Kerberos
greg
greg at mail.gregs-garage.com
Wed Jul 15 17:47:54 UTC 2015
Setting up a fresh install of FreeBSD 10.1 to run RT42 on Apache 2.4
with PHP 5.6 & a MySQL 5.6 backend. So far, so good. Now trying to
configure Apache to authenticate against a fresh install of Windows 2012
using ap24-mod_auth_kerb2, and I'm running into a brick wall.
uname -a: FreeBSD ATBSD01 10.1-RELEASE-p10 FreeBSD 10.1-RELEASE-p10 #0: Wed May 13 06:54:13 UTC 2015 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
So far I've created a user on the Windows domain to use in the keytab.
I've configured my krb5.conf file.
I've generated a keytab file on the Windows box, and installed it on the
FreeBSD server, and configured Apache to use the keytab to authenticate
a test directory, but so far, no luck.
To troubleshoot the config, I've been trying to use the command line
tools for Kerberos.
Here's my krb5.conf:
[libdefaults]
default_realm = EXAMPLE.LOCAL
[domain_realm]
.example.local = EXAMPLE.LOCAL
example.local = EXAMPLE.LOCAL
[realms]
EXAMPLE.LOCAL = {
admin_server=ad01.example.local:749
kdc=ad01.example.local:88
}
Here's the command I ran on the Windows box:
C:\Windows\system32>ktpass -princ HTTP/ad01.example.local@EXAMPLE.LOCAL -mapuser aduser -pass P@$$word -ptype KRB5_NT_PRINCIPAL -out :\temp\krb5.keytab
I then copy the krb5.keytab file to the /etc directory on the FreeBSD
server, then run chown root:wheel on the file, and chmod 600.
From the FreeBSD box, I can do the following:
$ kinit aduser
aduser@EXAMPLE.LOCAL's Password: P@$$word
$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: aduser@EXAMPLE.LOCAL
  Issued                Expires               Principal
Jul 15 12:06:49 2015  Jul 15 22:06:49 2015  krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
It works.
However if I try:
$ kinit -k aduser
I get:
kinit: krb5_get_init_creds: Already tried ENC-TS-info, looping
("kinit -t /etc/krb5.keytab aduser" returns the same)
I've tried to validate the keytab file by running:
$ ktutil list
and get the following:
Vno  Type              Principal                               Aliases
 27  arcfour-hmac-md5  HTTP/ad01.example.local@EXAMPLE.LOCAL
I get the same result if I run as root.
I've sat and combed through Wireshark captures, and the only thing I
notice is that if I run kinit without the keytab, I can see the Windows
server responding a single time with an error message of
"KRB5KDC_ERR_PREAUTH_REQUIRED", it then continues through the
communication and a ticket is created. However, if I attempt to use
kinit and specify the keytab file, I see two
"KRB5KDC_ERR_PREAUTH_REQUIRED" errors, one after the other, and the
communication stops.
I'm guessing that either the password was never saved correctly to the
keytab or kinit isn't reading / transmitting it to the Windows server.
I've tried multiple versions of the keytab file (as seen by the version
number from ktutil, this was attempt 28) with the same result. I've
tried specifying the encoding type, changing the username to
domain\username, as well as username@domain.local, nothing seems to
work.
Any ideas on how to progress from here?
Best regards.
Greg Groth
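As an added illustration (not part of the original message), a small POSIX sh check that mirrors the lookup `kinit -k NAME` performs: it needs a key for NAME@REALM in the keytab, so a keytab holding only an HTTP/ service principal cannot satisfy `kinit -k aduser`. The listing is a constructed sample modelled on the ktutil output above; on a real host replace it with the output of `ktutil list`.

```shell
#!/bin/sh
# Constructed sample of Heimdal `ktutil list` output (not captured from a
# real box): only the HTTP service principal is present, no user principal.
SAMPLE_KEYTAB_LISTING='Vno  Type              Principal                               Aliases
27   arcfour-hmac-md5  HTTP/ad01.example.local@EXAMPLE.LOCAL'

# keytab_has_principal LISTING PRINCIPAL
# Returns 0 when PRINCIPAL (with realm) appears as a key in the listing.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v want="$2" \
        'NR > 1 && $3 == want { found = 1 } END { exit !found }'
}

# qualify NAME REALM -> NAME@REALM unless NAME already carries a realm,
# which is how kinit completes a bare user name from default_realm.
qualify() {
    case "$1" in
        *@*) printf '%s\n' "$1" ;;
        *)   printf '%s@%s\n' "$1" "$2" ;;
    esac
}

# check_kinit_k LISTING NAME REALM
# Reports whether `kinit -k NAME` could find its key, and if not, lists
# what the keytab actually holds so the principal mismatch is visible.
check_kinit_k() {
    princ=$(qualify "$2" "$3")
    if keytab_has_principal "$1" "$princ"; then
        echo "ok: $princ present in keytab"
        return 0
    fi
    echo "missing: $princ not in keytab; keytab holds:"
    printf '%s\n' "$1" | awk 'NR > 1 { print "  " $3 " (" $2 ")" }'
    return 1
}

# Demo: the user principal is absent, the service principal is present.
check_kinit_k "$SAMPLE_KEYTAB_LISTING" aduser EXAMPLE.LOCAL || true
check_kinit_k "$SAMPLE_KEYTAB_LISTING" HTTP/ad01.example.local EXAMPLE.LOCAL || true
```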
More information about the freebsd-questions mailing list