Re: [modauthkerb] Create keytab with multiple servicePrincipalNames
From: Jakob O. <ja...@gm...> - 2014-01-07 20:58:27
Hello all, can this be the problem? http://support.microsoft.com/kb/870987

If I open adsiedit.msc and find the user, there is no: msDS-KeyVersionNumber

But when I created the keytab, I got this information:

C:\>ktpass -princ HTTP/ser...@DO...D -mapuser htt...@do...d -pass abc12345 -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
Targeting domain controller: RKDC01.domain.tld
Successfully mapped HTTP/servername.domain.tld to http-servername-tld.
Password succesfully set!
Key created.
Output keytab to krb5.keytab:
Keytab version: 0x502
keysize 76 HTTP/ser...@DO...D ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0xea847b34167fd797cac465a00a2d88b3)

Why is the vno 3 from start?

On Tue, Jan 7, 2014 at 9:36 PM, Jakob Olsen <ja...@gm...> wrote:

> Sorry to spam the list...
> I just created a new user.
> Created a new keytab (using the ktpass util).
> Copied the keytab to apache and restarted the server.
>
> I still get this error in apache error.log:
> [Tue Jan 07 21:31:41.785661 2014] [auth_kerb:error] [pid 15740] [client 192.168.128.68:51686] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
>
> How can the kvno be wrong, when the user is just created and the same goes for the keytab?
>
> On Tue, Jan 7, 2014 at 9:22 PM, Jakob Olsen <ja...@gm...> wrote:
>
>> Hello Douglas, thanks for your reply.
>> If I create 2 accounts,
>> one for http/servername.domain.int and one for http/servername.domain.ext,
>> the same server should be able to serve both "spn's".
>> How will I do that?
>>
>> On Tue, Jan 7, 2014 at 9:14 PM, Douglas E. Engert <dee...@an...> wrote:
>>
>>> On 1/7/2014 1:17 PM, Jakob Olsen wrote:
>>>
>>>> Hello,
>>>> this is my first post to the mailing-list, so I hope I'm doing it the right way.
>>>>
>>>> We have the following setup:
>>>>
>>>> KDC = Windows 2003R2
>>>> Kerberos enabled server: Ubuntu - Apache 2.4
>>>> Clients: Windows 7 - IE 8
>>>>
>>>> The solution has been up and running, but today I needed to add another SPN to the AD user used when the keytab was created.
>>>
>>> If this is your first attempt at using AD as the KDC for a service, keep in mind that the MS docs talk about a "user" account, but the user is not a real user but an account representing a service. Some people get confused. Your use of the -mapuser us...@do...f looks like this type of confusion.
>>>
>>> Real users don't normally have SPNs.
>>>
>>>> I create my keytab with this windows command:
>>>>
>>>> ktpass -princ HTTP/ser...@DO...F -mapuser us...@do...f -pass password -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
>>>>
>>>> But after I added another SPN and created a new keytab, I see this error in my apache error.log:
>>>>
>>>> [Tue Jan 07 16:53:24.378749 2014] [auth_kerb:debug] [pid 11253] src/mod_auth_kerb.c(1121): [client IP:PORT] GSS-API major_status:000d0000, minor_status:96c73ae6
>>>> [Tue Jan 07 16:53:24.378809 2014] [auth_kerb:error] [pid 11253] [client IP:PORT] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
>>>>
>>>> So my question is:
>>>>
>>>> What do I do about this error?
>>>> How do I debug any further?
>>>
>>> Some things to keep in mind...
>>>
>>> An AD account has a single password used to generate keys on the fly.
>>>
>>> An AD account has a single key version number.
>>>
>>> A SPN added to an account shares the password and KVNO with the UPN for the account and all other SPNs on the account.
>>>
>>> One way to avoid this is to have a separate service account with only one SPN, and one matching keytab entry. Pick a naming convention for these AD accounts, say <service>-<host>, so in your example, http-servername.
>>>
>>> You may also want to look at msktutil (Ubuntu has a packaged version), or Samba utilities that allow you to update keytabs and AD accounts rather than ktpass.
>>>
>>>> Normally I don't have klist, ktutil, kadmin etc. installed on the ubuntu server.
>>>> But today I installed the krb-user package, and when calling kvno HTTP/servername.domain.tld I see the same kvno as ktpass is writing when creating the keytab.
>>>
>>> You might just be seeing that the user has cached tickets. You may want to kinit again.
>>>
>>>> Any help is appreciated.
>>>>
>>>> --
>>>> Jakob Damgaard Olsen
>>>> Tlf: 24613112
>>>>
>>>> _______________________________________________
>>>> modauthkerb-help mailing list
>>>> mod...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/modauthkerb-help
>>>
>>> --
>>>
>>> Douglas E. Engert <DEE...@an...>
>>> Argonne National Laboratory
>>> 9700 South Cass Avenue
>>> Argonne, Illinois 60439
>>> (630) 252-5444

--
Jakob Damgaard Olsen
Tlf: 24613112
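As an added example (not code from this thread or from mod_auth_kerb), here is a small Python reader for the MIT keytab format that ktpass writes (version 0x502, the "Keytab version: 0x502" line above), plus a check that flags entries whose kvno differs from what the KDC reports, which is the condition behind the "Key version number for principal in key table is incorrect" error. The realm DOMAIN.TLD and the 16-byte key in the sample are constructed placeholders, not values from the thread.

```python
import struct
from collections import namedtuple
# name_type 1 == KRB5_NT_PRINCIPAL (ktpass's "ptype 1"); enctype 0x17 == RC4-HMAC; kvno is the "vno"
KeytabEntry = namedtuple("KeytabEntry", "principal name_type kvno enctype key")

def _counted(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)          # counted_octet_string: uint16 length + bytes
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data: bytes):
    """Parse an MIT-format keytab (version 0x502, the format ktpass writes) into KeytabEntry records."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                                     # negative size: deleted slot of that many bytes
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        name_type, _timestamp, kvno, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        key = data[pos + 13:pos + 13 + klen]
        pos += 13 + klen
        if end - pos >= 4:                               # optional 32-bit kvno overrides the 8-bit field when non-zero
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), name_type, kvno, enctype, key))
    return entries

def kvno_mismatches(entries, kdc_kvno):
    """Return (principal, keytab kvno, KDC kvno) for each entry whose kvno differs from what the KDC reports."""
    return [(e.principal, e.kvno, kdc_kvno[e.principal])
            for e in entries if e.principal in kdc_kvno and kdc_kvno[e.principal] != e.kvno]

def build_entry(realm, comps, name_type, kvno, enctype, key):
    """Serialise one 0x502 record; used here only to construct the sample keytab below."""
    cstr = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + cstr(realm.encode()) + b"".join(cstr(c.encode()) for c in comps)
    body += struct.pack(">IIBHH", name_type, 0, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: the thread's principal with an assumed realm DOMAIN.TLD, vno 3, RC4-HMAC, placeholder key.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("DOMAIN.TLD", ["HTTP", "servername.domain.tld"], 1, 3, 0x17, bytes(range(16)))
```

On a real server, pass parse_keytab the bytes of /etc/krb5.keytab and feed kvno_mismatches the version numbers reported by kvno(1) or the account's msDS-KeyVersionNumber attribute; any entry it returns is one gss_accept_sec_context() will reject.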