Hi Alon, got it finally working after reinstalling the OS and new configuration of the services.
Thanks for your help!

Ralf

-----Original Message-----
From: Alon Bar-Lev [mailto:[email protected]]
Sent: Wednesday, 9 November 2011 10:22
To: Gnädinger Ralf
Cc: [email protected]
Subject: Re: 2003 R2 AD servicePrincipalName issue

If 'net ads testjoin' works, there is no reason other stuff won't...

Try:
# kdestroy
# kinit -kt /etc/krb5.keytab -S HTTP/[email protected] 'JP-SYS8$'
# klist

Are you sure you are trying to access the server using fqn dns?
How do you test this?
Did you try a simple IE in intranet zone?

2011/11/9 Gnädinger Ralf <[email protected]>:
> Hi Alon,
>
> I've done everything you wrote below.
> Ping and reverse lookup work fine, servicePrincipalNames are set (kvno HOST
> or HTTP/jp-sys8 works, with jp-sys8.joma.de not)...
>
> kvno HOST/jp-sys8
> HOST/[email protected]: kvno = 2
>
> Kinit with HOST/jp-sys8 or HOST/jp-sys8.joma.de doesn't work either.
>
> The servicePrincipalNames in our AD:
>
> Registered ServicePrincipalNames for CN=jp-sys8,CN=Computers,DC=joma,DC=de:
> HTTP/jp-sys8.joma.de
> HTTP/jp-sys8
> HOST/jp-sys8.joma.de
> HOST/JP-SYS8
>
> My krb5.keytab has the following entries:
>
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 host/[email protected] (DES cbc mode with CRC-32)
>    2 host/[email protected] (DES cbc mode with RSA-MD5)
>    2 host/[email protected] (ArcFour with HMAC/md5)
>    2 host/[email protected] (DES cbc mode with CRC-32)
>    2 host/[email protected] (DES cbc mode with RSA-MD5)
>    2 host/[email protected] (ArcFour with HMAC/md5)
>    2 [email protected] (DES cbc mode with CRC-32)
>    2 [email protected] (DES cbc mode with RSA-MD5)
>    2 [email protected] (ArcFour with HMAC/md5)
>    2 HTTP/[email protected] (DES cbc mode with CRC-32)
>    2 HTTP/[email protected] (DES cbc mode with RSA-MD5)
>    2 HTTP/[email protected] (ArcFour with HMAC/md5)
>    2 HTTP/[email protected] (DES cbc mode with CRC-32)
>    2 HTTP/[email protected] (DES cbc mode with RSA-MD5)
>    2 HTTP/[email protected] (ArcFour with HMAC/md5)
>
> Of course the authentication via apache2 wouldn't work, I think kinit
> should work first but I have no clue what's going wrong here :(
>
> Thanks
>
> Ralf
>
> -----Original Message-----
> From: Alon Bar-Lev [mailto:[email protected]]
> Sent: Wednesday, 9 November 2011 08:46
> To: Gnädinger Ralf
> Cc: [email protected]
> Subject: Re: 2003 R2 AD servicePrincipalName issue
>
> 0. Delete everything you did from active directory Computer spn and
> everything.
>
> 1. Make sure active directory can resolve and reverse resolve your server.
> ping server.xxx.com
> ping -a ip.a.dd.res
>
> 2. Edit /etc/krb5.conf
> ---
> [libdefaults]
> default_realm = XXX.COM
> forwardable = true
>
> [realms]
>
> [domain_realm]
>
> [logging]
> ---
>
> 3. Install samba
>
> 4. Edit /etc/smb.conf
> Modify:
> workgroup = XXX
> security = ads
> kerberos method = system keytab
> client use spnego = yes
> realm = XXX.COM
> local master = no
>
> 5. Run:
> # net ads join -U Administrator
> # net ads testjoin
> # net ads keytab create -U Administrator
> # net ads keytab add HTTP -U Administrator
>
> 6. Allow apache access keytab
> chgrp apache /etc/krb5.keytab
> chmod g+r /etc/krb5.keytab
>
> 7. Configure mod_auth_kerb
> ---
> AuthName "Kerberos Login"
> AuthType Kerberos
> Krb5Keytab /etc/krb5.keytab
> KrbAuthRealm XXX.COM
> ---
>
> Good luck!
>
> 2011/11/9 Gnädinger Ralf <[email protected]>
>>
>> Hi all,
>>
>> I am trying to kerberize my apache via mod_auth_kerb on a debian squeeze
>> box with our company 2003 R2 active directory service.
>>
>> After I configured Kerberos on my linux box I am able to get a ticket using
>> kinit username.
>>
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: [email protected]
>>
>> Valid starting     Expires            Service principal
>> 11/09/11 07:51:29  11/09/11 17:51:17  krbtgt/[email protected]
>>         renew until 11/10/11 07:51:29, Etype (skey, tkt): ArcFour with
>> HMAC/md5, ArcFour with HMAC/md5
>>
>> Then I created a computer account and added the service principal
>> names like this in our AD
>>
>> #setspn -R jp-sys8
>> #setspn -A HTTP/jp-sys8.joma.de jp-sys8
>> #setspn -L jp-sys8
>>
>> Registered ServicePrincipalNames for CN=jp-sys8,CN=Computers,DC=joma,DC=de:
>> HOST/jp-sys8.joma.de
>> HOST/jp-sys8
>> HTTP/jp-sys8.joma.de
>>
>> Now when I use kvno on my linux box it is possible to get the version
>> like this
>>
>> # kvno HOST/jp-sys8
>> HOST/[email protected]: kvno = 2
>>
>> but if I try HOST/jp-sys8.joma.de it's not working...
>>
>> # kvno HOST/jp-sys8.joma.de
>> kvno: Server not found in Kerberos database while getting credentials
>> for HOST/[email protected]
>>
>> When I am adding HTTP/jp-sys8 as service principal it is the same:
>> HTTP/jp-sys8 works, HTTP/jp-sys8.joma.de doesn't.
>>
>> Is there anything I've missed?
>>
>> Thanks
>>
>> Ralf
>>
>> ________________________________________________
>> Kerberos mailing list  [email protected]
>> https://mailman.mit.edu/mailman/listinfo/kerberos
