Vitaly Tskhovrebov wrote:
> It works now. Dunno what was wrong.
> I just came to work in the morning.

AD takes its time replicating the entries; that could be the issue, as you
might be looking at different DCs that have not been updated. So when you
are updating computer accounts and using ktpass you may have to wait a bit.

We don't use ktpass but msktutil instead:
http://download.systemimager.org/~finley/msktutil/
(If you use this, and the service name is not lowercase, use the
--computer-name option rather than letting it derive the name.)

> --
> Vitaly.
>
> -----Original Message-----
> From: Douglas E. Engert [mailto:[email protected]]
> Sent: Thursday, December 10, 2009 10:27 PM
> To: Vitaly Tskhovrebov
> Cc: [email protected]
> Subject: Re: ktpass troubles
>
> Vitaly Tskhovrebov wrote:
>> Hi.
>>
>> I'm trying to use krb authentication on a linux box with apache.
>>
>> I've done the following on W2K3 PDC:
>>
>> ktpass -princ host/[email protected] -pass qwerty -mapuser
>> D\web_http -out host.keytab -ptype KRB5_NT_SRV_HST -kvno 1
>>
>> Successfully mapped host/[email protected] to web_http.
>> WARNING: pType and account type do not match. This might cause problems.
>> Key created.
>> Output keytab to host.keytab:
>> Keytab version: 0x502
>> keysize 75 host/web.company.ru ptype 3 (KRB5_NT_SRV_HST) vno 1 etype 0x17 (RC4-HMAC) keylength 16 (0xeddf60686996d8ba2d81cfd15da42bd3)
>>
>> the same for
>>
>> ktpass -princ HTTP/[email protected] -pass qwerty -mapuser
>> D\web_http -out http.keytab -kvno 1
>>
>
> You may have updated the msDS-keyVersionNumber in the DC.
> Use ldap or some MS tool like ADSI-edit to look for this attribute
> on the web_http account.
> Also look at the userPrincipalName, ServicePrincipalName and
> sAMAccountName attributes too.
>
>> and then
>>
>> setspn.exe -A HTTP/web.company.ru web
>
> Should this be web_http? Did it work?
>
> You should also consider using two separate accounts and two separate
> keytab files, one for host/... and one for HTTP/... Each would
> then have its own key.
>
>> after that I made several steps on linux box making a keytab for apache,
>> and trying to test:
>>
>> ktutil: read_kt host.keytab
>> ktutil: read_kt http.keytab
>> ktutil: list
>> slot KVNO Principal
>> ---- ---- ------------------------------------
>>    1    1 host/[email protected]
>>    2    1 HTTP/[email protected]
>> ktutil: write_kt apache.keytab
>>
>> kinit -t apache.keytab -k HTTP/[email protected]
>> # IT'S OK!
>>
>> kinit -t apache.keytab -k host/[email protected]
>> kinit(v5): Client not found in Kerberos database while getting initial
>> credentials
>>
>> Ethereal told that krb5kdc_err_s_principal_unknown.
>>
>> Where am I wrong?
>>
>> --
>> Vitaly.
>>
>> ________________________________________________
>> Kerberos mailing list [email protected]
>> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
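Added example, not code from the thread or from either poster: a small reader for the version 0x502 keytab format that ktpass and ktutil write above, listing each entry's principal, kvno and enctype and flagging entries whose kvno disagrees with the value read from the account's msDS-keyVersionNumber, the check Douglas suggests. The sample keytab is constructed in code; REALM.EXAMPLE, the key bytes and the kvno values are placeholders, not values from the thread.

```python
import struct

def build_entry(components, realm, kvno, enctype, key, name_type=1):
    """Serialise one v0x502 keytab entry (used only to build sample data)."""
    body = struct.pack(">H", len(components))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for comp in components:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)  # type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)  # trailing 32-bit kvno extension
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] from keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:  # negative size marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        parts = []  # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack(">H", data[pos:pos + 2])
            parts.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _ntype, _ts, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        enctype, klen = struct.unpack(">HH", data[pos + 9:pos + 13])
        pos += 13 + klen
        kvno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno, enctype))
        pos = end
    return entries

def kvno_mismatches(entries, ad_kvno):
    """Principals whose keytab kvno differs from the account's msDS-keyVersionNumber."""
    return [p for p, kvno, _ in entries if kvno != ad_kvno]

# Constructed sample: both principals from the thread as RC4-HMAC (etype 0x17) with
# placeholder keys; kvno 1 vs 2 models a second ktpass run having bumped the key.
SAMPLE_KEYTAB = (b"\x05\x02"
    + build_entry(["host", "web.company.ru"], "REALM.EXAMPLE", 1, 0x17, b"\x11" * 16, 3)
    + build_entry(["HTTP", "web.company.ru"], "REALM.EXAMPLE", 2, 0x17, b"\x22" * 16))
```

Compare the output against the msDS-keyVersionNumber read with ldapsearch or ADSI Edit; any principal listed by kvno_mismatches will fail kinit -k against that account until the keytab is regenerated.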
