On Mar 25, 12:00 pm, "Douglas E. Engert" <[EMAIL PROTECTED]> wrote:
> Your problem might be a bad version of ktpass.
> See http://support.microsoft.com/kb/919557
>
> "You receive pre-authentication errors when you use
> keytab files that are generated by using the Ktpass.exe
> tool on a Windows Server 2003 SP1-based computer"
>
> PS wrote:
> > Hi,
> >
> > I am stumped as to what is wrong with my Kerberos authentication.
> > What I am trying to do is get Kerberos working so I can then use
> > mod_auth_kerb with Apache to authenticate our domain users.
> >
> > I have compiled and installed MIT Kerberos 1.5.4, on Solaris 9, and
> > configured my /etc/krb5.conf as follows:
> >
> > [libdefaults]
> >         default_realm = CORP.FC.LOCAL
> >         default_tkt_enctypes = des-cbc-md5 des-cbc-crc
> >         default_tgs_enctypes = des-cbc-md5 des-cbc-crc
> >
> > [domain_realm]
> >         .fc.fujitsu.com = CORP.FC.LOCAL
> >
> > [realms]
> >         CORP.FC.LOCAL = {
> >                 admin_server = dc.corp.fc.local:464
> >                 kdc = dc.corp.fc.local:88
> >                 kpasswd_server = dc.corp.fc.local:464
> >         }
> >
> > [logging]
> >         kdc = FILE:/var/log/kerberos/krb5kdc.log
> >         admin_server = FILE:/var/log/kerberos/kadmin.log
> >         default = FILE:/var/log/kerberos/krb5lib.log
> >
> > I tested with the kinit command and I am able to get a Kerberos ticket
> > with my own domain ID and password:
> >
> > [EMAIL PROTECTED]:/usr/www/kerberos/bin # kinit seelypet
> > Password for [EMAIL PROTECTED]:
> > [EMAIL PROTECTED]:/usr/www/kerberos/bin # klist -e
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: [EMAIL PROTECTED]
> >
> > Valid starting     Expires            Service principal
> > 03/25/08 11:12:26  03/25/08 21:12:31  krbtgt/[EMAIL PROTECTED]
> >         renew until 03/26/08 11:12:26, Etype (skey, tkt): DES cbc mode
> > with RSA-MD5, ArcFour with HMAC/md5
> >
> > We have created a user to be used for the Apache Kerberos
> > authentication in Active Directory (Windows 2003 SP1) with the
> > following properties:
> > - User cannot change password
> > - Password never expires
> > - Use DES encryption types with this account
> > - Does not require Kerberos preauthentication
> >
> > I am able to get a Kerberos ticket with this account when I supply the
> > password:
> >
> > [EMAIL PROTECTED]:/usr/www/kerberos/bin # kinit Apache-DBA.Account
> > Password for [EMAIL PROTECTED]:
> > [EMAIL PROTECTED]:/usr/www/kerberos/bin # klist -e
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: [EMAIL PROTECTED]
> >
> > Valid starting     Expires            Service principal
> > 03/25/08 11:14:31  03/25/08 21:14:31  krbtgt/[EMAIL PROTECTED]
> >         renew until 03/26/08 11:14:31, Etype (skey, tkt): DES cbc mode
> > with RSA-MD5, ArcFour with HMAC/md5
> >
> > We generated a keytab file on the Active Directory DC for this
> > account, to map to service principal HTTP/fc650dr.fc.fujitsu.com,
> > with the following command:
> >
> > ktpass -princ HTTP/[EMAIL PROTECTED] -mapuser CORP\Apache-DBA.Account -crypto DES-CBC-MD5 -ptype KRB5_NT_SRV_HST -pass passw0rd -out c:\ktpass\fc650drkeytabv4
> >
> > I verified that, in Active Directory, the "User login name" shows
> > HTTP/fc650dr.fc.fujitsu.com, indicating that the mapping was made.
> >
> > The keytab file was transferred to the Solaris server. When I try to
> > use the keytab file, this is the result:
> >
> > [EMAIL PROTECTED]:/usr/www/kerberos/bin # kinit -kt fc650drkeytabv4 HTTP/fc650dr.fc.fujitsu.com
> > kinit(v5): Password incorrect while getting initial credentials
> >
> > However I am able to get a Kerberos ticket using the SPN shown, when I
> > supply the password:
> >
> > [EMAIL PROTECTED]:/usr/www/kerberos/bin # kinit HTTP/fc650dr.fc.fujitsu.com
> > Password for HTTP/[EMAIL PROTECTED]:
> > [EMAIL PROTECTED]:/usr/www/kerberos/bin # klist -e
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: HTTP/[EMAIL PROTECTED]
> >
> > Valid starting     Expires            Service principal
> > 03/25/08 11:21:30  03/25/08 21:21:30  krbtgt/[EMAIL PROTECTED]
> >         renew until 03/26/08 11:21:30, Etype (skey, tkt): DES cbc mode
> > with RSA-MD5, ArcFour with HMAC/md5
> >
> > The kvno in the keytab looks like it matches the ticket being given by
> > AD:
> >
> > [EMAIL PROTECTED]:/usr/www/kerberos/bin # klist -kt fc650drkeytabv4
> > Keytab name: FILE:fc650drkeytabv4
> > KVNO Timestamp         Principal
> > ---- ----------------- --------------------------------------------------------
> >    2 12/31/69 20:00:00 HTTP/[EMAIL PROTECTED]
> >
> > [EMAIL PROTECTED]:/usr/www/kerberos/bin # kvno HTTP/fc650dr.fc.fujitsu.com
> > HTTP/[EMAIL PROTECTED]: kvno = 2
> >
> > I tried creating a keytab on the Solaris machine using ktutil with
> > this command:
> >
> > addent -password -p HTTP/[EMAIL PROTECTED] -k 2 -e des-cbc-md5
> >
> > but the result is the same as above when testing with this keytab
> > also.
> >
> > Any idea what can be wrong here? Any ideas much appreciated.
> >
> > Thanks.
> >
> > ________________________________________________
> > Kerberos mailing list [EMAIL PROTECTED]
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
> --
>
> Douglas E. Engert <[EMAIL PROTECTED]>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
That could be the case. But what about the fact mentioned that I created a keytab using ktutil addent as shown on the Solaris box, supplying the password, and I still get the same result? But when I kinit with this same password I get the ticket?
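The comparison PS makes above by hand (`klist -kt` on the keytab against `kvno` and `klist -e` from the KDC) can be automated. The following is an added example of mine, not code from the list thread or from MIT Kerberos: a parser for the MIT keytab file layout (version bytes 0x05 0x02, big-endian 16-bit counted strings, an 8-bit kvno plus the optional trailing 32-bit kvno that MIT honours when non-zero), and a check that flags kvno and enctype disagreements with what the KDC reported. The keytab bytes are constructed in memory with a dummy key, so they are not the poster's fc650drkeytabv4; the principal, kvno 2 and the enctype numbers (3 = des-cbc-md5, the "DES cbc mode with RSA-MD5" in the klist -e output; 23 = "ArcFour with HMAC/md5") are taken from the thread.

```python
"""Parse an MIT 0x0502 keytab and compare it with what the KDC reports.

Added example; not code from the Kerberos list or from MIT Kerberos.
The sample keytab is constructed below with a dummy key."""
import struct
from datetime import datetime, timezone

# RFC 3961 enctype numbers for the types that appear in the thread
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

PRINCIPAL = "HTTP/fc650dr.fc.fujitsu.com@CORP.FC.LOCAL"  # from the thread


def _counted(b):
    """Keytab 'counted octet string': 16-bit big-endian length, then bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise entries in the MIT 0x0502 layout. Used only to construct
    test input here; real keytabs come from ktpass or ktutil."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e["principal"].split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        # name_type (1 = KRB5_NT_PRINCIPAL), timestamp, 8-bit vno
        body += struct.pack(">IIB", e.get("name_type", 1),
                            e.get("timestamp", 0), e["kvno"] & 0xFF)
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])  # trailing 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def parse_keytab(data):
    """Return [{principal, kvno, enctype, timestamp}] from a 0x0502 keytab.
    Key bytes are skipped on purpose; metadata is all the check needs."""
    if data[:2] != b"\x05\x02":
        raise ValueError(f"unsupported keytab version {data[:2]!r}")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:            # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c)
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen           # step over the key material
        kvno = vno8
        if end - pos >= 4:        # 32-bit vno present; MIT uses it if non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "timestamp": ts})
        pos = end
    return entries


def describe_keytab(data):
    """Render entries as `klist -kte` would: kvno, timestamp, principal, enctype."""
    lines = []
    for e in parse_keytab(data):
        when = datetime.fromtimestamp(e["timestamp"], tz=timezone.utc)
        ename = ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"]))
        lines.append(f"{e['kvno']:4d} {when:%Y-%m-%d %H:%M:%S} {e['principal']} ({ename})")
    return lines


def check_keytab(data, principal, kdc_kvno, kdc_enctypes):
    """Compare the keytab with the kvno and enctypes the KDC reported for
    principal (from `kvno` and `klist -e`). Returns a list of problems."""
    mine = [e for e in parse_keytab(data) if e["principal"] == principal]
    if not mine:
        return [f"no entry for {principal} in keytab"]
    offered = ", ".join(ENCTYPE_NAMES.get(t, str(t)) for t in sorted(kdc_enctypes))
    problems = []
    for e in mine:
        if e["kvno"] != kdc_kvno:
            problems.append(f"kvno {e['kvno']} in keytab, KDC reports kvno {kdc_kvno}")
        if e["enctype"] not in kdc_enctypes:
            ename = ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"]))
            problems.append(f"keytab has {ename} but the KDC issued {offered}")
    return problems


# Constructed sample: kvno 2, des-cbc-md5, dummy 8-byte key (not a real key).
SAMPLE_KEYTAB = build_keytab([{"principal": PRINCIPAL, "kvno": 2,
                               "enctype": 3, "key": b"\x01" * 8}])

if __name__ == "__main__":
    print("\n".join(describe_keytab(SAMPLE_KEYTAB)))
    # KDC said kvno = 2 and issued DES-CBC-MD5 / ArcFour, as in the thread
    print(check_keytab(SAMPLE_KEYTAB, PRINCIPAL, 2, {3, 23}) or "metadata consistent")
```

`klist -kte` shows the enctype that the plain `klist -kt` in the thread omits, and that is the column this check adds. The check only proves that the keytab's metadata agrees with the KDC; in the thread kvno and enctype already agreed and `kinit -kt` still failed, so a keytab whose key bytes are wrong, which is what the KB article Engert cites reports for ktpass on Windows Server 2003 SP1, passes this check, and only `kinit -kt` against the KDC settles whether the key itself is right.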
