Personally, I had many problems while using ktpass to create a keytab. You could try to use Samba in AD mode, or CSS adkadmin.

Javier Palacios

On Thu, Jul 30, 2009 at 4:34 PM, Douglas E. Engert <[email protected]> wrote:
>
> jarek wrote:
>> Hi all!
>>
>> I've configured Debian with pam_krb5, and I can log in using username and
>> password to sshd. I've also tried to use ticket login, and I have a
>> problem with it. As I understand it, I need a keytab file for this. But
>> whenever I put krb5.keytab into /etc I can't log in at all (even with
>> password). auth.log says:
>>
>> (pam_krb5): none: pam_sm_authenticate: entry (0x1)
>> (pam_krb5): apache: attempting authentication as [email protected]
>> (pam_krb5): apache: credential verification failed: Server not found in
>> Kerberos database
>> (pam_krb5): apache: pam_sm_authenticate: exit (failure)
>> pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0
>> tty=ssh ruser= rhost=192.168.1.181 user=apache
>>
>> I've created a keytab for apache, which is used by
>> libapache2-mod-auth-kerb and it works - I can log in with a Kerberos ticket.
>>
>> The keytab was created on a W2008 server with the following command:
>>
>> ktpass -out host-nms.keytab -princ host/[email protected]
>>   -mapuser [email protected] -mapOp set -pass <secret> -crypto
>>   DES-CBC-MD5 -pType KRB5_NT_PRINCIPAL +DesOnly
>
> I don't think you are understanding what ktpass is doing.
> You need a user or computer account in AD that will have a password,
> and (usually only one) servicePrincipalName. The -mapuser is the name
> of this account.
>
>> By the way, can someone tell me what this password in the ktpass
>> command is for?
>
> The -pass option is used to change the password stored in the account,
> and to create the key in the keytab file. So you must be an AD admin
> to run this. (Unlike most KDCs, which store the key, AD generates the key
> on the fly from the stored password when a service ticket is created.) The
> password in AD and the key in the keytab must be kept in sync. The kvno
> in the keytab and the msDS-keyVersionNumber in the account must also match.
>
> If you are going to be adding a lot of hosts to AD, have a look at the
> msktutil package. A Debian version is available that works with W2008
> and can generate AES keys too. msktutil-0.3.16-7
>
> http://download.systemimager.org/~finley/msktutil/
>
>> Best regards
>> J.
>> ________________________________________________
>> Kerberos mailing list [email protected]
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>
> --
>
> Douglas E. Engert <[email protected]>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
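The two things Douglas says must line up (the keytab's kvno against the account's msDS-KeyVersionNumber, and a registered servicePrincipalName for the host principal) can be checked from the Unix side before touching PAM. The script below is an added example written for this page; it is not code from the thread or from msktutil. The realm EXAMPLE.COM, host nms.example.com, LDAP base and the sample `klist -kte` / `ldapsearch` output are constructed, and the live check assumes MIT `klist`, `kinit` and OpenLDAP `ldapsearch` are installed. It also flags a DES-only keytab, since MIT krb5 1.8 and later refuse DES keys unless allow_weak_crypto is enabled.

```shell
#!/bin/sh
# Added example (not from the thread): does a ktpass-made keytab agree with
# the AD account behind it? All names and sample output below are constructed.

PRINC='host/nms.example.com@EXAMPLE.COM'   # hypothetical host principal

# Constructed sample of `klist -kte /etc/krb5.keytab` output (MIT Kerberos).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 07/30/09 10:00:00 host/nms.example.com@EXAMPLE.COM (DES cbc mode with RSA-MD5)'

# Constructed sample of the LDIF an ldapsearch against AD returns for the
# account that -mapuser pointed at, e.g.
#   ldapsearch -LLL -H ldap://dc.example.com -Y GSSAPI -b DC=example,DC=com \
#     '(servicePrincipalName=host/nms.example.com)' msDS-KeyVersionNumber
SAMPLE_LDIF='dn: CN=nms,CN=Users,DC=example,DC=com
servicePrincipalName: host/nms.example.com
msDS-KeyVersionNumber: 3'

# Same account after someone re-ran ktpass or reset the password: AD bumped
# the version number, but the keytab on disk still carries kvno 3.
SAMPLE_LDIF_STALE='dn: CN=nms,CN=Users,DC=example,DC=com
servicePrincipalName: host/nms.example.com
msDS-KeyVersionNumber: 4'

# Print the distinct kvno values a keytab listing holds for PRINCIPAL.
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '$4 == p { print $1 }' | sort -u
}

# Print the encryption type of every keytab entry for PRINCIPAL.
keytab_enctypes() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$4 == p { sub(/^[^(]*\(/, ""); sub(/\).*$/, ""); print }'
}

# Print msDS-KeyVersionNumber from an LDIF dump of the AD account.
ad_kvno() {
    printf '%s\n' "$1" | awk -F': ' 'tolower($1) == "msds-keyversionnumber" { print $2 }'
}

# Return 0 when keytab and AD agree on exactly one kvno for PRINCIPAL.
# Usage: check_kvno KLIST_OUTPUT LDIF PRINCIPAL
check_kvno() {
    kt=$(keytab_kvno "$1" "$3")
    ad=$(ad_kvno "$2")
    [ -n "$kt" ] && [ -n "$ad" ] && [ "$kt" = "$ad" ]
}

# Return 0 when every key for PRINCIPAL is single DES (what +DesOnly gives).
# Triple DES ("des3-..." / "Triple DES ...") is deliberately not counted.
keytab_des_only() {
    keytab_enctypes "$1" "$2" | grep -Eqiv '^des(-| )cbc' && return 1
    [ -n "$(keytab_enctypes "$1" "$2")" ]
}

# Live check against a real AD, not run by default. Needs an admin TGT for
# the GSSAPI bind. Usage: verify_keytab_live PRINCIPAL KEYTAB BASE_DN LDAP_URI
verify_keytab_live() {
    princ=$1; keytab=$2; base=$3; uri=$4
    listing=$(klist -kte "$keytab") || return 1
    spn=${princ%@*}
    ldif=$(ldapsearch -LLL -H "$uri" -Y GSSAPI -b "$base" \
        "(servicePrincipalName=$spn)" msDS-KeyVersionNumber) || return 1
    [ -n "$ldif" ] || { echo "no AD account has SPN $spn" >&2; return 1; }
    check_kvno "$listing" "$ldif" "$princ" ||
        { echo "kvno mismatch for $princ: regenerate the keytab" >&2; return 1; }
    keytab_des_only "$listing" "$princ" &&
        echo "warning: $princ has only DES keys" >&2
    # Getting a TGT from the keytab proves the KDC knows the account and
    # that the stored key matches the AD password.
    kinit -k -t "$keytab" "$princ"
}

# Stand-alone run over the constructed samples.
check_kvno "$SAMPLE_KLIST" "$SAMPLE_LDIF" "$PRINC" && echo "fresh keytab: kvno matches"
check_kvno "$SAMPLE_KLIST" "$SAMPLE_LDIF_STALE" "$PRINC" || echo "stale keytab: kvno differs"
keytab_des_only "$SAMPLE_KLIST" "$PRINC" && echo "keytab is DES-only"
[ "${RUN_LIVE:-0}" = 1 ] && verify_keytab_live "$PRINC" /etc/krb5.keytab "$BASE_DN" "$LDAP_URI"
```

A kvno mismatch means the account password was changed after the keytab was cut (a second ktpass run does exactly that), so the fix is to regenerate the keytab rather than to edit it. An empty ldapsearch result for the SPN is the AD-side cause of the "Server not found in Kerberos database" error in the quoted log: pam_krb5 verifies the user's TGT by asking the KDC for a ticket to host/<fqdn>, and AD can only issue one if some account carries that servicePrincipalName.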
