[SOLVED] RE: [External] - Re: Issues getting Kerberos to work with realmd and Active Directory

2020-07-30 Thread Wesley Taylor
Thank you all for your responses. Fortunately for me, just running klist and 
picking the UPN form got me past this issue, but if I run into any issues in 
the future I will employ those other solutions. I appreciate the help!

-Wes



Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Issues getting Kerberos to work with realmd and Active Directory

2020-07-30 Thread Simo Sorce
Wesley,
when joining hosts to AD a computer account is created and a UPN and
SPNs are set on it.
Unlike MIT Kerberos, AD makes heavy use of aliases, so each host
has a "host password/key" that is shared with all the aliases created.
Most notably there are the UPN, generally of the form
computername$@REALM, and the SPNs, which are a large number of
service/fqdn@REALM principal names.

The important part here is that while you can get tickets for any of
those names (the KDC has many canonicalization rules that will also
match in a case-insensitive way), when you ask for a TGT (the kinit
operation) AD normally will accept a request only if the UPN form is
used as the client principal and will refuse other forms (even though
the key is the same).

realmd has an option to specify what to set the UPN to, to change the
default AD behavior (see the --user-principal option in the realm.8
manpage). You can use it to control what to use at join time; then you
should be able to use exactly that name to kinit from the generated
keytab.

HTH,
Simo.


-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc







Re: Issues getting Kerberos to work with realmd and Active Directory

2020-07-30 Thread Greg Hudson
On 7/30/20 1:00 PM, Wesley Taylor wrote:
> I am confused because when I run 'adcli update --verbose' it says it updated 
> the keytab at /etc/krb5.keytab and outputs the same account name (which I am 
> assuming is the principal for the computer) as adcli testjoin. I am really 
> scratching my head about this, what am I doing wrong here?

It might help to send a transcript of the klist -k output and the kinit
commands.

Note that the case of principal names is significant on the MIT krb5
side, and generally isn't on Windows.

You can set the environment variable KRB5_TRACE to get additional
information about what commands are trying to do behind the scenes, e.g.
"KRB5_TRACE=/dev/stdout kinit -k host/hostname@REALM".
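Added example, not code from any of the posters in this thread: a POSIX shell script that applies the points made in the thread, namely Simo's explanation that AD issues a TGT for the machine only when the UPN form (computername$@REALM) is the client principal, Wesley's resolution of reading `klist -k` and picking that form, and Greg's KRB5_TRACE tip for seeing why a request was refused. The keytab listing embedded below is a constructed sample; `MYHOST`, `myhost.example.com` and `EXAMPLE.COM` are placeholders, and the helper names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): select the computer-account UPN
# (computername$@REALM) from `klist -k` output and use it for `kinit -k`.
# Host and realm names are placeholders; the klist listing is constructed.

# Constructed sample of what `klist -k /etc/krb5.keytab` prints on a host
# joined with realmd/adcli. Every alias shares the same host key (KVNO 2).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/myhost.example.com@EXAMPLE.COM
   2 host/MYHOST@EXAMPLE.COM
   2 RestrictedKrbHost/myhost.example.com@EXAMPLE.COM
   2 RestrictedKrbHost/MYHOST@EXAMPLE.COM
   2 MYHOST$@EXAMPLE.COM'

# Read `klist -k` output on stdin and print the first principal that has no
# service/ component and whose primary ends in "$": the computer-account UPN
# that AD accepts as the client name of an AS-REQ. Exit 1 when the keytab
# holds only SPN aliases, so a caller never falls back to a name the KDC
# will reject with "Client not found in Kerberos database".
select_upn_principal() {
    awk '
        # header lines start with "Keytab", "KVNO" or dashes; entries start
        # with a numeric KVNO and carry the principal in column 2
        $1 ~ /^[0-9]+$/ {
            p = $2
            if (p !~ "/" && p ~ /\$@/) { print p; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    '
}

# Obtain a TGT with the host key using the UPN form. KRB5_TRACE is sent to
# stderr so a refusal by the KDC (wrong name form, wrong case, stale KVNO)
# shows the actual exchange instead of only the one-line kinit error.
kinit_as_host() {
    keytab="${1:-/etc/krb5.keytab}"
    princ=$(klist -k "$keytab" | select_upn_principal) || {
        echo "no UPN-form (name\$@REALM) entry found in $keytab" >&2
        return 1
    }
    echo "using client principal $princ" >&2
    KRB5_TRACE=/dev/stderr kinit -k -t "$keytab" "$princ"
}

# Offline demonstration on the constructed listing: prints MYHOST$@EXAMPLE.COM
printf '%s\n' "$SAMPLE_KLIST" | select_upn_principal

# Pass --run on a joined host to actually request the TGT from the KDC.
if [ "${1:-}" = "--run" ]; then
    kinit_as_host "${2:-/etc/krb5.keytab}"
fi
```

The selection deliberately rejects every `service/fqdn@REALM` entry even though, as Simo notes, their keys are identical to the UPN's: the key being right does not make the name acceptable to AD for a TGT request, which is exactly the "Keytab contains no suitable keys" versus "Client not found" confusion in the original question.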



Issues getting Kerberos to work with realmd and Active Directory

2020-07-30 Thread Wesley Taylor
Hi All,

I am trying to get HTCondor with Kerberos authentication
(https://htcondor.readthedocs.io/en/stable/admin-manual/security.html?highlight=Kerberos#kerberos-authentication)
to work on some Linux machines I have which I joined to Windows Active
Directory with realmd. HTCondor tries to authenticate with the machine
principal, but I am having a hard time figuring out what that is. When I run
'klist -k' I see a bunch of entries from /etc/krb5.keytab along the lines of
host/fqdn@REALM. However, when I run 'kinit -k' I get "kinit: Client
$(hostname) not found in Kerberos database".

I then interrogated the realm with adcli, using 'adcli testjoin --verbose', and
it outputs the computer account name as HOST/HOSTNAME@REALM. When I run 'kinit
-k HOST/HOSTNAME@REALM' I get back the error "kinit: Keytab contains no
suitable keys for HOST/HOSTNAME@REALM".

I am confused because when I run 'adcli update --verbose' it says it updated 
the keytab at /etc/krb5.keytab and outputs the same account name (which I am 
assuming is the principal for the computer) as adcli testjoin. I am really 
scratching my head about this, what am I doing wrong here?

Thanks,
Wes

