Vitaly Tskhovrebov wrote:
> Hi.
>
> I'm trying to use krb authentication on a Linux box with Apache.
>
> I've done the following on a W2K3 PDC:
>
> ktpass -princ host/[email protected] -pass qwerty -mapuser D\web_http -out host.keytab -ptype KRB5_NT_SRV_HST -kvno 1
> Successfully mapped host/[email protected] to web_http.
> WARNING: pType and account type do not match. This might cause problems.
> Key created.
> Output keytab to host.keytab:
> Keytab version: 0x502
> keysize 75 host/web.company.ru ptype 3 (KRB5_NT_SRV_HST) vno 1 etype 0x17 (RC4-HMAC) keylength 16 (0xeddf60686996d8ba2d81cfd15da42bd3)
>
> the same for
> ktpass -princ HTTP/[email protected] -pass qwerty -mapuser D\web_http -out http.keytab -kvno 1
You may have updated the msDS-keyVersionNumber in the DC. Use LDAP or some MS tool like ADSI Edit to look for this attribute on the web_http account. Also look at the userPrincipalName, servicePrincipalName and sAMAccountName attributes too.

> and then
> setspn.exe -A HTTP/web.company.ru web

Should this be web_http? Did it work?

You should also consider using two separate accounts and two separate keytab files, one for host/... and one for HTTP/... Each would then have its own key.

> after that I made several steps on the Linux box making a keytab for Apache, and
> trying to test:
>
> ktutil: read_kt host.keytab
> ktutil: read_kt http.keytab
> ktutil: list
> slot KVNO Principal
> ---- ---- ------------------------------------
>    1    1 host/[email protected]
>    2    1 HTTP/[email protected]
> ktutil: write_kt apache.keytab
>
> kinit -t apache.keytab -k HTTP/[email protected]
> # IT'S OK!
>
> kinit -t apache.keytab -k host/[email protected]
> kinit(v5): Client not found in Kerberos database while getting initial credentials
>
> Ethereal told that krb5kdc_err_s_principal_unknown.
>
> Where am I wrong?
>
> --
> Vitaly.
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
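As an added illustration of the kvno check Doug suggests (example code, not part of this thread or of MIT Kerberos), the parser below reads a version 0x502 keytab the way `ktutil: list` does and reports entries whose kvno disagrees with the kvno the caller has read from the account (msDS-keyVersionNumber). The sample keytab is constructed inline to mirror the merged apache.keytab above; the realm "EXAMPLE.REALM" and the all-zero keys are placeholders.

```python
import struct

def build_entry(components, realm, name_type, kvno, enctype, key):
    """Serialize one 0x502 keytab entry; used here only to construct the sample input."""
    body = struct.pack(">H", len(components))
    for s in [realm.encode()] + [c.encode() for c in components]:   # realm, then name parts
        body += struct.pack(">H", len(s)) + s                       # counted_octet_string
    body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)          # name_type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key             # keyblock
    body += struct.pack(">I", kvno)                                 # optional 32-bit kvno
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return the entries of a 0x502 keytab as dicts (roughly what `ktutil: list` prints)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos += 4
        if size <= 0:                     # negative size marks a deleted slot: skip the hole
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack_from(">H", data, pos)[0]
        pos += 2
        strings = []
        for _ in range(ncomp + 1):        # realm first, then the principal name components
            n = struct.unpack_from(">H", data, pos)[0]
            strings.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        key = data[pos + 13:pos + 13 + klen]
        tail = pos + 13 + klen            # a 32-bit kvno may follow the key; it wins when non-zero
        kvno = (struct.unpack_from(">I", data, tail)[0] if end - tail >= 4 else 0) or vno8
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0], "kvno": kvno,
                        "name_type": name_type, "enctype": enctype, "key": key})
        pos = end
    return entries

def kvno_mismatches(entries, directory_kvno):
    """Principals whose keytab kvno differs from the kvno the caller read for the account (msDS-keyVersionNumber)."""
    return [e["principal"] for e in entries if directory_kvno.get(e["principal"], e["kvno"]) != e["kvno"]]

# Constructed sample: the merged apache.keytab from the thread, with a placeholder realm and all-zero keys.
REALM = "EXAMPLE.REALM"
SAMPLE_KEYTAB = (b"\x05\x02" + build_entry(["host", "web.company.ru"], REALM, 3, 1, 0x17, bytes(16))
                 + build_entry(["HTTP", "web.company.ru"], REALM, 1, 1, 0x17, bytes(16)))
```

A keytab entry whose kvno is behind the account's msDS-keyVersionNumber is a common reason the KDC rejects a service that otherwise looks correctly configured.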
