Kerberos

greg greg at mail.gregs-garage.com
Wed Jul 15 17:47:54 UTC 2015 

Setting up a fresh install of FreeBSD 10.1 to run RT42 on Apache 2.4 
with PHP 5.6 & a MySQL 5.6 backend.  So far, so good.  Now trying to 
configure Apache to authenticate against a fresh install of Windows 2012 
using ap24-mod_auth_kerb2, and I'm running into a brick wall.

uname -a : FreeBSD ATBSD01 10.1-RELEASE-p10 FreeBSD 10.1-RELEASE-p10 #0: 
Wed May 13 06:54:13 UTC 2015     
root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64


So far I've created a user on the Windows domain to use in the keytab
I've configured my krb5.conf file
I've generated a keytab file on the Windows box, and installed it on the 
FreeBSD server, and configured Apache to use the keytab to authenticate 
a test directory, but so far, no luck.

To troubleshoot the config, I've been trying using the command line 
tools for Kerberos.

Here's my krb5.conf:

[libdefaults]
default_realm = EXAMPLE.LOCAL

[domain_realm]
.example.local = EXAMPLE.LOCAL
example.local = EXAMPLE.LOCAL

[realms]
EXAMPLE.LOCAL = {
admin_server=ad01.example.local:749
kdc=ad01.example.local:88
}

Here's the command I ran on the windows box:

C:\Windows\system32>ktpass -princ HTTP/ad01.example.local at EXAMPLE.LOCAL 
-mapuser aduser -pass P@$$word -ptype KRB5_NT_PRINCIPAL -out 
:\temp\krb5.keytab

I then copy the krb5.keytab file to the /etc directory on the FreeBSD 
server, then run chown root:wheel on the file, and chmod 600.

 From the FreeBSD box, I can do the following:

$ kinit aduser
aduser at EXAMPLE.LOCAL's Password: P@$$word

$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
         Principal: aduser at EXAMPLE.LOCAL
   Issued                Expires               Principal
Jul 15 12:06:49 2015  Jul 15 22:06:49 2015  
krbtgt/EXAMPLE.LOCAL at EXAMPLE.LOCAL

It works.

However if I try:

$ kinit -k aduser

I get:

kinit: krb5_get_init_creds: Already tried ENC-TS-info, looping

("kinit -t /etc/krb5.keytab aduser" returns the same)

I've tried to validate the keytab file by running:

$ ktutil list

and get the following:

Vno  Type              Principal                                      
Aliases
  27  arcfour-hmac-md5  HTTP/ad01.example.local at EXAMPLE.LOCAL

I get the same result if I run as root.

I've sat and combed through WireShark captures, and the only thing I 
notice is that if I run kinit without the keytab, I can see the windows 
server responding a single time with an error message of 
"KRB5KDC_ERR_PREAUTH_REQUIRED", it then continues through the 
communication and a ticket is created.  However if I attempt to use 
kinit and specify the keytab file, I see two 
"KRB5KDC_ERR_PREAUTH_REQUIRED" errors, one after the other, and the 
communication stops.

I'm guessing that either the password was never saved correctly to the 
keytab or kinit isn't reading / transmitting it to the Windows server.

I've tried multiple versions of the keytab file (as seen by the version 
number from kutil, this was attempt 28) with the same result.  I've 
tried specifying the encoding type, changing the username to 
domain\username, as well as username at domain.local, nothing seems to 
work.

Any ideas on how to progress from here?

Best regards.

Greg Groth

More information about the freebsd-questions mailing list