Kerberos
Greg Groth
ggroth at gregs-garage.com
Fri Jul 17 00:45:19 UTC 2015
On 2015-07-16 02:12, Raimund Sacherer wrote:
> Hello Greg,
>
>> C:\Windows\system32>ktpass -princ
>> HTTP/ad01.example.local@EXAMPLE.LOCAL
>> -mapuser aduser -pass P@$$word -ptype KRB5_NT_PRINCIPAL -out
>> :\temp\krb5.keytab
>
> For what it's worth, we have a couple of servers authenticating against
> a 2012 domain and we create the keytab file like this:
> setspn -A HTTP/service.host.name windowsusername
>
> ktpass -out key.tab -princ HTTP/service.host.name@EXAMPLE.LOCAL
> -mapUser windowsuser -mapOp set -pass password -crypto RC4-HMAC-NT
> -pType KRB5_NT_PRINCIPAL
>
>
> At times we have set ALL instead of RC4-HMAC-NT.
>
> Hope this helps,
>
> best
Many, many thanks for answering. I tried the following from the
command line on the 2012 DC as Admin:
C:\setspn -A HTTP/ad01.example.local aduser
Checking domain DC=example,DC=local
Registering ServicePrincipalNames for
CN=ADUSER,CN=Users,DC=example,DC=local
HTTP/ad01.example.local
Updated object
C:\ktpass -out C:\temp\krb5.keytab -princ
HTTP/aduser.example.local@EXAMPLE.LOCAL -mapUser aduser -mapOp set -pass
P@$$word -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL
Targeting domain controller: AD01.example.local
Using legacy password setting method
Successfully mapped HTTP/aduser.example.local to aduser.
Key created.
Output keytab to C:\temp\krb5.keytab:
Keytab version: 0x502
keysize 80 HTTP/aduser.example.local@EXAMPLE.LOCAL ptype 1
(KRB5_NT_PRINCIPAL) vno 29 etype 0x17 (RC4-HMAC) keylength 16
(0x923174d28eac78c4c29e92663ad82c2e)
Copied the keytab to /etc on the FreeBSD box (chown root:wheel,
chmod 600) and tried the following as root:
root@BSD01:/ # kinit -k aduser
kinit: krb5_get_init_creds: Already tried ENC-TS-info, looping
("root@BSD01:/ # kinit -t /etc/krb5.keytab aduser" returns the same)
If I try a bogus user:
root@BSD01:/ # kinit -k bogususer
kinit: krb5_get_init_creds: Client (bogususer@EXAMPLE.LOCAL) unknown
It looks like it's communicating, and locating the user correctly, but
something is going awry with the authentication? I've reset the
password on the AD multiple times, and have verified I can log onto a
workstation located in the "EXAMPLE" domain with the "aduser"
credentials. Are there perhaps other permissions that need to be
assigned on the DC to "aduser" in order to get this to work?
Best regards,
Greg Groth
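One check worth running before troubleshooting the KDC side is to look at what the keytab actually contains, since kinit -k can only succeed for a principal whose key is in the file. The following is an added example, not code from this thread: it parses an MIT/Heimdal keytab (file format 0x0502), lists the principals, kvnos and enctypes it carries, and flags RC4/DES enctypes as weak. The sample keytab bytes are constructed to mirror the entry shown in the ktpass output above (HTTP/aduser.example.local, ptype 1, kvno 29, etype 0x17) with an all-zero dummy key.

```python
import struct

# Enctype numbers from RFC 3961/4757: 0x17 is RC4-HMAC (what ktpass -crypto RC4-HMAC-NT writes); 1 and 3 are DES.
WEAK_ENCTYPES = {0x01, 0x03, 0x17, 0x18}

def _counted(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)  # 16-bit length-prefixed byte string
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse a keytab in file format 0x0502 into dicts: principal, name_type, kvno, etype, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:  # a negative size marks a deleted slot; skip over it
            off -= size
            continue
        e, off = data[off:off + size], off + size
        (ncomp,) = struct.unpack_from(">H", e, 0)
        realm, p = _counted(e, 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(e, p)
            comps.append(c.decode())
        name_type, _ts, vno8 = struct.unpack_from(">IIB", e, p)
        etype, klen = struct.unpack_from(">HH", e, p + 9)
        key, p = e[p + 13:p + 13 + klen], p + 13 + klen
        kvno = struct.unpack_from(">I", e, p)[0] if len(e) - p >= 4 else vno8  # 32-bit kvno is optional
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "kvno": kvno, "etype": etype, "key": key})
    return entries

def check_keytab(data, wanted):
    """Does `wanted` have a key in the keytab, and which of the keytab's enctypes are weak?"""
    entries = parse_keytab(data)
    found = [e for e in entries if e["principal"] == wanted]
    return {"principals": sorted({e["principal"] for e in entries}), "found": bool(found),
            "kvnos": [e["kvno"] for e in found],
            "weak_etypes": sorted({e["etype"] for e in entries if e["etype"] in WEAK_ENCTYPES})}

# Constructed sample keytab with one entry shaped like the ktpass output in the post
# (HTTP/aduser.example.local@EXAMPLE.LOCAL, ptype 1, kvno 29, etype 0x17) and a dummy all-zero key.
_body = (struct.pack(">HH", 2, 13) + b"EXAMPLE.LOCAL" + struct.pack(">H", 4) + b"HTTP"
         + struct.pack(">H", 20) + b"aduser.example.local" + struct.pack(">IIB", 1, 0, 29)
         + struct.pack(">HH", 0x17, 16) + b"\x00" * 16 + struct.pack(">I", 29))
SAMPLE_KEYTAB = b"\x05\x02" + struct.pack(">i", len(_body)) + _body
```

Run check_keytab(open("/etc/krb5.keytab", "rb").read(), "aduser@EXAMPLE.LOCAL") on the real file to see whether the principal kinit -k requests is present at all, and compare the reported kvno with the account's current key version on the DC.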
More information about the freebsd-questions mailing list