Hi,
I am stumped as to what is wrong with my Kerberos authentication.
What I am trying to do is get Kerberos working so I can then use
mod_auth_kerb with Apache to authenticate our domain users.
I have compiled and installed MIT Kerberos 1.5.4, on Solaris 9, and
configured my /etc/krb5.conf as follows:
[libdefaults]
    default_realm = CORP.FC.LOCAL
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc
[domain_realm]
    .fc.fujitsu.com = CORP.FC.LOCAL
[realms]
    CORP.FC.LOCAL = {
        admin_server = dc.corp.fc.local:464
        kdc = dc.corp.fc.local:88
        kpasswd_server = dc.corp.fc.local:464
    }
[logging]
    kdc = FILE:/var/log/kerberos/krb5kdc.log
    admin_server = FILE:/var/log/kerberos/kadmin.log
    default = FILE:/var/log/kerberos/krb5lib.log
I tested with the kinit command and I am able to get a Kerberos ticket
with my own domain ID and password:
[EMAIL PROTECTED]:/usr/www/kerberos/bin # kinit seelypet
Password for [EMAIL PROTECTED]:
[EMAIL PROTECTED]:/usr/www/kerberos/bin # klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]
Valid starting     Expires            Service principal
03/25/08 11:12:26  03/25/08 21:12:31  krbtgt/[EMAIL PROTECTED]
        renew until 03/26/08 11:12:26, Etype (skey, tkt): DES cbc mode with RSA-MD5, ArcFour with HMAC/md5
We have created a user to be used for the Apache Kerberos
authentication in Active Directory (Windows 2003 SP1) with the
following properties:
- User cannot change password
- Password never expires
- Use DES encryption types with this account
- Does not require Kerberos preauthentication
I am able to get a Kerberos ticket with this account when I supply the
password:
[EMAIL PROTECTED]:/usr/www/kerberos/bin # kinit Apache-DBA.Account
Password for [EMAIL PROTECTED]:
[EMAIL PROTECTED]:/usr/www/kerberos/bin # klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]
Valid starting     Expires            Service principal
03/25/08 11:14:31  03/25/08 21:14:31  krbtgt/[EMAIL PROTECTED]
        renew until 03/26/08 11:14:31, Etype (skey, tkt): DES cbc mode with RSA-MD5, ArcFour with HMAC/md5
We generated a keytab file on the Active Directory DC for this
account, to map to service principal HTTP/fc650dr.fc.fujitsu.com,
with the following command:
ktpass -princ HTTP/[EMAIL PROTECTED] -mapuser CORP\Apache-DBA.Account
    -crypto DES-CBC-MD5 -ptype KRB5_NT_SRV_HST -pass passw0rd -out c:\ktpass\fc650drkeytabv4
I verified that, in Active Directory, the "User login name" shows
HTTP/fc650dr.fc.fujitsu.com, indicating that the mapping was made.
The keytab file was transferred to the Solaris server. When I try to
use the keytab file, this is the result:
[EMAIL PROTECTED]:/usr/www/kerberos/bin # kinit -kt fc650drkeytabv4 HTTP/fc650dr.fc.fujitsu.com
kinit(v5): Password incorrect while getting initial credentials
However, I am able to get a Kerberos ticket using the SPN shown, when I
supply the password:
[EMAIL PROTECTED]:/usr/www/kerberos/bin # kinit HTTP/fc650dr.fc.fujitsu.com
Password for HTTP/[EMAIL PROTECTED]:
[EMAIL PROTECTED]:/usr/www/kerberos/bin # klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/[EMAIL PROTECTED]
Valid starting     Expires            Service principal
03/25/08 11:21:30  03/25/08 21:21:30  krbtgt/[EMAIL PROTECTED]
        renew until 03/26/08 11:21:30, Etype (skey, tkt): DES cbc mode with RSA-MD5, ArcFour with HMAC/md5
The kvno in the keytab looks like it matches the ticket being given by
AD:
[EMAIL PROTECTED]:/usr/www/kerberos/bin # klist -kt fc650drkeytabv4
Keytab name: FILE:fc650drkeytabv4
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 12/31/69 20:00:00 HTTP/[EMAIL PROTECTED]
[EMAIL PROTECTED]:/usr/www/kerberos/bin # kvno HTTP/fc650dr.fc.fujitsu.com
HTTP/[EMAIL PROTECTED]: kvno = 2
I tried creating a keytab on the Solaris machine using ktutil with
this command:
addent -password -p HTTP/[EMAIL PROTECTED] -k 2 -e des-cbc-md5
but the result is the same as above when testing with this keytab
also.
Any idea what can be wrong here? Any ideas much appreciated.
Thanks.
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
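The post compares the keytab against the KDC with klist -kt and kvno, but the klist build shown does not print the enctype of each keytab entry, and neither tool looks at the key bytes themselves. The following is an added example (not code from the poster, from MIT Kerberos, or from the list) that parses the MIT keytab file format (version 0x0502) directly and performs the three mechanical checks a keytab can fail on the client side: the kvno matches what the KDC reports, the enctype is one the client is configured to use, and a DES key has the odd parity every DES string-to-key routine produces. The principal is the SPN from the post; the key bytes, kvnos and the check_keytab function are constructed for this example and are not the real fc650drkeytabv4 file.

```python
"""Parse an MIT Kerberos keytab (file format 0x0502) and compare it with what the
KDC reports. Added example, not the poster's or MIT's code; the principal, kvno and
key bytes used for the sample are constructed, not the real fc650drkeytabv4."""
import struct

# RFC 3961 / MIT enctype numbers, including those in the post's klist -e output
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
DES_ENCTYPES = {1, 2, 3}
KRB5_NT_SRV_HST = 3   # name type that ktpass -ptype KRB5_NT_SRV_HST writes

def _counted(data, off):
    """Read a counted_octet_string: big-endian uint16 length, then the bytes."""
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return one dict per live entry: principal, name_type, timestamp, kvno, enctype, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled here")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        enctype, klen = struct.unpack_from(">HH", data, off + 9)
        key = data[off + 13:off + 13 + klen]
        off += 13 + klen
        vno = vno8
        if end - off >= 4:                # optional 32-bit kvno after the key
            (vno32,) = struct.unpack_from(">I", data, off)
            vno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": ts, "kvno": vno,
                        "enctype": enctype, "key": key})
        off = end
    return entries

def build_keytab(entries):
    """Serialise entries in 0x0502 format; used here only to construct sample input."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e["principal"].split("@")
        comps = name.split("/")
        body = bytearray(struct.pack(">HH", len(comps), len(realm)) + realm.encode())
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", e["name_type"], e["timestamp"], e["kvno"] & 0xFF)
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def des_parity_ok(key):
    """A DES key is 8 bytes with odd parity in every byte."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)

def check_keytab(data, principal, kdc_kvno, client_enctypes):
    """Compare the keytab's entries for `principal` with the kvno the KDC reports
    (the `kvno` command in the post) and with the client's default_tkt_enctypes.
    Returns a list of findings; an empty list means nothing visible is wrong."""
    mine = [e for e in parse_keytab(data) if e["principal"] == principal]
    if not mine:
        return [f"no entry for {principal}"]
    findings = []
    for e in mine:
        ename = ENCTYPE_NAMES.get(e["enctype"], f"enctype {e['enctype']}")
        if e["kvno"] != kdc_kvno:
            findings.append(f"{ename}: keytab kvno {e['kvno']} != KDC kvno {kdc_kvno}")
        if e["enctype"] not in client_enctypes:
            findings.append(f"{ename}: not in client default_tkt_enctypes")
        if e["enctype"] in DES_ENCTYPES and not des_parity_ok(e["key"]):
            findings.append(f"{ename}: DES key lacks odd parity")
    return findings

# Constructed sample: the post's SPN with an arbitrary odd-parity 8-byte key (not a
# real key). SAMPLE_OK matches the KDC's kvno 2; SAMPLE_STALE is left at kvno 1.
SPN = "HTTP/fc650dr.fc.fujitsu.com@CORP.FC.LOCAL"
SAMPLE_KEY = bytes([0x01, 0x02, 0x04, 0x07, 0x08, 0x0B, 0x0D, 0x0E])
SAMPLE_OK = build_keytab([{"principal": SPN, "name_type": KRB5_NT_SRV_HST,
                           "timestamp": 0, "kvno": 2, "enctype": 3, "key": SAMPLE_KEY}])
SAMPLE_STALE = build_keytab([{"principal": SPN, "name_type": KRB5_NT_SRV_HST,
                              "timestamp": 0, "kvno": 1, "enctype": 3, "key": SAMPLE_KEY}])

if __name__ == "__main__":
    # The post's situation: kvno reports 2, client enctypes are des-cbc-md5/des-cbc-crc.
    for label, blob in (("ok", SAMPLE_OK), ("stale", SAMPLE_STALE)):
        print(label, check_keytab(blob, SPN, 2, {3, 1}) or "no findings")
```

Run against a real file with `check_keytab(open("fc650drkeytabv4", "rb").read(), SPN, 2, {3, 1})`, where 2 is the value kvno printed and {3, 1} are the enctypes from default_tkt_enctypes. Two things worth knowing when reading the output: the 12/31/69 20:00:00 timestamp in the post is a zero timestamp rendered in US Eastern time, which is harmless; and when the kvno, enctype and parity all check out, as they appear to in the post, the only thing left to differ is the key bytes, which depend on both the password and the salt used to derive them. A password-based kinit succeeds regardless, because the KDC supplies the salt during the AS exchange, whereas a keytab built on another machine has to use the same salt the KDC used, and a keytab alone cannot reveal whether it did.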