May 25 10:58:43 2010

Message-ID: <SNT102-DS17F3602E99B6576344F6CB97E80@phx.gbl>
From: "Kyley Engle" <kyley_engle@hotmail.com>
To: "Douglas E. Engert" <deengert@anl.gov>,
   "Lars Kellogg-Stedman" <lars@oddbit.com>
In-Reply-To: <4BFBE0A6.7020001@anl.gov>
Date: Tue, 25 May 2010 07:58:38 -0700
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

When you are trying to kinit with a keytab, you need to use the -t flag. In 
our environment (Linux workstations and Windows domain controllers), as root I 
can:
kinit -k -t /etc/krb5.keytab
and get a TGT

-kyley

--------------------------------------------------
From: "Douglas E. Engert" <deengert@anl.gov>
Sent: Tuesday, May 25, 2010 7:37 AM
To: "Lars Kellogg-Stedman" <lars@oddbit.com>
Cc: <kerberos@mit.edu>
Subject: Re: Loading host service principal from /etc/krb5.keytab?

>
>
> Lars Kellogg-Stedman wrote:
>> Hello all,
>>
>> Should it be possible to load the host service principal from
>> /etc/krb5.keytab for the purpose of authenticating against an Active
>> Directory server?  That is, should I expect this to work?
>>
>>   kinit -k host/buildmaster.example.com@EXAMPLE.COM
>
> AD will look for an account where the principal matches the
> userPrincipalName attribute, or where the principal will match
> samAccountName@DOMAIN
>
> I suspect that in your case the userPrincipalName (if any) is
> host/buildmaster@EXAMPLE.COM and the sAMAccountName is BUILDMASTER$
> so kinit -k host/buildmaster@EXAMPLE.COM may work
> and kinit -k BUILDMASTER$@EXAMPLE.COM
> should work.
>
> For a machine that is not Windows, you could change the userPrincipalName
> attribute on the account to host/buildmaster.example.com@EXAMPLE.COM
>
>>
>> I invariably receive the following error message:
>>
>>   kinit(v5): Client not found in Kerberos database while getting
>> initial credentials
>>
>> Everything else seems to be working fine (I can kinit as a user, and
>> those credentials are accepted for access to the server).  The
>> specified principal is listed by 'klist -k':
>>
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>    2 host/buildmaster.example.com@EXAMPLE.COM
>>    2 host/buildmaster.example.com@EXAMPLE.COM
>>    2 host/buildmaster.example.com@EXAMPLE.COM
>>    2 host/buildmaster@EXAMPLE.COM
>>    2 host/buildmaster@EXAMPLE.COM
>>    2 host/buildmaster@EXAMPLE.COM
>>    2 BUILDMASTER$@EXAMPLE.COM
>>    2 BUILDMASTER$@EXAMPLE.COM
>>    2 BUILDMASTER$@EXAMPLE.COM
>>
>> The error message suggests to me some sort of hostname mismatch
>> somewhere, but DNS (forward and reverse), the system hostname, and the
>> servicePrincipalNames in AD are all consistent.
>>
>> The goal here is to be able to bind to an AD server using the stored
>> host principal (rather than using shared credentials in
>> /etc/ldap.conf, which seems to be the most common alternative to
>> anonymous binds).
>>
>> Thanks for your help!
>> ________________________________________________
>> Kerberos mailing list           Kerberos@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>
> -- 
>
>  Douglas E. Engert  <DEEngert@anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
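The point Douglas makes is the one that usually trips people up here: `kinit -k host/FQDN@REALM` asks the KDC for a ticket for a *client* named `host/FQDN`, and an AD KDC only finds clients by userPrincipalName or by sAMAccountName@DOMAIN, never by servicePrincipalName, so the SPN-shaped entry in the keytab gives "Client not found in Kerberos database" even though the key is perfectly good. The script below is an added example, not code from the thread or from the MIT Kerberos project. It reads the principal names out of `klist -k` style output (a constructed listing is embedded so it runs offline), derives the two names AD is likely to accept for each host/ entry (`host/SHORT@REALM` as the common UPN form and `SHORT$@REALM` as the machine account's sAMAccountName), and, only when explicitly asked and `kinit` is installed, tries `kinit -k -t KEYTAB` with each candidate until one yields a TGT. Hostnames and realm are the thread's example values, not real accounts.

```shell
#!/bin/sh
# Added example (not from the thread): derive the client names an Active
# Directory KDC will accept for kinit -k from the host/ entries in a keytab.
# Assumes a computer account laid out as in the thread (sAMAccountName
# BUILDMASTER$, userPrincipalName host/buildmaster@EXAMPLE.COM); the realm and
# hostnames are constructed.
set -eu

# Constructed stand-in for `klist -k /etc/krb5.keytab` output. klist prints one
# line per key (enctype), so the same principal appears several times.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/buildmaster.example.com@EXAMPLE.COM
   2 host/buildmaster.example.com@EXAMPLE.COM
   2 host/buildmaster@EXAMPLE.COM
   2 BUILDMASTER$@EXAMPLE.COM'

# keytab_principals: unique principal names from klist -k output on stdin.
# Only rows whose first field is a numeric KVNO are key entries.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && !seen[$2]++ { print $2 }'
}

# ad_candidates PRINCIPAL: the names AD matches for an AS request, in the
# order worth trying. For host/FQDN@REALM that is host/SHORT@REALM (the usual
# userPrincipalName) and SHORT$@REALM (sAMAccountName@DOMAIN). Anything that
# is not a host/ principal is returned unchanged.
ad_candidates() {
    princ=$1
    realm=${princ##*@}
    name=${princ%@*}
    case $name in
        host/*)
            fqdn=${name#host/}
            short=${fqdn%%.*}
            upper=$(printf '%s' "$short" | tr '[:lower:]' '[:upper:]')
            printf '%s\n' "host/$short@$realm" "$upper\$@$realm"
            ;;
        *)
            printf '%s\n' "$princ"
            ;;
    esac
}

# all_candidates: stdin is klist -k output; stdout is the deduplicated list of
# client names to try, keytab order preserved.
all_candidates() {
    keytab_principals | while read -r p; do ad_candidates "$p"; done \
        | awk '!seen[$0]++'
}

# try_kinit KEYTAB: attempt kinit -k -t KEYTAB NAME for each candidate and stop
# at the first TGT. kinit -k uses the key for exactly the name given, so the
# keytab must also contain an entry under that name (as in the thread's listing).
try_kinit() {
    keytab=$1
    for cand in $(klist -k "$keytab" | all_candidates); do
        if kinit -k -t "$keytab" "$cand" 2>/dev/null; then
            printf 'got TGT as %s\n' "$cand"
            return 0
        fi
        printf 'no TGT as %s\n' "$cand" >&2
    done
    return 1
}

# Offline demonstration on the constructed listing.
printf '%s\n' "$SAMPLE_KLIST" | all_candidates

# Live run only on request: ./keytab-probe.sh --kinit [/path/to/keytab]
if [ "${1:-}" = "--kinit" ] && command -v kinit >/dev/null 2>&1; then
    try_kinit "${2:-/etc/krb5.keytab}"
fi
```

Two things to check before blaming name mapping: `klist -k` must actually list the name you pass to `kinit -k` (the lookup is by exact principal name, and `-t` only changes which keytab file is searched; without it MIT kinit uses the default keytab), and the KVNO in the keytab must match the account's current key version in AD, since a reset of the computer account password bumps it and every entry silently stops working. Once `klist` shows a TGT for `BUILDMASTER$@EXAMPLE.COM`, the LDAP bind Lars is after can use it directly with SASL/GSSAPI (for OpenLDAP tools, `ldapsearch -Y GSSAPI`), which is the point of the exercise: no shared bind password on disk, only the host key.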
