Javier Palacios wrote:
> Personally, I got many problems while using ktpass to create a keytab.

We don't use it either, but msktutil instead. But Jarek was using ktpass,
so my suggestion was to understand what is going on under the covers and
use ktpass correctly.

> You could try to use samba in AD mode, or CSS adkadmin.
>
> Javier Palacios
>
> On Thu, Jul 30, 2009 at 4:34 PM, Douglas E. Engert <[email protected]> wrote:
>>
>> jarek wrote:
>>> Hi all!
>>>
>>> I've configured Debian with pam_krb5, and I can log in to sshd using
>>> username and password. I've also tried ticket login, and I have a
>>> problem with it. As I understand it, I need a keytab file for this. But
>>> whenever I put krb5.keytab into /etc I can't log in at all (even with
>>> a password). auth.log says:
>>>
>>> (pam_krb5): none: pam_sm_authenticate: entry (0x1)
>>> (pam_krb5): apache: attempting authentication as [email protected]
>>> (pam_krb5): apache: credential verification failed: Server not found in
>>> Kerberos database
>>> (pam_krb5): apache: pam_sm_authenticate: exit (failure)
>>> pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0
>>> tty=ssh ruser= rhost=192.168.1.181 user=apache
>>>
>>> I've created a keytab for apache, which is used by
>>> libapache2-mod-auth-kerb, and it works - I can log in with a Kerberos ticket.
>>>
>>> The keytab was created on a W2008 server with the following command:
>>>
>>> ktpass -out host-nms.keytab -princ host/[email protected]
>>> -mapuser [email protected] -mapOp set -pass <secret> -crypto
>>> DES-CBC-MD5 -pType KRB5_NT_PRINCIPAL +DesOnly
>>
>> I don't think you are understanding what ktpass is doing.
>> You need a user or computer account in AD that will have a password,
>> and (usually only one) servicePrincipalName. The -mapuser is the name
>> of this account.
>>
>>> By the way, can someone tell me what this password in the ktpass
>>> command is for?
>>
>> The -pass option is used to change the password stored in the account,
>> and to create the key in the keytab file. So you must be an AD admin
>> to run this. (Unlike most KDCs, which store the key, AD generates the key
>> on the fly from the stored password when a service ticket is created.) The
>> password in AD and the key in the keytab must be kept in sync. The kvno
>> in the keytab and the msDS-keyVersionNumber in the account must also match.
>>
>> If you are going to be adding a lot of hosts to AD, have a look at the
>> msktutil package. A Debian version is available that works with W2008
>> and can generate AES keys too: msktutil-0.3.16-7
>>
>> http://download.systemimager.org/~finley/msktutil/
>>
>>> Best regards
>>> J.
>>> ________________________________________________
>>> Kerberos mailing list [email protected]
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>> --
>>
>> Douglas E. Engert <[email protected]>
>> Argonne National Laboratory
>> 9700 South Cass Avenue
>> Argonne, Illinois 60439
>> (630) 252-5444

--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
