Re: [modauthkerb] Create keytab with multiple servicePrincipalNames
From: Jakob O. <ja...@gm...> - 2014-01-08 06:56:48
Thanks Douglas, it was "that" easy... :)

Have seen the error message so many times:

  Key version number for principal in key table is incorrect

And every time I thought the keytab was the problem. When I removed the old
ticket, the Kerberos was working again.

Thanks.

On Tue, Jan 7, 2014 at 11:06 PM, Douglas E. Engert <dee...@an...> wrote:

> On 1/7/2014 2:58 PM, Jakob Olsen wrote:
> > Hello all,
> > can this be the problem?
> >
> > http://support.microsoft.com/kb/870987
> >
> > If I open adsiedit.msc and find the user, there is no:
> > msDS-KeyVersionNumber
> > But then I created the keytab, I get this information:
> >
> > C:\>ktpass -princ HTTP/ser...@DO...D -mapuser htt...@do...d -pass abc12345 -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
> > Targeting domain controller: RKDC01.domain.tld
> > Successfully mapped HTTP/servername.domain.tld to http-servername-tld.
> > Password succesfully set!
> > Key created.
> > Output keytab to krb5.keytab:
> > Keytab version: 0x502
> > keysize 76 HTTP/ser...@DO...D ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0xea847b34167fd797cac465a00a2d88b3)
> >
> > Why is the vno 3 from start ?
>
> Not sure, but that is common with AD. I suspect:
> 1 when created,
> 2 when the account password was changed (It should be set to not expire)
> 3 when you did the ktpass.
>
> > On Tue, Jan 7, 2014 at 9:36 PM, Jakob Olsen <ja...@gm...> wrote:
> >
> > Sorry to spam the list...
> > I just created a new user.
> > Created a new keytab (using the ktpass-util)
> > Copied keytab to apache and restarted the server.
> >
> > I still get this error in apache error.log:
> >
> > [Tue Jan 07 21:31:41.785661 2014] [auth_kerb:error] [pid 15740] [client 192.168.128.68:51686] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
> >
> > How can the kvno be wrong, when user is just created and same with keytab?
>
> Did the client have cached tickets with an older kvno? W7 has a klist tickets
> command, but does not show the kvno, but does show the time the ticket was
> obtained. Make sure the time is after the time you ran the last ktpass for the SPN.
>
> > On Tue, Jan 7, 2014 at 9:22 PM, Jakob Olsen <ja...@gm...> wrote:
> >
> > Hello Douglas, thanks for your reply.
> > If I create 2 accounts.
> >
> > One for http/servername.domain.int and one for http/servername.domain.ext
> > Same server should be able to serve both "spn's".
> > How will I do that?
> >
> > On Tue, Jan 7, 2014 at 9:14 PM, Douglas E. Engert <dee...@an...> wrote:
> >
> > On 1/7/2014 1:17 PM, Jakob Olsen wrote:
> >> Hello,
> >> this is my first post to the mailing-list, so I hope I'm doing it the right way.
> >>
> >> We have the following setup:
> >>
> >> KDC = Windows 2003R2
> >> Kerberos enabled server: Ubuntu - Apache 2.4
> >> Clients: Windows 7 - IE 8
> >>
> >> The solution has been up running, but today I needed to add another spn to the AD user, used when the keytab was created.
> >
> > If this is your first attempt at using AD as the KDC for a service, keep in mind that the MS docs talk about a "user" account
> > but the user is not a real user but an account representing a service. Some people get confused. Your use of the
> > -mapuser us...@do...f looks like this type of confusion.
> >
> > Real users don't normally have SPNs.
> >
> >> I create my keytab with this windows command:
> >>
> >> ktpass -princ HTTP/ser...@DO...F -mapuser us...@do...f -pass password -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
> >>
> >> But after I added another SPN and created a new keytab, I see this error in my apache error.log:
> >>
> >> [Tue Jan 07 16:53:24.378749 2014] [auth_kerb:debug] [pid 11253] src/mod_auth_kerb.c(1121): [client IP:PORT] GSS-API major_status:000d0000, minor_status:96c73ae6
> >> [Tue Jan 07 16:53:24.378809 2014] [auth_kerb:error] [pid 11253] [client IP:PORT] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
> >>
> >> So my question is:
> >>
> >> What do I do about this error?
> >> How do I debug any further?
> >
> > Some things to keep in mind...
> >
> > An AD account has a single password used to generate keys on the fly.
> >
> > An AD account has a single key version number.
> >
> > A SPN added to an account shares the password and KVNO with the UPN for the account and all other SPNs on the account.
> >
> > One way to avoid this is to have separate service account with only one SPN, and one matching keytab entry.
> > Pick a naming convention for these AD accounts, say <service>-<host> so in your example, http-servername
> >
> > You may also want to look at msktutil (Ubuntu has a packaged version), or Samba utilities that allow you to update keytabs and AD accounts
> > rather than ktpass.
> >
> >> Normally I don't have klist, ktutil, kadmin etc installed on the ubuntu server.
> >> But today I installed the krb-user package and when calling kvno HTTP/servername.domain.tld I see the same kvno, as the ktpass is writing when creating the keytab.
> >
> > You might just be seeing that the user has cached tickets. You may want to kinit again.
> >
> >> Any help is appreciated.
> >>
> >> --
> >> Jakob Damgaard Olsen
> >> Tlf: 24613112
> >>
> >> _______________________________________________
> >> modauthkerb-help mailing list
> >> mod...@li...
> >> https://lists.sourceforge.net/lists/listinfo/modauthkerb-help
> >
> > --
> > Douglas E. Engert <DEE...@an...>
> > Argonne National Laboratory
> > 9700 South Cass Avenue
> > Argonne, Illinois 60439
> > (630) 252-5444
> >
> > --
> > Jakob Damgaard Olsen
> > Tlf: 24613112
>
> --
> Douglas E. Engert <DEE...@an...>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444

--
Jakob Damgaard Olsen
Tlf: 24613112
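The thread turns on one check: the key version number (kvno) inside the service's keytab must match the kvno the KDC used when it issued the client's service ticket, and a stale keytab and a stale cached ticket produce the identical "Key version number for principal in key table is incorrect" error. The following is an added example, not code from the thread or from mod_auth_kerb: a small parser for the version 0x502 keytab format that ktpass writes (the same fields `klist -kte` prints: principal, kvno, etype, key length), plus a comparison of each entry's kvno against the account's msDS-KeyVersionNumber as you would read it from AD with ldapsearch. It assumes a constructed principal `HTTP/servername.domain.tld@DOMAIN.TLD` (the thread elides the realm), a placeholder 16-byte key (a real RC4-HMAC keytab key is the account's password-equivalent and should never appear in a post or a test fixture), and a hand-supplied dictionary standing in for the AD lookup.

```python
import struct
from dataclasses import dataclass

# Constructed sample values for this example; the list thread elides the real
# principal, realm and key.
SAMPLE_PRINCIPAL = "HTTP/servername.domain.tld@DOMAIN.TLD"   # realm is an assumption
SAMPLE_KEY = bytes(range(16))          # placeholder, NOT a real RC4-HMAC key
ETYPE_RC4_HMAC = 0x17                  # the etype ktpass prints for -crypto RC4-HMAC-NT
KRB5_NT_PRINCIPAL = 1                  # the ptype ktpass prints for -ptype KRB5_NT_PRINCIPAL


@dataclass
class KeytabEntry:
    principal: str    # "service/host@REALM"
    name_type: int
    timestamp: int
    kvno: int         # 32-bit vno when present, else the 8-bit vno
    enctype: int
    key_len: int
    size: int         # byte length of the entry body (ktpass reports this as "keysize")


def _octets(b: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab_entry(principal, key, kvno, enctype=ETYPE_RC4_HMAC,
                       timestamp=0, name_type=KRB5_NT_PRINCIPAL) -> bytes:
    """Serialise one entry in the 0x502 layout (used here only to build a fixture)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _octets(realm.encode())
    for c in comps:
        body += _octets(c.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)   # 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key              # keyblock
    body += struct.pack(">I", kvno)                                  # optional 32-bit vno
    return struct.pack(">i", len(body)) + body


def build_keytab(entries) -> bytes:
    """entries: iterable of (principal, key, kvno)."""
    return b"\x05\x02" + b"".join(build_keytab_entry(*e) for e in entries)


def parse_keytab(data: bytes):
    """Parse a version 0x502 keytab (ktpass output or MIT/Heimdal) into entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries = []
    off = 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # negative size marks a deleted slot: skip its bytes
            off += -size
            continue
        end = off + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, off); off += 2
        (rlen,) = struct.unpack_from(">H", data, off); off += 2
        realm = data[off:off + rlen].decode(); off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, off); off += 2
            comps.append(data[off:off + clen].decode()); off += clen
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, off); off += 9
        enctype, klen = struct.unpack_from(">HH", data, off); off += 4
        off += klen             # skip the key material itself; never report it
        kvno = vno8
        if end - off >= 4:      # trailing 32-bit vno is present and overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, name_type, ts,
                                   kvno, enctype, klen, size))
    return entries


def kvno_mismatches(entries, ad_kvno):
    """ad_kvno: {principal: msDS-KeyVersionNumber} as read from AD for the account
    each SPN is mapped to. Returns (principal, keytab_kvno, ad_kvno) for every entry
    whose kvno disagrees with the directory; such an entry cannot decrypt fresh tickets."""
    return [(e.principal, e.kvno, ad_kvno[e.principal])
            for e in entries
            if e.principal in ad_kvno and e.kvno != ad_kvno[e.principal]]


if __name__ == "__main__":
    keytab = build_keytab([(SAMPLE_PRINCIPAL, SAMPLE_KEY, 3)])   # mirrors "vno 3" in the thread
    for e in parse_keytab(keytab):
        print(f"keysize {e.size} {e.principal} ptype {e.name_type} vno {e.kvno} "
              f"etype {e.enctype:#x} keylength {e.key_len}")
    print("mismatches:", kvno_mismatches(parse_keytab(keytab), {SAMPLE_PRINCIPAL: 4}))
```

If `kvno_mismatches` is empty for the real keytab and the real msDS-KeyVersionNumber, the keytab is not the problem and, as the thread concludes, the next thing to look at is a client ticket cached before the last ktpass run (on the Apache host, `klist -kte /etc/krb5.keytab` prints the same entry fields this parser returns). Keeping one SPN per service account, as Douglas suggests, also keeps this check simple: one account, one kvno, one entry to compare.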