Re: [modauthkerb] Create keytab with multiple servicePrincipalNames
From: Douglas E. E. <dee...@an...> - 2014-01-07 20:14:40
<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body text="#000000" bgcolor="#FFFFFF"> <br> <div class="moz-cite-prefix">On 1/7/2014 1:17 PM, Jakob Olsen wrote:<br> </div> <blockquote cite="mid:CAM...@ma..." type="cite"> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <div dir="ltr">Hello, <div>this is my first post to the mailing list, so I hope I'm doing it the right way.</div> <div><br> </div> <div>We have the following setup:</div> <div><br> </div> <div>KDC = Windows 2003R2</div> <div><br> </div> <div>Kerberos enabled server: Ubuntu - Apache 2.4</div> <div><br> </div> <div>Clients: Windows 7 - IE 8</div> <div><br> </div> <div>The solution has been up and running, but today I needed to add another SPN to the AD user used when the keytab was created.</div> </div> </blockquote> <br> If this is your first attempt at using AD as the KDC for a service, keep in mind that the MS docs talk about a "user" account<br> but the user is not a real user but an account representing a service. Some people get confused. Your use of the <br> -mapuser <a class="moz-txt-link-abbreviated" href="mailto:us...@do...f">us...@do...f</a> looks like this type of confusion. <br> <br> Real users don't normally have SPNs. <br> <blockquote cite="mid:CAM...@ma..." 
type="cite"> <div dir="ltr"> <div><br> </div> <div>I create my keytab with this Windows command:</div> <div><br> </div> <div>ktpass -princ <a class="moz-txt-link-abbreviated" href="mailto:HTTP/ser...@DO...F">HTTP/ser...@DO...F</a> -mapuser <a class="moz-txt-link-abbreviated" href="mailto:us...@do...f">us...@do...f</a> -pass password -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab<br> </div> <div><br> </div> <div>But after I added another SPN and created a new keytab, I see this error in my Apache error.log:</div> <div><br> </div> <div> <div>[Tue Jan 07 16:53:24.378749 2014] [auth_kerb:debug] [pid 11253] src/mod_auth_kerb.c(1121): [client IP:PORT] GSS-API major_status:000d0000, minor_status:96c73ae6</div> <div>[Tue Jan 07 16:53:24.378809 2014] [auth_kerb:error] [pid 11253] [client IP:PORT] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)</div> </div> <div><br> </div> <div>So my question is:</div> <div><br> </div> <div>What do I do about this error?</div> <div>How do I debug any further?</div> </div> </blockquote> <br> Some things to keep in mind...<br> <br> An AD account has a single password used to generate keys on the fly. <br> <br> An AD account has a single key version number.<br> <br> An SPN added to an account shares the password and KVNO with the UPN for the account and all other SPNs on the account. <br> <br> One way to avoid this is to have a separate service account with only one SPN, and one matching keytab entry. <br> Pick a naming convention for these AD accounts, say &lt;service&gt;-&lt;host&gt;, so in your example, http-servername. <br> <br> <br> You may also want to look at msktutil (Ubuntu has a packaged version), or Samba utilities that allow you to update keytabs and AD accounts <br> rather than ktpass. <br> <br> <br> <blockquote cite="mid:CAM...@ma..." 
type="cite"> <div dir="ltr"> <div><br> </div> <div>Normally I don't have klist, ktutil, kadmin etc. installed on the Ubuntu server.</div> <div>But today I installed the krb-user package, and when calling kvno HTTP/servername.domain.tld I see the same kvno as ktpass writes when creating the keytab.</div> </div> </blockquote> <br> You might just be seeing that the user has cached tickets. You may want to kinit again. <br> <br> <br> <blockquote cite="mid:CAM...@ma..." type="cite"> <div dir="ltr"> <div><br> </div> <div>Any help is appreciated.</div> <div> <div><br> </div> -- <br> Jakob Damgaard Olsen<br> Tlf: 24613112 </div> </div> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> <pre wrap="">_______________________________________________ modauthkerb-help mailing list <a class="moz-txt-link-abbreviated" href="mailto:mod...@li...">mod...@li...</a> <a class="moz-txt-link-freetext" href="https://lists.sourceforge.net/lists/listinfo/modauthkerb-help">https://lists.sourceforge.net/lists/listinfo/modauthkerb-help</a> </pre> </blockquote> <br> <pre class="moz-signature" cols="200">-- Douglas E. Engert <a class="moz-txt-link-rfc2396E" href="mailto:DEE...@an..."><DEE...@an...></a> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444</pre> </body> </html>
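The reply above explains the root cause of the "Key version number for principal in key table is incorrect" failure: an AD account carries one password and one KVNO shared by every SPN on it, so re-running ktpass for a second SPN bumps the KVNO and leaves the service's keytab holding keys for a version the KDC no longer issues. The following script is an added example (not part of the thread, and not mod_auth_kerb's or MIT's code) of how to check for that condition on the server: it parses an MIT-format (0x0502) keytab, parses the text that the `kvno` command prints, and reports any principal whose keytab KVNOs do not include the one the KDC currently uses. The keytab bytes and the `kvno` output line are constructed inline so the script runs offline; the realm `DOMAIN.TLD`, the 16-byte key and the enctype constant are assumptions for the sample, not values from the thread. The `build_keytab` helper exists only to produce that sample.

```python
import struct
import time
from typing import Dict, List, Tuple

RC4_HMAC = 23  # Kerberos enctype number for RC4-HMAC (what "-crypto RC4-HMAC-NT" produces)


def _counted(data: bytes) -> bytes:
    """Keytab counted_octet_string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries: List[Tuple[str, int, int, bytes]]) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples into the MIT 0x0502 keytab
    layout. Only used to construct an offline sample; real keytabs come from
    ktpass or msktutil."""
    blob = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.split("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        # name_type 1 = KRB5_NT_PRINCIPAL, then timestamp and the 8-bit kvno
        body += struct.pack(">IIB", 1, int(time.time()), kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)  # optional trailing 32-bit kvno field
        blob += struct.pack(">i", len(body)) + body
    return blob


def parse_keytab(blob: bytes) -> List[Tuple[str, int, int]]:
    """Parse an MIT 0x0502 keytab into (principal, kvno, enctype) tuples."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">i", blob[pos:pos + 4])
        pos += 4
        if size <= 0:  # a negative size marks a deleted slot of |size| bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", blob[pos:pos + 2])
        pos += 2

        def read_string() -> str:
            nonlocal pos
            (n,) = struct.unpack(">H", blob[pos:pos + 2])
            value = blob[pos + 2:pos + 2 + n]
            pos += 2 + n
            return value.decode()

        realm = read_string()
        comps = [read_string() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", blob[pos:pos + 9])
        pos += 9
        enctype, klen = struct.unpack(">HH", blob[pos:pos + 4])
        pos += 4 + klen  # skip the key material itself; only the kvno matters here
        kvno = vno8
        if end - pos >= 4:  # 32-bit kvno present; it overrides vno8 when non-zero
            (vno32,) = struct.unpack(">I", blob[pos:pos + 4])
            if vno32:
                kvno = vno32
        pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
    return entries


def parse_kvno_output(text: str) -> Dict[str, int]:
    """Parse `kvno` output lines of the form
    'HTTP/host.example.com@EXAMPLE.COM: kvno = 4' into {principal: kvno}."""
    result: Dict[str, int] = {}
    for line in text.splitlines():
        if ": kvno = " in line:
            princ, num = line.rsplit(": kvno = ", 1)
            result[princ.strip()] = int(num)
    return result


def check_keytab(blob: bytes, kdc_kvnos: Dict[str, int]) -> List[str]:
    """Return one message per principal whose keytab lacks a key for the KVNO the
    KDC currently issues. An empty list means the keytab is consistent."""
    have: Dict[str, set] = {}
    for princ, kvno, _enctype in parse_keytab(blob):
        have.setdefault(princ, set()).add(kvno)
    problems = []
    for princ, kdc_kvno in kdc_kvnos.items():
        if princ not in have:
            problems.append(f"{princ}: not in keytab")
        elif kdc_kvno not in have[princ]:
            problems.append(f"{princ}: keytab has kvno {sorted(have[princ])}, KDC issues {kdc_kvno}")
    return problems


# Constructed sample: the keytab still holds kvno 3 from the first ktpass run,
# but after the account was changed the KDC now issues tickets with kvno 4.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/servername.domain.tld@DOMAIN.TLD", 3, RC4_HMAC, b"\x11" * 16),
])
SAMPLE_KVNO_OUTPUT = "HTTP/servername.domain.tld@DOMAIN.TLD: kvno = 4\n"

if __name__ == "__main__":
    for problem in check_keytab(SAMPLE_KEYTAB, parse_kvno_output(SAMPLE_KVNO_OUTPUT)):
        print(problem)
```

On a real server, feed `parse_keytab` the bytes of `/etc/krb5.keytab` and `parse_kvno_output` the text of `kvno HTTP/servername.domain.tld` run after a fresh `kinit`, since, as the reply notes, a cached ticket can show a stale KVNO. A reported mismatch means the keytab must be regenerated (or, following the advice above, the SPN moved to its own service account so a later ktpass run cannot invalidate this one).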