I found the problem with msktutil. It uses the wrong salt. For a computer name with uppercase parts (e.g. squid-HTTP) it uses DOM.LOCALhostsquid-HTTP.dom.local as salt instead of DOM.LOCALhostsquid-http.dom.local.
Markus

"Markus Moeller" <[email protected]> wrote in message news:[email protected]...
> Is it possible that Windows 2008 is mapping HTTP principal to host
> principals ?
>
> With two AD entries created by msktutil for host/fqdn and HTTP/fqdn my
> apache/squid module created an error "Decrypt integrity check failed" and
> a kinit -kt /etc/HTTP.keytab HTTP/fqdn fails, whereas kinit -kt
> /etc/host.keytab host/fqdn works.
>
> When I remove the AD entry which msktutil created for HTTP/fqdn and leave
> the AD entry for host/fqdn I still got an answer for kvno HTTP/fqdn. Now
> I used ktutil to create a HTTP keytab
>
> # ktutil
> ktutil: addent -key -p HTTP/[email protected] -k 2 -e
> aes256-cts-hmac-sha1-96
> Key for HTTP/[email protected] (hex):
> 3fab515ac867e26a6f388707f282824ee3b50310cbbb9b625273dfe21aed5c03
> ktutil: wkt /etc/HTTP.keytab
> ktutil: quit
>
> I can use the HTTP.keytab with kinit and I can also use it now for
> apache/squid.
>
> It looks like when IE requests a HTTP/fqdn ticket 2008 converts it in a
> request for host/fqdn and ignores entries with a serviceprincipal set to
> HTTP/fqdn.
>
> Can anybody confirm that ? Or what do I do wrong ?
>
> Thank you
> Markus
>
> "Markus Moeller" <[email protected]> wrote in message
> news:[email protected]...
>> I was too quick. I get it to work with host/fqdn (e.g. kinit -kt
>> /etc/krb5.keytab host/centos.dom.local) but not with HTTP/fqdn. I use
>> AES-256 CTS mode with 96-bit SHA-1 HMAC.
>>
>> klist -ekt /etc/krb5.keytab
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Timestamp Principal
>> ---- -----------------
>> --------------------------------------------------------
>> 3 08/29/09 20:54:49 host/[email protected] (ArcFour with
>> HMAC/md5)
>> 3 08/29/09 20:54:49 host/[email protected] (AES-128 CTS mode
>> with 96-bit SHA-1 HMAC)
>> 3 08/29/09 20:54:49 host/[email protected] (AES-256 CTS mode
>> with 96-bit SHA-1 HMAC)
>>
>> klist -e
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: host/[email protected]
>>
>> Valid starting Expires Service principal
>> 08/29/09 21:48:32 08/30/09 07:47:42 krbtgt/[email protected]
>> renew until 08/30/09 21:48:32, Etype (skey, tkt): AES-256 CTS mode
>> with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
>>
>>
>>
>> klist -ekt /etc/HTTP.keytab
>> Keytab name: FILE:/opt/squid-3.0/etc/HTTP.keytab
>> KVNO Timestamp Principal
>> ---- -----------------
>> --------------------------------------------------------
>> 2 08/29/09 21:39:35 HTTP/[email protected] (ArcFour with
>> HMAC/md5)
>> 2 08/29/09 21:39:35 HTTP/[email protected] (AES-128 CTS mode
>> with 96-bit SHA-1 HMAC)
>> 2 08/29/09 21:39:35 HTTP/[email protected] (AES-256 CTS mode
>> with 96-bit SHA-1 HMAC)
>>
>>
>> kinit -kt /etc/HTTP.keytab HTTP/centos.dom.local
>> kinit(v5): Preauthentication failed while getting initial credentials
>>
>> Markus
>>
>>
>> "Markus Moeller" <[email protected]> wrote in message
>> news:cf5a795e7b16440fa314ed54d5645...@vaiolaptop...
>>> Wolf-Agathon,
>>>
>>> I did export the keytab, but I found out the Hotfix 951191 was not
>>> installed on the 2008 DC.
>>>
>>> Markus
>>>
>>> ----- Original Message -----
>>> From: "Wolf-Agathon Schaly" <[email protected]>
>>> To: <[email protected]>; <[email protected]>
>>> Sent: Saturday, August 29, 2009 11:27 AM
>>> Subject: **SPAM ZEN 91.53.127.108** Re: msktutil problem with Windows
>>> 2008
>>>
>>>
>>>> Howdy Markus
>>>>
>>>> Sounds to me that you're trying to use a keytab without exporting the key
>>>> to
>>>> your keytab file test.keytab
>>>>
>>>> am I right ?
>>>>
>>>> cheers
>>>> Wolf-Agathon
>>>>
>>>>
>>>> ----- Original Message ----
>>>> From: Markus Moeller <[email protected]>
>>>> To: [email protected]
>>>> Date: 29.08.2009 00:07
>>>> Subject: msktutil problem with Windows 2008
>>>>
>>>>> I use the latest msktutil (0.3.16-7) and can add an entry to Windows
>>>>> 2008,
>>>>> but when I run kinit -kt test.keytab HTTP/fqdn I get
>>>>> KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. Is there a setting in 2008 which needs
>>>>> to
>>>>> be
>>>>>
>>>>> changed ?
>>>>>
>>>>> Thank you
>>>>> Markus
>>>>>
>>>>>
>>>>> ________________________________________________
>>>>> Kerberos mailing list [email protected]
>>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>>
>>>>
>>>
>>
>
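The salt mismatch at the top of this message, worked through as an added example (this is not msktutil's code and not from the thread): Active Directory builds the AES salt for a computer account as the uppercase realm, the literal "host", and the lowercase FQDN, so a tool that keeps the hostname's original case derives a different key. The final AES-based DK step of RFC 3962 is omitted; only the PBKDF2 stage is shown, which is already enough to make the two keys differ. The password `"constructed-machine-password"` is a constructed sample, not a real account secret.

```python
import hashlib

# AD salt rules (MS-KILE):
#   user account:     REALM + sAMAccountName (case preserved)
#   computer account: REALM + "host" + lowercase(hostname) + "." + lowercase(dns domain)
def ad_salt(realm: str, sam_account_name: str, dns_domain: str) -> str:
    """Salt AD uses for the AES string-to-key of this account."""
    realm = realm.upper()
    if sam_account_name.endswith("$"):            # computer accounts end in '$'
        host = sam_account_name[:-1].lower()      # hostname is always lowercased
        return f"{realm}host{host}.{dns_domain.lower()}"
    return f"{realm}{sam_account_name}"


def msktutil_salt_as_reported(realm: str, sam_account_name: str, dns_domain: str) -> str:
    """Salt the message says msktutil built: hostname case preserved (the bug)."""
    return f"{realm.upper()}host{sam_account_name.rstrip('$')}.{dns_domain}"


def pbkdf2_stage(password: str, salt: str, iterations: int = 4096) -> bytes:
    """RFC 3962 first stage for aes256-cts-hmac-sha1-96: PBKDF2-HMAC-SHA1,
    UTF-8 password and salt, default 4096 iterations, 32-byte output.
    (The DK() step that turns this into the final Kerberos key is omitted.)"""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, 32)


def keys_match(password: str, realm: str, sam: str, dns_domain: str) -> bool:
    """True only if the KDC-side salt and the tool-side salt yield the same key.
    A False here is what shows up as 'Preauthentication failed' on kinit and
    'Decrypt integrity check failed' in the service."""
    kdc_key = pbkdf2_stage(password, ad_salt(realm, sam, dns_domain))
    tool_key = pbkdf2_stage(password, msktutil_salt_as_reported(realm, sam, dns_domain))
    return kdc_key == tool_key


if __name__ == "__main__":
    pw = "constructed-machine-password"           # constructed sample value
    for sam in ("squid-HTTP$", "centos$"):
        print(sam, "salt:", ad_salt("DOM.LOCAL", sam, "dom.local"),
              "matches:", keys_match(pw, "DOM.LOCAL", sam, "dom.local"))
```

Only names with uppercase characters are affected, which is why the all-lowercase host principal in the thread worked while HTTP on a mixed-case computer name did not.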
