Hi Alon,

I've done everything you wrote below.
Ping and reverse lookup work fine, servicePrincipalNames are set (kvno with HOST/jp-sys8 or 
HTTP/jp-sys8 works, with jp-sys8.joma.de it does not)...

kvno HOST/jp-sys8
HOST/[email protected]: kvno = 2

Kinit with HOST/jp-sys8 or HOST/jp-sys8.joma.de doesn't work either.

The servicePrincipalNames in our AD:

Registered ServicePrincipalNames for CN=jp-sys8,CN=Computers,DC=joma,DC=de:
    HTTP/jp-sys8.joma.de
    HTTP/jp-sys8
    HOST/jp-sys8.joma.de
    HOST/JP-SYS8

My krb5.keytab has the following entries:

Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/[email protected] (DES cbc mode with CRC-32)
   2 host/[email protected] (DES cbc mode with RSA-MD5)
   2 host/[email protected] (ArcFour with HMAC/md5)
   2 host/[email protected] (DES cbc mode with CRC-32)
   2 host/[email protected] (DES cbc mode with RSA-MD5)
   2 host/[email protected] (ArcFour with HMAC/md5)
   2 [email protected] (DES cbc mode with CRC-32)
   2 [email protected] (DES cbc mode with RSA-MD5)
   2 [email protected] (ArcFour with HMAC/md5)
   2 HTTP/[email protected] (DES cbc mode with CRC-32)
   2 HTTP/[email protected] (DES cbc mode with RSA-MD5)
   2 HTTP/[email protected] (ArcFour with HMAC/md5)
   2 HTTP/[email protected] (DES cbc mode with CRC-32)
   2 HTTP/[email protected] (DES cbc mode with RSA-MD5)
   2 HTTP/[email protected] (ArcFour with HMAC/md5)

Of course the authentication via apache2 wouldn't work; I think kinit should 
work first, but I have no clue what's going wrong here :(

Thanks

Ralf
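A cross-check of the two listings in this thread (the setspn -L output on the AD side and the klist -k keytab on the Debian side), added here as an example and not code from the thread; it assumes the MIT klist -k format shown above and a realm name JOMA.DE constructed from the AD domain. It reports SPNs registered in AD that have no key in the keytab and flags the single-DES entries the keytab still carries.

```sh
#!/bin/sh
# Added example, not code from the thread: an offline cross-check of the two
# listings Ralf posted (setspn -L on the AD side, klist -k on the Debian side).
# Samples are constructed to mirror the mail; the realm JOMA.DE is assumed.
export LC_ALL=C   # keep sort order independent of the caller's locale
SAMPLE_SPN_LIST='Registered ServicePrincipalNames for CN=jp-sys8,CN=Computers,DC=joma,DC=de:
    HTTP/jp-sys8.joma.de
    HTTP/jp-sys8
    HOST/jp-sys8.joma.de
    HOST/JP-SYS8'
SAMPLE_KEYTAB='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------------
   2 host/jp-sys8.joma.de@JOMA.DE (DES cbc mode with CRC-32)
   2 host/jp-sys8.joma.de@JOMA.DE (ArcFour with HMAC/md5)
   2 host/jp-sys8@JOMA.DE (DES cbc mode with CRC-32)
   2 HTTP/jp-sys8.joma.de@JOMA.DE (ArcFour with HMAC/md5)'

# SPNs from setspn -L output, lower-cased: AD matches SPNs case-insensitively,
# a MIT keytab lookup does not, so compare on one normalised form.
ad_spns() {
    printf '%s\n' "$1" | awk '/^ +[A-Za-z]+\// { print tolower($1) }' | sort -u
}

# service/host names that have a key in a klist -k listing (realm stripped).
keytab_spns() {
    printf '%s\n' "$1" |
        awk '/^ *[0-9]+ +[^ ]+\// { p = $2; sub(/@.*/, "", p); print tolower(p) }' |
        sort -u
}

# SPNs registered in AD with no key in the keytab: the KDC will issue a ticket
# for such a name, but the web server has no key to decrypt it with.
spns_missing_from_keytab() {
    kt=$(keytab_spns "$2")
    for spn in $(ad_spns "$1"); do
        printf '%s\n' "$kt" | grep -qxF "$spn" || echo "$spn"
    done
}

# Principals that still carry a single-DES key; DES is deprecated and a keytab
# used only for HTTP authentication should not need it.
des_key_principals() {
    printf '%s\n' "$1" | awk '/\(DES cbc/ { print $2 }' | sort -u
}
echo "AD SPNs without a keytab key:"
spns_missing_from_keytab "$SAMPLE_SPN_LIST" "$SAMPLE_KEYTAB"
echo "Principals still keyed with DES:"
des_key_principals "$SAMPLE_KEYTAB"
```

Feed the real `setspn -L` and `klist -k` output into the two functions in place of the samples to run the same check against a live box.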

-----Original Message-----
From: Alon Bar-Lev [mailto:[email protected]] 
Sent: Wednesday, 9 November 2011 08:46
To: Gnädinger Ralf
Cc: [email protected]
Subject: Re: 2003 R2 AD servicePrincipalName issue

0. Delete everything you did from active directory Computer spn and everything.

1. Make sure active directory can resolve and reverse resolve your server.
ping server.xxx.com
ping -a ip.a.dd.res

2. Edit /etc/krb5.conf
---
[libdefaults]
        default_realm = XXX.COM
        forwardable = true

[realms]

[domain_realm]

[logging]
---

3. Install samba

4. Edit /etc/smb.conf
Modify:
        workgroup = XXX
        security = ads
        kerberos method = system keytab
        client use spnego = yes
        realm = XXX.COM
        local master = no

5. Run:
# net ads join -U Administrator
# net ads testjoin
# net ads keytab create -U Administrator
# net ads keytab add HTTP -U Administrator

6. Allow apache access keytab
chgrp apache /etc/krb5.keytab
chmod g+r /etc/krb5.keytab

7. Configure mod_auth_kerb
---
        AuthName "Kerberos Login"
        AuthType Kerberos
        Krb5Keytab /etc/krb5.keytab
        KrbAuthRealm XXX.COM
---

Good luck!

2011/11/9 Gnädinger Ralf <[email protected]>
>
> Hi all,
>
> I am trying to kerbernize my apache via mod_auth_kerb on a debian squeeze box 
> with our company 2003 R2 active directory service.
>
> After I configured Kerberos on my linux box I am able to get a ticket using 
> kinit username.
>
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [email protected]
>
> Valid starting     Expires            Service principal
> 11/09/11 07:51:29  11/09/11 17:51:17  krbtgt/[email protected]
>        renew until 11/10/11 07:51:29, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
>
> Then I created a computer account and added the service principal 
> names like this in our AD
>
> #setspn -R jp-sys8
> #setspn -A HTTP/jp-sys8.joma.de jp-sys8
> #setspn -L jp-sys8
>
> Registered ServicePrincipalNames for CN=jp-sys8,CN=Computers,DC=joma,DC=de:
>    HOST/jp-sys8.joma.de
>    HOST/jp-sys8
>    HTTP/jp-sys8.joma.de
>
> Now when I use kvno on my linux box it is possible to get the version 
> like this
>
> # kvno HOST/jp-sys8
> HOST/[email protected]: kvno = 2
>
> but if I try HOST/jp-sys8.joma.de it's not working...
>
> # kvno HOST/jp-sys8.joma.de
> kvno: Server not found in Kerberos database while getting credentials 
> for HOST/[email protected]
>
> When I add HTTP/jp-sys8 as a service principal it is the same: 
> HTTP/jp-sys8 works, HTTP/jp-sys8.joma.de doesn't.
>
> Is there anything I've missed?
>
> Thanks
>
> Ralf
>
>
> ________________________________________________
> Kerberos mailing list           [email protected] 
> https://mailman.mit.edu/mailman/listinfo/kerberos

