Kerberos
Greg Groth
ggroth at gregs-garage.com
Thu Jul 23 17:59:25 UTC 2015
On 2015-07-21 08:42, Greg Groth wrote:
> On 2015-07-17 05:04, Raimund Sacherer wrote:
>> Hello Greg,
>>
>> on a first glance I can't see anything really out of order, if it
>> helps, I use(d) this pages to setup kerberos and apache auth:
>> http://www.grolmsnet.de/kerbtut/
>> http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/
>>
>> The account you create for the service principal has to be a user
>> account, it does not work with a machine account.
>>
>> If you authenticate without the keytab, just a user from the AD
>> (create a user and test a kinit user@EXAMPLE.COM, later klist). Check
>> if a simple user authentication works in the first place.
>>
>> Hope that this will help you in any way,
>>
>> Best
>> Ray
>
> Many thanks for replying.
>
> I have to be doing something wrong with the ktpass command on the DC,
> but for the life of me, I'm not sure what the issue is.
>
> I created a user named aduser, and can obtain a ticket by using kinit
> aduser@EXAMPLE.COM from the BSD server, but using kinit -k aduser or
> kinit -t /etc/krb5.keytab aduser always returns "kinit:
> krb5_get_init_creds: Already tried ENC-TS-info, looping"
>
> This is what I've been trying on the DC to create a keytab file:
>
> ktpass /princ HTTP/atbsd.example.com@EXAMPLE.COM /mapuser
> aduser@EXAMPLE.COM /pass P@$$word /crypto RC4-HMAC-NT /ptype
> KRB5_NT_PRINCIPAL /out C:\temp\krb5.keytab
>
> Once I run the command on the DC, the userPrincipalName for aduser
> gets replaced with "HTTP/atbsd.example.com". Does the
> servicePrincipalName need to be set to the same as well? I've tried
> it with the UPN set, the SPN set, and both the UPN & SPN set to
> "HTTP/atbsd.example.com", but it doesn't seem to make a difference.
>
> When I run ktutil list --keys on the BSD box, I get:
>
> Vno  Type              Principal                           Key                              Aliases
>  32  arcfour-hmac-md5  HTTP/atbsd.example.com@EXAMPLE.COM  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>
> I thought I read somewhere that the DC is looking for a match on the
> UPN, which appears to be identical. The only other troubleshooting
> I've been able to do is to use a packet sniffer, and it appears that
> the DC is waiting for a password which is never supplied?
>
> I have not installed the krb5 port, and have been using whatever
> version is installed in the base distro (heimdal?). I noted on the
> TechNet page at MS that ktpass is based on the MIT version of
> Kerberos. Do I need the krb5 port in place of whatever version is
> included in the base distro to get this to work?
>
> Best regards,
>
> Greg Groth
Making progress. Installed the MIT Kerberos port, which has better
error reporting back to stdout (IMHO) that helped me track down the
issue.
Apparently running "kinit -k" defaults the service in the principal
name of the request to "host". I had created my keytab for a service of
"HTTP", which was why "kinit -k" was failing, where "kinit -k
HTTP/atbsd.example.com" worked like a charm.
I then went back and recreated the keytab on the Windows box using
"/princ host/atbsd.example.com@EXAMPLE.COM"; the resultant keytab, once
installed, would work with just "kinit -k".
I'm sure these differentiations are noted in the documentation that has
been provided, but somewhere I must have assumed that kinit was reading
the service of the principal name in the keytab file, and creating a
request based on the values provided.
Many thanks again to all who gave their assistance.
Best regards,
Greg Groth
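The mismatch the thread ran into (a keytab holding only an HTTP/ key while a bare "kinit -k" asks for host/<fqdn>@REALM) is easy to check before touching ktpass again. The script below is an added example, not code from the thread or from FreeBSD, Heimdal or MIT: it parses a keytab listing in the format of MIT "klist -kte", reports which principal a bare "kinit -k" will request, prints the kinit invocation that matches what the keytab really contains, and flags keys with deprecated enctypes (the thread's ktpass used /crypto RC4-HMAC-NT; AES keys are the better choice where the DC and client both support them). The function names are hypothetical, and the two listings are constructed to mirror the before and after states described in the thread, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD/Heimdal/MIT.
# Works out which principal a bare "kinit -k" requests (host/<fqdn>@REALM)
# and whether the keytab actually holds a key for it. Function names are
# hypothetical; the listings are constructed in MIT "klist -kte" format.

# Constructed listing of the keytab the thread first produced: an HTTP/ key
# only, with the RC4 enctype that "/crypto RC4-HMAC-NT" writes.
SAMPLE_BEFORE='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
  32 07/21/2015 08:42:00 HTTP/atbsd.example.com@EXAMPLE.COM (arcfour-hmac)'

# Constructed listing after regenerating the keytab with a host/ principal.
# The AES enctype here is an assumption, not what the thread used.
SAMPLE_AFTER='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
  33 07/23/2015 17:59:25 host/atbsd.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
  33 07/23/2015 17:59:25 HTTP/atbsd.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# The principal "kinit -k" uses when none is given on the command line.
default_kinit_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# Print "principal enctype" for each key entry in a klist -kte listing
# (entry lines start with a numeric KVNO; header lines do not).
keytab_entries() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { gsub(/[()]/, "", $5); print $4, $5 }'
}

# Succeed (exit 0) if the listing holds a key for exactly the principal given.
keytab_has_principal() {
    keytab_entries "$1" | awk -v p="$2" '$1 == p { found = 1 } END { exit !found }'
}

# List keys using deprecated enctypes (RC4 or single DES); these should be
# replaced with AES keys once the DC and the client both support them.
weak_keys() {
    keytab_entries "$1" | awk '$2 ~ /^(arcfour|rc4|des-cbc)/ { print $1, $2 }'
}

# Print the kinit invocation that matches what is really in the keytab:
# a bare "kinit -k" only when host/<fqdn> exists, otherwise name the
# service principal explicitly (the fix the thread arrived at).
suggest_kinit() {
    listing=$1; fqdn=$2; realm=$3; keytab=$4
    if keytab_has_principal "$listing" "$(default_kinit_principal "$fqdn" "$realm")"; then
        printf 'kinit -k -t %s\n' "$keytab"
        return 0
    fi
    princ=$(keytab_entries "$listing" |
        awk -v tail="/$fqdn@$realm" 'index($1, tail) { print $1; exit }')
    if [ -z "$princ" ]; then
        echo "no key for $fqdn@$realm in $keytab; regenerate it with ktpass" >&2
        return 1
    fi
    printf 'kinit -k -t %s %s\n' "$keytab" "$princ"
}

for listing in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    echo "== keys ==";            keytab_entries "$listing"
    echo "== deprecated keys =="; weak_keys "$listing"
    echo "== use ==";             suggest_kinit "$listing" atbsd.example.com EXAMPLE.COM /etc/krb5.keytab
    echo
done
```

On a real host, replace the constructed listings with the output of "klist -kte /etc/krb5.keytab" (MIT) and run the suggested command; if the DC still rejects the request, compare the KVNO in the listing against "kvno HTTP/atbsd.example.com", since every ktpass run bumps the account's key version.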