"John Jasen" <[email protected]> wrote in message news:[email protected]...
>
> Please forgive me if this is not the right venue.
>
> I seem to have not found the magic required to use kerberos service principal names on unix systems against an Active Directory server.
>
> In the one particular example, we're trying to use kerberized NFS, so the server daemon needs to be able to find nfs/f...@realm.
>
> I can see the entries in the computer accounts servicePrincipalName field, but the various UNIX systems can't find them -- either on service initialization, or attempting kinit from commandline with the system keytab.
>
> i.e.:
>
> klist -ke /etc/krb5.keytab | grep host
>
> 2 host/[email protected] (DES cbc mode with CRC-32)
>
> [r...@kernelpanic ~]# kinit host/kernelpanic.example.com -kt /etc/krb5.keytab
> kinit(v5): Client not found in Kerberos database while getting initial credentials
>
> (same results if I do host/[email protected])
>
> This behavior holds true for OS X kerberos clients, Red Hat 4 and 5 kerberos clients, and Solaris 10 kerberos clients. I can provide the versions if required.
>
> The AD server in question is Windows 2003 R2.
>
> The only way I've found around this is to set the userPrincipalName in AD to the service I really really need.
>
> i.e.: in the case above, userPrincipalName is set to nfs/[email protected]. After doing that, I can kinit that service principal successfully, and the service dependent on it can also initialize correctly.
>
> From my testing, using ktpass.exe to write a keytab file seems to pretty much automatically set the userPrincipalName to the last entry created. Unfortunately, if you have a multi-role server, this creates difficulties. (i.e.: trying to use http/hostname and sql/hostname).
>
> Is there a way around this that I've missed? An option either on the client side or the server side that I've missed?
>
You might want to use a tool like msktutil from Dan Perry, http://dag.wieers.com/rpm/packages/msktutil/, to create your AD entry and keytab.

1) kinit administra...@domain (or an account which has access to a newly created OU (e.g. OU=UnixKerberos). You need to replace CN=COMPUTERS below with OU=UnixKerberos.)

2) msktutil -c -b "CN=COMPUTERS" -s host/<fqdn> -h <fqdn> -k /etc/krb5.keytab --computer-name <host>-host --upn host/<fqdn> --server <domain controller> --verbose

3) msktutil -c -b "CN=COMPUTERS" -s nfs/<fqdn> -h <fqdn> -k /etc/krb5.keytab --computer-name <host>-nfs --upn nfs/<fqdn> --server <domain controller> --verbose

Regards
Markus

> --
> -- John E. Jasen ([email protected])
> -- No one will sorrow for me when I die, because those who would
> -- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
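After the keytab has been written (steps 2 and 3 above, one msktutil run per service on a multi-role host), the thing to verify before restarting the daemons is that the keytab actually contains every service principal the host needs, and whether any entry still carries a single-DES key like the `DES cbc mode with CRC-32` entry shown in the question. The shell script below is an added example for this thread, not code from msktutil or from either poster; it parses `klist -ke`-style output. The `klist` output embedded in it is constructed sample data, and the realm `EXAMPLE.COM` is an assumption.

```shell
#!/bin/sh
# Constructed sample of `klist -ke /etc/krb5.keytab` output; the host name
# comes from the thread, the realm EXAMPLE.COM is an assumption.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/kernelpanic.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   2 host/kernelpanic.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
   3 nfs/kernelpanic.example.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)'

# Read klist -ke output on stdin and print each distinct principal once.
# Entry lines start with a numeric KVNO and carry a principal with an '@'.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /@/ { print $2 }' | sort -u
}

# $1: klist -ke output, $2: space-separated list of required principals.
# Returns 0 when every required principal is present; lists missing ones
# on stderr otherwise, so a service start script can refuse to continue.
check_required_principals() {
    klist_out=$1
    required=$2
    missing=0
    present=$(printf '%s\n' "$klist_out" | keytab_principals)
    for p in $required; do
        if ! printf '%s\n' "$present" | grep -qxF "$p"; then
            echo "missing from keytab: $p" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# $1: klist -ke output. Prints principals that still have a single-DES
# key; these should be regenerated with stronger enctypes.
weak_des_entries() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && /\(DES cbc mode/ { print $2 }' | sort -u
}

# Stand-alone run against the constructed sample.
check_required_principals "$SAMPLE_KLIST" \
    "host/kernelpanic.example.com@EXAMPLE.COM nfs/kernelpanic.example.com@EXAMPLE.COM" \
    && echo "all required principals present"
weak_des_entries "$SAMPLE_KLIST" | sed 's/^/single-DES key: /'
```

On a real host, feed the functions the live output instead of the sample, e.g. `check_required_principals "$(klist -ke /etc/krb5.keytab)" "host/$(hostname -f)@REALM nfs/$(hostname -f)@REALM"`; the required list is exactly the set of `-s` values passed to msktutil, which makes the check a cheap regression test for the multi-role problem the question describes.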
