Date: Tue, 21 Jul 2015 08:42:50 -0500
From: Greg Groth <ggroth@gregs-garage.com>
To: Raimund Sacherer <rs@logitravel.com>
Cc: freebsd-questions@freebsd.org, owner-freebsd-questions@freebsd.org
Subject: Re: Kerberos
Message-ID: <206c1ceb58b14e4ce86fb2a27be3907c@mail.gregs-garage.com>
In-Reply-To: <1705342318.38348913.1437127498114.JavaMail.zimbra@logitravel.com>
References: <75d664eeb361264e9b4560a89b1a32bf@mail.gregs-garage.com> <1383995814.37100404.1437030764957.JavaMail.zimbra@logitravel.com> <4582000dcfad2dc26ca4076d2024f23f@mail.gregs-garage.com> <1705342318.38348913.1437127498114.JavaMail.zimbra@logitravel.com>
On 2015-07-17 05:04, Raimund Sacherer wrote:
> Hello Greg,
>
> At first glance I can't see anything really out of order. If it
> helps, I use(d) these pages to set up Kerberos and Apache auth:
> http://www.grolmsnet.de/kerbtut/
> http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/
>
> The account you create for the service principal has to be a user
> account; it does not work with a machine account.
>
> If you authenticate without the keytab, just a user from the AD
> (create a user and test a kinit user@EXAMPLE.COM, later klist), check
> if a simple user authentication works in the first place.
>
> Hope that this will help you in any way,
>
> Best
> Ray

Many thanks for replying. I have to be doing something wrong with the ktpass command on the DC, but for the life of me, I'm not sure what the issue is.

I created a user named aduser, and can obtain a ticket by using kinit aduser@EXAMPLE.COM from the BSD server, but using kinit -k aduser or kinit -t /etc/krb5.keytab aduser always returns:

    kinit: krb5_get_init_creds: Already tried ENC-TS-info, looping

This is what I've been trying on the DC to create a keytab file:

    ktpass /princ HTTP/atbsd.example.com@EXAMPLE.COM /mapuser aduser@EXAMPLE.COM /pass P@$$word /crypto RC4-HMAC-NT /ptype RB5_NT_PRINCIPAL /out C:\temp\krb5.keytab

Once I run the command on the DC, the userPrincipalName for aduser gets replaced with "HTTP/atbsd.example.com". Does the servicePrincipalName need to be set to the same as well? I've tried it with the UPN set, the SPN set, and both the UPN & SPN set to "HTTP/atbsd.example.com", but it doesn't seem to make a difference.

When I run ktutil list --keys on the BSD box, I get:

    Vno  Type              Principal                            Key                              Aliases
    32   arcfour-hmac-md5  HTTP/atbsd.example.com@EXAMPLE.COM   XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

I thought I read somewhere that the DC is looking for a match on the UPN, which appears to be identical.

The only other troubleshooting I've been able to do is to use a packet sniffer, and it appears that the DC is waiting for a password which is never supplied? I have not installed the krb5 port, and have been using whatever version is installed in the base distro (Heimdal?). I noted on the TechNet page at MS that ktpass is based on the MIT version of Kerberos. Do I need the krb5 port in place of whatever version is included in the base distro to get this to work?

Best regards,
Greg Groth