Re: [modauthkerb] Create keytab with multiple servicePrincipalNames
From: Douglas E. E. <dee...@an...> - 2014-01-14 21:40:11
On 1/7/2014 2:22 PM, Jakob Olsen wrote:
> Hello Douglas, thanks for your reply.
> If I create 2 accounts.
>
> One for http/servername.domain.int and one for http/servername.domain.ext
> Same server should be able to serve both "spn's".
> How will I do that?

Sorry about the late reply. But yes it could, if you combine the two keytab files. MIT's ktutil can do that.

You would also have to look closely at how the calls to gss_accept_sec_context handle the acceptor_cred_handle parameter. It's been a long time, but IIRC it can be null and the lower level kerberos may be able to use any keytab entry.

>
> On Tue, Jan 7, 2014 at 9:14 PM, Douglas E. Engert <dee...@an...> wrote:
>
> On 1/7/2014 1:17 PM, Jakob Olsen wrote:
>> Hello,
>> this is my first post to the mailing-list, so I hope I'm doing it the right way.
>>
>> We have the following setup:
>>
>> KDC = Windows 2003R2
>>
>> Kerberos enabled server: Ubuntu - Apache 2.4
>>
>> Clients: Windows 7 - IE 8
>>
>> The solution has been up and running, but today I needed to add another SPN to the AD user used when the keytab was created.
>
> If this is your first attempt at using AD as the KDC for a service, keep in mind that the MS docs talk about a "user" account
> but the user is not a real user but an account representing a service. Some people get confused. Your use of the
> -mapuser us...@do...f looks like this type of confusion.
>
> Real users don't normally have SPNs.
>
>> I create my keytab with this windows command:
>>
>> ktpass -princ HTTP/ser...@DO...F -mapuser us...@do...f -pass password -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
>>
>> But after I added another SPN and created a new keytab, I see this error in my apache error.log:
>>
>> [Tue Jan 07 16:53:24.378749 2014] [auth_kerb:debug] [pid 11253] src/mod_auth_kerb.c(1121): [client IP:PORT] GSS-API major_status:000d0000, minor_status:96c73ae6
>> [Tue Jan 07 16:53:24.378809 2014] [auth_kerb:error] [pid 11253] [client IP:PORT] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
>>
>> So my question is:
>>
>> What do I do about this error?
>> How do I debug any further?
>
> Some things to keep in mind...
>
> An AD account has a single password used to generate keys on the fly.
>
> An AD account has a single key version number.
>
> A SPN added to an account shares the password and KVNO with the UPN for the account and all other SPNs on the account.
>
> One way to avoid this is to have separate service accounts with only one SPN, and one matching keytab entry.
> Pick a naming convention for these AD accounts, say <service>-<host>, so in your example, http-servername
>
> You may also want to look at msktutil (Ubuntu has a packaged version), or Samba utilities that allow you to update keytabs and AD accounts
> rather than ktpass.
>
>> Normally I don't have klist, ktutil, kadmin etc installed on the ubuntu server.
>> But today I installed the krb-user package and when calling kvno HTTP/servername.domain.tld I see the same kvno as the ktpass is writing when creating the keytab.
>
> You might just be seeing that the user has cached tickets. You may want to kinit again.
>
>> Any help is appreciated.
>>
>> --
>> Jakob Damgaard Olsen
>> Tlf: 24613112

-- 
Douglas E. Engert <DEE...@an...> <DEE...@gm...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
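The two operations the thread turns on, merging two one-SPN keytabs into one file (what the ktutil rkt/rkt/wkt sequence does) and spotting an entry whose kvno no longer matches the KDC (the "Key version number for principal in key table is incorrect" condition), are shown below as an added example. It is not code from the thread, from mod_auth_kerb or from MIT krb5: it is a small reader/writer for the MIT keytab file format (version 0x0502, the format ktpass, ktutil and mod_auth_kerb all use). Every principal, realm, key, timestamp and kvno in it is constructed; the realm EXAMPLE.NET and the servername.example.* hosts stand in for the poster's redacted names, and the kvno map passed to stale_principals stands in for what `kvno HTTP/host` (after a fresh kinit) or the account's msDS-KeyVersionNumber attribute would report.

```python
"""Added example: parse, merge and kvno-check MIT-format keytabs. Constructed data only."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

ETYPE_RC4_HMAC = 23     # RFC 4757 enctype number; what ktpass -crypto RC4-HMAC-NT writes
KRB5_NT_PRINCIPAL = 1   # RFC 4120 name type; what ktpass -ptype KRB5_NT_PRINCIPAL writes


@dataclass(frozen=True)
class KeytabEntry:
    principal: str      # "service/host@REALM"
    kvno: int
    enctype: int
    key: bytes
    timestamp: int = 0


def _octet(b: bytes) -> bytes:
    """Keytab counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_octet(buf: bytes, off: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def encode_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries as a version-2 keytab. Each entry carries the 8-bit vno field
    plus the optional 32-bit vno trailer the format allows, so kvnos above 255 survive."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _octet(realm.encode())
        for c in comps:
            body += _octet(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version-2 keytab. A negative entry size marks a deleted slot (ktutil delent)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:
            pos += -size
            continue
        body, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", body, 0)
        realm, off = _read_octet(body, 2)
        comps = []
        for _ in range(ncomp):
            c, off = _read_octet(body, off)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", body, off)
        off += 9
        etype, klen = struct.unpack_from(">HH", body, off)
        key, off = body[off + 4:off + 4 + klen], off + 4 + klen
        kvno = vno8
        if off + 4 <= len(body):                 # 32-bit vno trailer present
            (vno32,) = struct.unpack_from(">I", body, off)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, etype, key, ts))
    return entries


def merge_keytabs(*blobs: bytes) -> bytes:
    """Equivalent of ktutil 'rkt a.keytab', 'rkt b.keytab', 'wkt merged.keytab':
    the union of the entries, exact duplicates dropped, order preserved."""
    seen, merged = set(), []
    for blob in blobs:
        for e in parse_keytab(blob):
            if (e.principal, e.kvno, e.enctype) not in seen:
                seen.add((e.principal, e.kvno, e.enctype))
                merged.append(e)
    return encode_keytab(merged)


def stale_principals(data: bytes, kdc_kvno: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """Return {principal: (newest keytab kvno, KDC kvno)} for every principal whose newest
    keytab entry does not match the kvno the KDC reports; the accept_sec_context failure
    in the thread is exactly this mismatch on the server's own key."""
    newest: Dict[str, int] = {}
    for e in parse_keytab(data):
        newest[e.principal] = max(newest.get(e.principal, 0), e.kvno)
    return {p: (v, kdc_kvno[p]) for p, v in newest.items() if p in kdc_kvno and kdc_kvno[p] != v}


# Constructed sample: two service accounts, one SPN each, exported as two separate keytabs.
KT_INT = encode_keytab([KeytabEntry("HTTP/servername.example.int@EXAMPLE.NET", 3,
                                    ETYPE_RC4_HMAC, bytes(range(16)), 1389100000)])
KT_EXT = encode_keytab([KeytabEntry("HTTP/servername.example.ext@EXAMPLE.NET", 5,
                                    ETYPE_RC4_HMAC, bytes(range(16, 32)), 1389100000)])
MERGED = merge_keytabs(KT_INT, KT_EXT)

if __name__ == "__main__":
    for e in parse_keytab(MERGED):
        print("%3d %-45s etype=%d" % (e.kvno, e.principal, e.enctype))
    # Scenario: the .ext account's password was reset (ktpass -pass re-run), so AD bumped its kvno.
    print(stale_principals(MERGED, {"HTTP/servername.example.int@EXAMPLE.NET": 3,
                                    "HTTP/servername.example.ext@EXAMPLE.NET": 6}))
```

On a real server the blob would come from reading /etc/krb5.keytab (or whatever KrbServiceName/Krb5Keytab points at) and the expected kvnos from `kvno HTTP/host` run with fresh credentials, since a cached service ticket can carry the old kvno, which is the point Douglas makes above. Keeping one SPN per service account, as he also suggests, means a password reset on one account only invalidates that account's keytab entry rather than every SPN that shares the account.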