[33259] in Kerberos
Re: trouble with msktutil and Windows 2008 AD
daemon@ATHENA.MIT.EDU (Rohit Kumar Mehta)
Thu Mar 10 12:26:25 2011
Message-ID: <4D7909B6.6070903@engr.uconn.edu>
Date: Thu, 10 Mar 2011 12:26:14 -0500
From: Rohit Kumar Mehta <rohitm@engr.uconn.edu>
MIME-Version: 1.0
To: <kerberos@mit.edu>
In-Reply-To: <4D779855.7050903@anl.gov>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hi Doug, you are correct. I got my copy of msktutil sourced from the git
server referenced from fuhm.net.
I did not mention that I had already tried the version you referenced
(0.3.16) with a similar error. I have re-tested with that version
(0.3.16) and also watched the traffic between my test AD and my test-nfs
server with wireshark. I do see some kerberos traffic, some ldap
traffic, and that same KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for
ldap/test-dc1.tad.engr.uconn.edu
Is it possible I made a mistake configuring the AD? It does seem to be
be running an LDAP server. I'm not sure if it's supposed to have an
ldap service principal by default.
root@test-nfs:~/build/msktutil-0.3.16# kinit
Administrator@TAD.ENGR.UCONN.EDU
Password for Administrator@TAD.ENGR.UCONN.EDU:
root@test-nfs:~/build/msktutil-0.3.16# ./msktutil -c -s nfs -s host -u
--server 137.99.15.89
Error: ldap_set_option failed (Local error)
Error: ldap_connect failed
root@test-nfs:~/build/msktutil-0.3.16# ./msktutil -c -s nfs -s host -u
--server 137.99.15.89 --verbose
-- init_password: Wiping the computer password structure
-- finalize_exec: Determining user principal name
-- finalize_exec: User Principal Name is:
host/test-nfs.tad.engr.uconn.edu@TAD.ENGR.UCONN.EDU
-- create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.mskt-10521krb5.conf
-- get_krb5_context: Creating Kerberos Context
-- try_machine_keytab: Using the local credential cache:
/tmp/.mskt-10521krb5_ccache
-- try_machine_keytab: krb5_get_init_creds_keytab failed (Client not
found in Kerberos database)
-- try_machine_keytab: Unable to authenticate using the local keytab
-- try_ldap_connect: Connecting to LDAP server: 137.99.15.89
-- try_ldap_connect: Connecting to LDAP server: 137.99.15.89
SASL/GSSAPI authentication started
Error: ldap_set_option failed (Local error)
Error: ldap_connect failed
-- krb5_cleanup: Destroying Kerberos Context
-- ldap_cleanup: Disconnecting from LDAP server
-- init_password: Wiping the computer password structure
root@test-nfs:~/build/msktutil-0.3.16#
Douglas E. Engert wrote:
>
> On 3/8/2011 9:19 AM, Rohit Kumar Mehta wrote:
>> From reading this list, it seems like msktutil is a much better
>> solution for managing Linux service principles in an AD than using
>> KTPASS.EXE. However, I seem to be having some difficulties.
>>
>> I set up a test AD with the domain TAD.ENGR.UCONN.EDU, and I'm trying to
>> create some service principles for my test-nfs server. So on my test
>> Linux server (running Ubuntu Lucid), I downloaded msktutil from git (I
>> believe version 0.4), compiled, did a kinit
>> Administrator@TAD.ENGR.UCONN.EDU, and then tried to run msktutil.This
>> is what I get:
> If this is from
> http://fuhm.net/software/msktutil/
> I have not tried it, but it says it is based on this version:
> http://download.systemimager.org/~finley/msktutil/
> Which is what we are using.
>
>> root@test-nfs:~/build/f/msktutil# ./msktutil --precreate --hostname
>> test-nfs.tad.engr.uconn.edu -s host -s nfs --server 137.99.15.89 --verbose
>> -- init_password: Wiping the computer password structure
>> -- get_default_keytab: Obtaining the default keytab name:
>> FILE:/etc/krb5.keytab
>> -- create_fake_krb5_conf: Created a fake krb5.conf file:
>> /tmp/.msktkrb5.conf-mc2Qvi
>> -- reload: Reloading Kerberos Context
>> -- get_short_hostname: Determined short hostname: test-nfs
>> -- finalize_exec: SAM Account Name is: test-nfs$
>> -- try_user_creds: Checking if default ticket cache has tickets...
>> -- finalize_exec: Authenticated using method 4
>>
>> -- ldap_connect: Connecting to LDAP server: 137.99.15.89 try_tls=YES
>> -- ldap_connect: Connecting to LDAP server: 137.99.15.89 try_tls=NO
>> SASL/GSSAPI authentication started
>> Error: ldap_sasl_interactive_bind_s failed (Local error)
>> Error: ldap_connect failed
>> --> Is your kerberos ticket expired? You might try re-"kinit"ing.
>> -- ~KRB5Context: Destroying Kerberos Context
>> root@test-nfs:~/build/f/msktutil#
>>
>> Looking at wireshark I see a bunch of errors like
>> KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. It looks like msktutil is trying to
>> connect get authorized for this service
>> ldap/test-dc1.tad.engr.uconn.edu. Given that Microsoft Active Directory
>> provides LDAP. I'm not sure why that is a problem.
> I have never used the --precreate option. But msktutil will need to be run
> using a Kerberos ticket for an AD admin, as it needs to update AD. So you
> need to run kinit before running msktutil. (After a keytab has been created,
> and you are updaqting the keys, msktutil will try and use it first.)
>
>> Am I doing anything obviously wrong? If so I appreciate any help. Thanks!
>>
>> Rohit
>>
--
Rohit Mehta
Computer Engineer
University of Connecticut
Engineering Computing Services
371 Fairfield Road Unit 2031
Storrs, CT 06269-2031
Office: (860) 486 - 2331
Fax: (860) 486 - 1273
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
