Re: [modauthkerb] Create keytab with multiple servicePrincipalNames
Brought to you by: kouril
From: Jakob O. <ja...@gm...> - 2014-01-15 08:17:37
Hello Douglas,

so far it looks like the problem is solved. And it works with two SPNs.
Thanks man...

On Tue, Jan 14, 2014 at 10:40 PM, Douglas E. Engert <dee...@an...> wrote:
>
> On 1/7/2014 2:22 PM, Jakob Olsen wrote:
>> Hello Douglas, thanks for your reply.
>> If I create 2 accounts.
>>
>> One for http/servername.domain.int and
>> one for http/servername.domain.ext
>>
>> Same server should be able to serve both "SPNs".
>> How will I do that?
>
> Sorry about the late reply.
>
> But yes it could, if you combine the two keytab files. MIT's ktutil can do
> that.
>
> You would also have to look closely at how the calls to
> gss_accept_sec_context handle the acceptor_cred_handle parameter. It's been
> a long time, but IIRC it can be null and the lower level Kerberos may be
> able to use any keytab entry.
>
>> On Tue, Jan 7, 2014 at 9:14 PM, Douglas E. Engert <dee...@an...> wrote:
>>
>> On 1/7/2014 1:17 PM, Jakob Olsen wrote:
>>> Hello,
>>> this is my first post to the mailing-list, so I hope I'm doing it
>>> the right way.
>>>
>>> We have the following setup:
>>>
>>> KDC = Windows 2003R2
>>>
>>> Kerberos enabled server: Ubuntu - Apache 2.4
>>>
>>> Clients: Windows 7 - IE 8
>>>
>>> The solution has been up running, but today I needed to add another
>>> SPN to the AD user, used when the keytab was created.
>>
>> If this is your first attempt at using AD as the KDC for a service,
>> keep in mind that the MS docs talk about a "user" account
>> but the user is not a real user but an account representing a
>> service. Some people get confused. Your use of the
>> -mapuser us...@do...f looks like this type of confusion.
>>
>> Real users don't normally have SPNs.
>>
>>> I create my keytab with this windows command:
>>>
>>> ktpass -princ HTTP/ser...@DO...F -mapuser us...@do...f -pass password -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
>>>
>>> But after I added another SPN and created a new keytab, I see this
>>> error in my apache error.log:
>>>
>>> [Tue Jan 07 16:53:24.378749 2014] [auth_kerb:debug] [pid 11253] src/mod_auth_kerb.c(1121): [client IP:PORT] GSS-API major_status:000d0000, minor_status:96c73ae6
>>> [Tue Jan 07 16:53:24.378809 2014] [auth_kerb:error] [pid 11253] [client IP:PORT] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
>>>
>>> So my question is:
>>>
>>> What do I do about this error?
>>> How do I debug any further?
>>
>> Some things to keep in mind...
>>
>> An AD account has a single password used to generate keys on
>> the fly.
>>
>> An AD account has a single key version number.
>>
>> A SPN added to an account shares the password and KVNO with the
>> UPN for the account and all other SPNs on the account.
>>
>> One way to avoid this is to have a separate service account with only
>> one SPN, and one matching keytab entry.
>> Pick a naming convention for these AD accounts, say <service>-<host>,
>> so in your example, http-servername
>>
>> You may also want to look at msktutil (Ubuntu has a packaged
>> version), or Samba utilities that allow you to update keytabs and AD
>> accounts rather than ktpass.
>>
>>> Normally I don't have klist, ktutil, kadmin etc. installed on the
>>> Ubuntu server.
>>> But today I installed the krb-user package and when calling kvno
>>> HTTP/servername.domain.tld I see the same kvno as the ktpass is writing
>>> when creating the keytab.
>>
>> You might just be seeing that the user has cached tickets. You
>> may want to kinit again.
>>
>>> Any help is appreciated.
>>>
>>> --
>>> Jakob Damgaard Olsen
>>> Tlf: 24613112
>>>
>>> _______________________________________________
>>> modauthkerb-help mailing list
>>> mod...@li...
>>> https://lists.sourceforge.net/lists/listinfo/modauthkerb-help
>>
>> --
>> Douglas E. Engert <DEE...@an...>
>> Argonne National Laboratory
>> 9700 South Cass Avenue
>> Argonne, Illinois 60439
>> (630) 252-5444
>>
>> --
>> Jakob Damgaard Olsen
>> Tlf: 24613112
>
> --
> Douglas E. Engert <DEE...@an...>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444

--
Jakob Damgaard Olsen
Tlf: 24613112
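The two points Douglas makes above, that a keytab is just a list of (principal, kvno, enctype, key) entries which can be concatenated, and that the "Key version number for principal in key table is incorrect" error means no entry in that list matches the kvno the KDC is currently issuing for the SPN, can be checked without ktutil. The following is an added example, not code from this thread or from mod_auth_kerb: a small reader/writer for the MIT keytab file format (version 0x0502) that merges several keytabs, as ktutil's rkt/wkt sequence would, and lists principals whose keytab entries carry no key at the kvno the KDC reports. The realm DOMAIN.INT, the key bytes, the timestamps and the "kvno 3 before the password reset, kvno 4 after" history are constructed for the example; enctype 23 is RC4-HMAC (ktpass -crypto RC4-HMAC-NT) and name type 1 is KRB5_NT_PRINCIPAL.

```python
import struct

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab format version 2, big-endian fields
RC4_HMAC = 23                 # enctype behind ktpass -crypto RC4-HMAC-NT
KRB5_NT_PRINCIPAL = 1         # name type behind ktpass -ptype KRB5_NT_PRINCIPAL


def _cstr(data, pos):
    """Read a counted octet string: uint16 length followed by the bytes."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return entries as dicts: principal, name_type, timestamp, kvno, enctype, key."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            raise ValueError("zero-length keytab entry")
        if size < 0:                  # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _cstr(data, pos)
            comps.append(c.decode())
        name_type, ts, vno8, enctype = struct.unpack_from(">IIBH", data, pos)
        key, pos = _cstr(data, pos + 11)
        kvno = vno8
        if end - pos >= 4:            # optional 32-bit kvno overrides vno8 when nonzero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        entries.append(dict(principal="/".join(comps) + "@" + realm.decode(),
                            name_type=name_type, timestamp=ts, kvno=kvno,
                            enctype=enctype, key=key))
        pos = end
    return entries


def build_keytab(entries):
    """Serialise entries to keytab bytes (inverse of parse_keytab)."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        parts = name.split("/")
        body = bytearray(struct.pack(">H", len(parts)))
        for s in [realm] + parts:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIBH", e["name_type"], e["timestamp"],
                            e["kvno"] & 0xFF, e["enctype"])
        body += struct.pack(">H", len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def merge_keytabs(*blobs):
    """Concatenate keytabs, skipping exact duplicates (principal, kvno, enctype)."""
    seen, merged = set(), []
    for blob in blobs:
        for e in parse_keytab(blob):
            k = (e["principal"], e["kvno"], e["enctype"])
            if k not in seen:
                seen.add(k)
                merged.append(e)
    return build_keytab(merged)


def kvno_mismatches(blob, kdc_kvno):
    """kdc_kvno maps principal -> kvno the KDC reports (what `kvno SPN` prints).
    Returns principals for which the keytab holds no key at that kvno; each of
    these fails gss_accept_sec_context() with the 'key version number' error."""
    have = {}
    for e in parse_keytab(blob):
        have.setdefault(e["principal"], set()).add(e["kvno"])
    return sorted(p for p, v in kdc_kvno.items() if v not in have.get(p, set()))


def sample_keytabs():
    """Constructed scenario (DOMAIN.INT is a placeholder realm, keys are dummies):
    the keytab written before the second SPN was added (kvno 3), a fresh ktpass
    keytab for the same account after its password reset bumped it to kvno 4,
    and a keytab for a separate service account holding the .ext SPN."""
    def entry(spn, kvno, key, ts):
        return dict(principal=spn + "@DOMAIN.INT", name_type=KRB5_NT_PRINCIPAL,
                    timestamp=ts, kvno=kvno, enctype=RC4_HMAC, key=key)
    old = build_keytab([entry("HTTP/servername.domain.int", 3, b"\x11" * 16, 1389110000)])
    new = build_keytab([entry("HTTP/servername.domain.int", 4, b"\x22" * 16, 1389140000)])
    ext = build_keytab([entry("HTTP/servername.domain.ext", 2, b"\x33" * 16, 1389140100)])
    kdc = {"HTTP/servername.domain.int@DOMAIN.INT": 4,
           "HTTP/servername.domain.ext@DOMAIN.INT": 2}
    return old, new, ext, kdc


if __name__ == "__main__":
    old, new, ext, kdc = sample_keytabs()
    print("stale or missing in old keytab:", kvno_mismatches(old, kdc))
    merged = merge_keytabs(old, new, ext)
    for e in parse_keytab(merged):
        print(e["principal"], "kvno", e["kvno"], "enctype", e["enctype"])
    print("stale or missing after merge:", kvno_mismatches(merged, kdc))
```

On a real server the same check is `klist -kte /etc/krb5.keytab` for what the keytab holds versus `kvno HTTP/servername.domain.tld` (after a fresh kinit, as Douglas notes) for what the KDC issues; the merged file keeps the old kvno 3 entry as well, so tickets issued before the reset keep validating until they expire. One caveat on the ktpass line in the thread: an RC4-HMAC key is the NT hash of the account password, so whoever reads the keytab also holds a hash usable for pass-the-hash against that account; where the clients support it, prefer AES enctypes and keep the keytab readable only by the Apache user.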